Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.
Featured Analysis
Featured article analysis: Hackers use RMM tools to breach freighters and steal cargo shipments
This sophisticated cybercrime campaign highlights a dangerous evolution in cargo theft, where digital compromise leads directly to the theft of physical goods. Threat actors are targeting the weakest links in the supply chain, specifically freight brokers and trucking carriers, by deploying legitimate Remote Monitoring and Management (RMM) tools such as ScreenConnect and SimpleHelp. The attack typically begins with social engineering, often involving compromised accounts on online load boards that are used to post fraudulent shipments. When a legitimate carrier responds, they are tricked into clicking a malicious link (often delivered via a hijacked email thread), which installs the RMM tool. This technique is highly effective because it leverages trusted software, allowing the attacker to establish a persistent, low-profile foothold on the victim’s network without immediately triggering suspicion or anti-virus alerts.
Once the RMM tool is installed, the cybercriminals gain complete remote control over the victim’s system. They use this access to conduct network reconnaissance and deploy credential harvesting tools, enabling them to steal logins for essential freight management systems. With this insider access, the hackers can modify or delete existing booking emails, block dispatcher notifications, and effectively impersonate the carrier. This allows them to successfully bid on real, high-value cargo loads (such as electronics or food and beverage items) and coordinate the theft, rerouting the physical shipment for illicit resale. The successful execution of this scheme suggests a strong collaboration between technical cybercrime groups and traditional organized crime that handles the physical interception and distribution of the stolen goods.
To defend against this potent threat, organizations in the logistics and transportation sectors must tighten controls over widely used software. A key preventative measure is to restrict the installation of all unapproved RMM tools, ensuring only IT-vetted and confirmed applications are allowed on company endpoints. Furthermore, technical defenses should include robust network monitoring to detect unexpected connections to RMM servers and the implementation of email gateway rules to block common malicious file types, such as .EXE and .MSI executables, from unsolicited external senders. Finally, security awareness training is crucial, as the initial point of compromise relies heavily on social engineering and exploiting the trust inherent in urgent freight negotiations.
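As an added example (not code from the article or this roundup), here is a small Python detection pass that applies the allowlisting idea above to constructed endpoint telemetry: it flags RMM process launches and DNS lookups on hosts not authorized for RMM, unapproved RMM products, and installs run from user-writable folders. The log format, the indicator regexes and the approved tool/host lists are assumptions to be tuned to real telemetry.

```python
import re

# Illustrative RMM indicators (assumed): tool name -> pattern matched against
# process image paths and DNS query names, case-insensitively.
RMM_INDICATORS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simple-?help", re.I),
}
# Assumed policy: IT-vetted RMM products and the hosts allowed to run them.
APPROVED_TOOLS = {"ScreenConnect"}
APPROVED_HOSTS = {"IT-ADMIN02"}
# A phishing-delivered RMM installer runs from Downloads/AppData, not Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>\S+) (?P<key>image|query)=(?P<value>.+)$")

# Constructed sample telemetry (not real data); one event per line.
SAMPLE_LOGS = """\
2025-11-03T09:12:01Z host=DISPATCH-PC1 user=jsmith event=proc_start image=C:\\Users\\jsmith\\Downloads\\ScreenConnect.ClientSetup.msi
2025-11-03T09:12:07Z host=DISPATCH-PC1 user=jsmith event=dns query=instance-abc123.screenconnect.com
2025-11-03T09:30:44Z host=IT-ADMIN02 user=itops event=proc_start image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe
2025-11-03T10:02:15Z host=BROKER-LT4 user=mlee event=dns query=remote.simple-help.com
2025-11-03T10:05:00Z host=BROKER-LT4 user=mlee event=proc_start image=C:\\Users\\mlee\\AppData\\Local\\Temp\\SimpleHelp-Remote-Access.exe
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return an alert dict when the record shows RMM activity outside policy."""
    tool = next((t for t, p in RMM_INDICATORS.items() if p.search(rec["value"])), None)
    if tool is None:
        return None
    reasons = []
    if tool not in APPROVED_TOOLS:
        reasons.append("unapproved RMM tool")
    if rec["host"] not in APPROVED_HOSTS:
        reasons.append("host not authorized for RMM")
    if rec["key"] == "image" and USER_WRITABLE.search(rec["value"]):
        reasons.append("launched from user-writable path")
    if not reasons:
        return None
    return {"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
            "tool": tool, "reasons": reasons}

def detect_rmm_events(log_text):
    """Parse every line and collect the alerts; vetted activity is dropped silently."""
    records = filter(None, (parse_line(l) for l in log_text.splitlines()))
    return [a for a in (classify(r) for r in records) if a]
```

Running `detect_rmm_events(SAMPLE_LOGS)` on the constructed lines yields four alerts: the vetted ScreenConnect client on IT-ADMIN02 is the only event that passes.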
Projects
Videos
Articles
- Hackers use RMM tools to breach freighters and steal cargo shipments – Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.
- ‘We got hacked’ emails threaten to leak University of Pennsylvania data – The University of Pennsylvania suffered a cybersecurity incident on Friday, where students and alumni received a series of offensive emails from various University email addresses, claiming that data was stolen in a breach.
- EY exposes 4TB+ SQL database to open internet for who knows how long – The Big Four biz’s big fat fail exposed a boatload of secrets online
- A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces – The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no less than 16 Telegram channels since August 8, 2025.
- U.S. Sanctions 10 North Korean Entities for Laundering $12.7M in Crypto and IT Fraud – The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud.
- Amazon Equips Next Underwater Cable With ‘Robust Armoring’ to Prevent Cuts – The AWS ‘Fastnet’ cable will run from Maryland to Ireland, transporting over 320Tbps. Amid growing cable sabotage, however, ‘we’re burying this cable as deeply as possible,’ Amazon says.
- SonicWall says state-sponsored hackers behind security breach in September – SonicWall’s investigation into the September security breach that exposed customers’ firewall configuration backup files concludes that state-sponsored hackers were behind the attack.
- Hyundai AutoEver America data breach exposes SSNs, drivers licenses – Hyundai AutoEver America is notifying individuals that hackers breached the company’s IT environment and gained access to personal information.
- How a ransomware gang encrypted Nevada government’s systems – The State of Nevada has published an after-action report detailing how hackers breached its systems to deploy ransomware in August, and the actions taken to recover from the attack.
- 18 Arrested in Crackdown on Credit Card Fraud Rings – Between 2016 and 2021, the suspects defrauded 4.3 million cardholders in 193 countries of €300 million (~$346 million).
- ClickFix Attacks Against macOS Users Evolving – ClickFix prompts typically contain instructions for Windows users, but now they are tailored for macOS and they are getting increasingly convincing.
- Norway transport firm steps up controls after tests show Chinese-made buses can be halted remotely – A leading Norwegian public transport operator has said it will introduce stricter security requirements and step up anti-hacking measures after a test on new Chinese-made electric buses showed the manufacturer could remotely turn them off.
- U.S. Congressional Budget Office hit by suspected foreign cyberattack – The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data.
- Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Android Spyware via WhatsApp – A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.