RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: screenconnect (2 articles)Clear
threat
2026-05-04

Phishing campaign hit 80+ companies by getting employees to install legitimate remote-access software disguised as a Social Security letter

Securonix tracked a phishing campaign called VENOMOUS#HELPER that has hit 80+ organizations (mostly in the US) since April 2025 by getting employees to install legitimate remote-monitoring software they think is a Social Security Administration document. The lure is a fake SSA email asking the recipient to download their statement; the link points to a compromised Mexican business website hosting a SimpleHelp installer. Once installed, the attackers gain SYSTEM-level access, then quietly install ConnectWise ScreenConnect as a backup channel. The pattern aligns with initial-access broker activity: quiet persistence, then sale or hand-off to ransomware operators.

venomous-helperstac6405simplehelpscreenconnectrmm-abusessa-impersonationinitial-access-brokersecuronixsophosdual-channel-persistence
Check
Hunt every Windows endpoint for SimpleHelp and ConnectWise ScreenConnect installs not authorized by IT. Search proxy logs for connections to gruta.com.mx since April 2025.
Affected
Windows endpoints in organizations without strict application allowlisting. 80+ confirmed victims, mostly US, across multiple sectors. Acute risk: companies whose staff regularly receive government correspondence (SSA, IRS, state tax) where 'verify and download' lures feel routine. Initial access brokers run these campaigns to sell footholds, so any compromised host becomes a potential ransomware launchpad weeks later.
Fix
Enforce application allowlisting on Windows endpoints to block unapproved RMM software. Remove unauthorized SimpleHelp, ScreenConnect, PDQ Connect, LogMeIn Resolve, N-able, or Fleetdeck installs and treat the host as compromised. Block Securonix's published indicators (gruta.com.mx, server.cubatiendaalimentos.com.mx) at the network egress layer. Rotate credentials on affected hosts.
threat
2026-04-30

Hackers are stealing entire truckloads of cargo by phishing freight brokers - $725 million in losses last year alone, FBI warns

The FBI issued a public service announcement Wednesday warning that cyber-enabled cargo theft has surged 60% to $725 million in losses across the US and Canada in 2025. The pattern: criminals phish freight brokers and carriers via spoofed emails, install remote-monitoring software like ScreenConnect or Pulseway, then post fraudulent listings on freight load boards under the broker's identity. Real shippers respond, hand over high-value cargo, and the load is diverted to criminal-controlled drivers. The average theft is now $273,990 - a 36% jump from 2024. Cargo theft also funds drug trafficking and money laundering, not just direct resale.

fbi-psacargo-theftlogisticsfreightbrokerscarriersload-boardsscreenconnectdiesel-vortexproofpointorg-crime725m-losses
Check
If your organization ships, brokers, or carries freight, verify every shipment request through a second channel (phone call to a known number, not an email reply) before releasing cargo or accepting a new load.
Affected
US and Canadian shipping brokers, freight carriers, and shippers using online load boards. Particularly acute for mid-sized brokers with limited IT staff - they're easier to phish and have less monitoring of remote access tools. Food, beverage, and consumer goods shipments are most targeted because they're easy to resell.
Fix
Verify shipment requests through a second channel. Enforce MFA on load board accounts and email accounts. Monitor for unauthorized remote-monitoring software installs (ScreenConnect, Pulseway, SimpleHelp) on broker workstations - these are the standard attacker toolkit. Audit email for suspicious mailbox rules that auto-forward or auto-delete. File incidents with IC3 alongside police reports.