IR playbook: RMM abuse in trucking/logistics, plus Apple and Android patch priorities (Nov 2025)
SANS ISC’s Stormcast on November 5, 2025 highlighted three items responders should act on: Apple’s latest cross-portfolio security updates, Google’s November Android security bulletin with a critical System RCE, and active criminal use of legitimate remote management tools (RMM) against trucking and logistics firms. Patch scheduling and RMM governance should be on the same ticket for this week’s change window. (SANS Stormcast 2025-11-05, Android Nov 2025 bulletin).
Apple shipped Safari 26.1 on November 3 with multiple WebKit memory-safety fixes, alongside broader OS updates (iOS/iPadOS 26.1, watchOS/tvOS/visionOS 26.1) that address additional WebKit issues; SANS notes the set also includes memory-corruption bugs in ImageIO and FontParser, component classes historically associated with code-execution vectors, so prioritize roll-out. (Apple Safari 26.1, visionOS 26.1 WebKit entries, SANS diary summary). Google’s November 2025 Android bulletin calls out a critical RCE in the System component requiring no additional privileges and no user interaction; push devices to security patch level 2025-11-01 or later. (Android Nov 2025 bulletin).
Intrusion Flow
- Initial access: phishing into carriers/brokers, then delivery of legitimate RMM as the first payload to blend into IT operations. Proofpoint tracks campaigns where access is monetized to hijack freight bidding and ultimately steal physical cargo. (Proofpoint logistics report, 2025-11-03).
- Establish foothold: install or drop portable RMM (e.g., ScreenConnect/ConnectWise Control, AnyDesk) for persistence and interactive control; criminals prefer legitimate tools to evade malware-based detections. (CISA AA23-025A).
- Lateral movement and staging: use the initial firm’s credentials/sessions to post fraudulent loads and phish peers in the transportation ecosystem, expanding access and reconnaissance for high-value shipments. (Proofpoint logistics report).
- Objective: learn shipment specifics and timing; coordinate real-world theft informed by digital access. (Proofpoint logistics report).
Key Artifacts to Pull
- Windows eventing for execution/persistence
  - Security 4688 (process creation) to capture RMM installer and client lifecycles; enable command line auditing so the full invocation is recorded. (Microsoft 4688, Advisory 3004375 command line logging).
  - Security 4697 (a service was installed) for persistent RMM services; triage file path, start type, and account. (Microsoft 4697).
  - Sysmon events if present: 1 (ProcessCreate), 3 (NetworkConnect), 6 (DriverLoad), 7 (ImageLoad) to tie processes to network egress and module loads. (Sysmon documentation).
- RMM-specific traces
  - ScreenConnect/ConnectWise Control client installs typically live under “C:\Program Files (x86)\ScreenConnect Client (INSTANCEID)\…”, where INSTANCEID maps back to the server; use the instance thumbprint in the path to separate approved vs. unapproved servers. (Naverisk KB on ScreenConnect paths/thumbprint, Blumira detection notes on INSTANCE ID).
  - AnyDesk logs: pull %ProgramData%\AnyDesk\ad_svc.trace (service) and %AppData%\AnyDesk\ad.trace (UI) along with connection_trace.txt for session metadata (auth mode, timestamps, remote IDs). (AnyDesk trace file locations).
  - ConnectWise ScreenConnect server installs default to C:\Program Files (x86)\ScreenConnect on Windows servers; useful when auditing self-hosted infrastructure. (ConnectWise server default path).
- Vulnerability/KEV context
  - The February 2024 ScreenConnect auth bypass (CVE-2024-1709) remains a high-value reference point for abused RMM infrastructure; verify patching and exposure if you operate or inherit ScreenConnect. (CISA KEV alert on CVE-2024-1709).
Detection Notes
- Create an allow-list for sanctioned RMM domains, certificates, and instance IDs. Alert on:
  - New service installs (4697) where ServiceFileName contains ScreenConnect.ClientService.exe or a path like “C:\Program Files (x86)\ScreenConnect Client (…)”, and AnyDesk service activity (AnyDesk traces present) with no corresponding change ticket. (Microsoft 4697, Naverisk ScreenConnect instance path, AnyDesk trace file locations).
  - Process creation (4688/Sysmon 1) of ScreenConnect.WindowsClient.exe, ScreenConnect.ClientService.exe, or AnyDesk.exe outside of approved maintenance windows. (Microsoft 4688, Sysmon).
  - Sysmon 3 egress from RMM processes to non-approved hostnames/IPs; bind detections to known vendor clouds or your self-hosted FQDNs. (Sysmon Event 3 description).
- Treat portable RMM executables as a separate class: they won’t create services (no 4697) but will show up in 4688/Sysmon 1 and network telemetry; CISA explicitly warns of this bypass path. (CISA AA23-025A).
- Consider sector-specific lures: monitor for processes spawning PDF viewers or browser downloads followed by RMM client execution while users interact with load boards and carrier portals. (Proofpoint logistics report).
Example hunting fragments (Splunk SPL; adapt to your SIEM):
Windows Security log (4688 process creation, 4697 service install):
index=wineventlog (EventCode=4697 OR EventCode=4688)
| eval path=coalesce(ServiceFileName, NewProcessName)
| search path="*ScreenConnect*" OR path="*AnyDesk*"
| stats earliest(_time) as first_seen latest(_time) as last_seen values(path) as paths by host, user, EventCode
Sysmon Event ID 3 (NetworkConnect) from RMM processes to non-approved destinations:
index=sysmon EventCode=3 Image IN ("*ScreenConnect*", "*AnyDesk*")
| where NOT like(DestinationHostname, "%your-approved-rmm.example.com%")
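The allow-list and portable-RMM checks above, as an added example that is not from the SANS, CISA or Proofpoint sources: a Python triage pass over constructed 4697/4688 records that extracts the ScreenConnect INSTANCEID from the client path, compares it with an approved set, and separates service-backed RMM from portable executables that never produced a 4697. The approved INSTANCEID, hostnames and file paths are constructed placeholders.

```python
import re

# Allow-listed ScreenConnect INSTANCEIDs from your own server's client path (constructed placeholder).
APPROVED_INSTANCE_IDS = {"a1b2c3d4e5f67890"}

# INSTANCEID as it appears in "...\ScreenConnect Client (INSTANCEID)\..."
SC_INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]+)\)", re.IGNORECASE)
RMM_NAME_RE = re.compile(r"ScreenConnect|AnyDesk", re.IGNORECASE)

# Constructed sample records shaped like a SIEM export of Security 4697/4688 events.
EVENTS = [
    {"host": "wks01", "EventCode": 4697,
     "ServiceFileName": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f67890)\ScreenConnect.ClientService.exe"'},
    {"host": "wks02", "EventCode": 4697,
     "ServiceFileName": r'"C:\Program Files (x86)\ScreenConnect Client (deadbeef00000000)\ScreenConnect.ClientService.exe"'},
    {"host": "wks02", "EventCode": 4688,
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client (deadbeef00000000)\ScreenConnect.WindowsClient.exe"},
    {"host": "wks03", "EventCode": 4688, "NewProcessName": r"C:\Users\dispatch\Downloads\AnyDesk.exe"},
    {"host": "wks04", "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def triage(events, approved=APPROVED_INSTANCE_IDS):
    """Return (host, verdict, detail) for every RMM-related event.

    approved_instance / unknown_instance: 4697 ScreenConnect service, INSTANCEID on / off the allow-list
    rmm_service:  4697 for another RMM (e.g. AnyDesk); reconcile against change tickets
    service_rmm:  4688 RMM process on a host that also logged a 4697 RMM service
    portable_rmm: 4688 RMM process on a host with no RMM service install (the CISA bypass case)
    """
    hosts_with_service = {e["host"] for e in events
                          if e["EventCode"] == 4697 and RMM_NAME_RE.search(e.get("ServiceFileName", ""))}
    findings = []
    for e in events:
        path = e.get("ServiceFileName") or e.get("NewProcessName") or ""
        if not RMM_NAME_RE.search(path):
            continue  # unrelated process or service
        if e["EventCode"] == 4697:
            m = SC_INSTANCE_RE.search(path)
            if m is None:
                findings.append((e["host"], "rmm_service", path))
            else:
                inst = m.group(1).lower()
                verdict = "approved_instance" if inst in approved else "unknown_instance"
                findings.append((e["host"], verdict, inst))
        elif e["EventCode"] == 4688:
            verdict = "service_rmm" if e["host"] in hosts_with_service else "portable_rmm"
            findings.append((e["host"], verdict, path))
    return findings
```

Calling triage(EVENTS) flags wks02 for an unknown INSTANCEID and wks03 for a portable AnyDesk binary, while the approved wks01 install and the unrelated notepad.exe event produce no alert-worthy verdict.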
Response Guidance
- Patching priorities this week
  - Apple: roll out iOS/iPadOS 26.1, the macOS-family equivalents, and Safari 26.1 to close WebKit and related memory-safety issues; SANS notes additional ImageIO/FontParser memory corruption in this cycle. (Apple Safari 26.1, SANS diary).
  - Android: target security patch level 2025-11-01 or later; the bulletin’s most severe item is a critical, no-interaction RCE in System. (Android Nov 2025 bulletin).
- Eradication and hardening for RMM abuse
  - Inventory and approve: maintain a definitive list of permitted RMM products, server FQDNs, and instance IDs; block everything else through egress policy and application control. (CISA AA23-025A).
  - Validate ScreenConnect lineage: confirm your ScreenConnect servers are current and not running legacy vulnerable builds (e.g., the 2024 auth bypass). If you discover unknown ScreenConnect “Client (INSTANCEID)” paths, map the INSTANCEID to its server and isolate the host. (CISA KEV CVE-2024-1709, Naverisk INSTANCEID path).
  - Pull RMM logs before removal: collect AnyDesk ad_svc.trace / ad.trace and the ScreenConnect client directories to preserve session metadata and operator IDs. (AnyDesk trace file locations, Naverisk ScreenConnect path).
  - Contain identity risk: reset credentials used during RMM sessions, rotate tokens for logistics portals/broker platforms, and invalidate saved sessions in browsers. (Proofpoint logistics report).
  - Tighten monitoring: require just-in-time approvals for sanctioned RMM use, alert on off-hours access, and log session video, clipboard, and file-transfer activity where policy allows. (CISA AA23-025A).
Takeaways
- Ship Apple’s November updates and Safari 26.1 across managed fleets; WebKit and related memory-safety fixes are in scope. (Apple Safari 26.1, SANS diary).
- Push Android devices to patch level 2025-11-01 or later to address the critical System RCE. (Android Nov 2025 bulletin).
- Treat all RMM as privileged software: enforce allow-lists by product, server, and instance ID; hunt and quarantine anything else. (CISA AA23-025A).
- Collect the right artifacts before cleanup: 4697/4688, Sysmon, ScreenConnect client folders, AnyDesk traces, and browser/session data tied to freight platforms. (Microsoft 4697, Microsoft 4688, Sysmon, AnyDesk trace files, Naverisk ScreenConnect path).
Sources / References
- SANS Stormcast 2025-11-05: https://isc.sans.edu/podcastdetail/9686
- SANS ISC diary: Apple Patches Everything, Again (2025-11-04): https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448
- Android Security Bulletin — November 2025: https://source.android.com/docs/security/bulletin/2025-11-01
- Apple: About the security content of Safari 26.1 (Released Nov 3, 2025): https://support.apple.com/en-us/125640
- Apple: About the security content of iOS 26.1 and iPadOS 26.1: https://support.apple.com/en-ca/125632
- Apple: About the security content of visionOS 26.1: https://support.apple.com/en-us/125638
- Proofpoint: Remote access, real cargo (2025-11-03): https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
- CISA/NSA/MS-ISAC advisory AA23-025A: Malicious use of RMM: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
- CISA alert: CVE-2024-1709 ScreenConnect added to KEV: https://www.cisa.gov/news-events/alerts/2024/02/22/cisa-adds-one-known-exploited-connectwise-vulnerability-cve-2024-1709-catalog
- ConnectWise ScreenConnect server default install path: https://docs.connectwise.com/ScreenConnect_Documentation/On-premises/Advanced_setup/Backup_ScreenConnect_Installation
- Naverisk KB: ScreenConnect configuration and instance ID/path: https://kb.naverisk.com/en/articles/2832825-screenconnect-configuration
- Blumira: Investigating Remote Access Tool findings (ScreenConnect ID): https://support.blumira.com/hc/en-us/articles/41668660654867-Investigating-Remote-Access-Tool-findings
- AnyDesk support: Trace files and locations: https://support.anydesk.com/knowledge/trace-files
- Microsoft Learn: Event ID 4688 (process creation): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- Microsoft Learn: Event ID 4697 (service installed): https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- Microsoft Learn: Sysmon (events 1/3/etc.): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon