MOXFIVE Monthly Insights - February 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team.

February Highlights

Ransomware activity increased in February, with threat actors expanding their tactics and continuing to exploit both technical and human vulnerabilities. RansomHub was observed leveraging CVE-2024-55591 to gain administrative access to Fortinet firewalls, while Clop sustained large-scale exploitation campaigns involving secure file transfer tools. MOXFIVE was also engaged with multiple clients that were targeted by a social engineering technique tied to Black Basta, using Microsoft Teams as an initial contact vector — underscoring the growing importance of user awareness as a first line of defense.

Top Threats

Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Fortinet Authentication Bypass Vulnerability (CVE-2024-55591): This critical vulnerability affects multiple versions of FortiOS and FortiProxy, allowing unauthenticated attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. MOXFIVE identified the vulnerability being exploited by RansomHub in a February ransomware incident. Fortinet has released patches and mitigation guidance for CVE-2024-55591.
Active Threat Actors

Several ransomware groups remained highly active in February, continuing to evolve their tactics and capitalize on newly disclosed vulnerabilities.

  • Clop was the most active ransomware group in February, continuing their large-scale exploitation campaigns, including exploitation of the Cleo Secure File Transfer vulnerability (CVE-2024-50623). The group is known for leveraging zero-day vulnerabilities and increasingly favoring mass data exfiltration over encryption in their extortion efforts.
  • RansomHub first emerged in February 2024 operating under a ransomware-as-a-service (RaaS) model, offering affiliates a 90% commission rate, one of the most competitive rates in the ransomware landscape. This has made it an attractive option for threat actors, leading to widespread adoption. For more details, check out the MOXFIVE RansomHub Threat Actor Spotlight here.
  • Akira is a RaaS offering that remained one of the most widely used ransomware variants throughout 2024, impacting organizations across most industries. Akira offers a unique "deliverable menu" of paid services, including decryptors and data deletion options. For more details, check out the MOXFIVE Akira Threat Actor Spotlight here.

Manufacturing remained the most frequently impacted industry in February, followed by Technology and Professional Services. Healthcare and Transportation & Logistics also saw elevated levels of ransomware activity, highlighting continued interest from threat actors in sectors with valuable data and operational urgency.

In February, MOXFIVE continued to observe an effective social engineering technique leveraged by the Black Basta ransomware group to gain access to environments. Fortunately, most companies with strong endpoint detection and response (EDR) tools had the malicious files blocked; however, this occurred only after users had granted access to a threat actor posing as the IT helpdesk.

In this campaign, ransomware access brokers (RABs) impersonated IT helpdesk personnel using names like “Help Desk” or “Support Team.” The attackers leveraged public employee directories, LinkedIn profiles, and stolen credentials to identify targets. In some cases, victims were first signed up for spam email lists — a tactic used to create urgency. Threat actors then followed up with Teams messages or calls offering to help remediate the “issue,” a tactic dubbed Teams vishing. 

In known cases where this tactic was successful, the attackers guided users to download remote access tools such as AnyDesk or Quick Assist to gain initial access.
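The chain described above (an external Teams contact posing as support, followed by the user launching AnyDesk or Quick Assist) lends itself to a simple correlation rule. The script below is an added example, not MOXFIVE code: it reads a mixed feed of Teams chat events and EDR process-start events, treats any sender outside a hypothetical internal domain (example.com) as external, and raises a high-severity alert when one of the remote access tools named in the campaign starts within 30 minutes of such a contact, and a medium-severity alert otherwise. The log line formats, field names, hostnames and sender domains are all constructed for illustration; map your own Teams audit and EDR telemetry fields onto them.

```python
"""Correlate external Teams contacts with remote-access tool launches.

Added example (not MOXFIVE code). The event formats below are constructed
for illustration and do not correspond to any vendor's real schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-access tools named in the campaign description, keyed by process name.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "quickassist.exe": "Quick Assist",
}

# Hypothetical tenant domain; any other sender domain is treated as external.
INTERNAL_DOMAIN = "example.com"

# A tool launch this soon after an external Teams contact is treated as correlated.
WINDOW = timedelta(minutes=30)

# Constructed sample events, one JSON object per line, mixing two feeds:
# "teams_chat" (someone messaging a user) and "process_start" (EDR telemetry).
SAMPLE_LOG = r"""
{"ts": "2025-02-10T09:02:00Z", "type": "teams_chat", "user": "jdoe@example.com", "sender": "Help Desk", "sender_domain": "helpdesk-support.example.net"}
{"ts": "2025-02-10T09:15:00Z", "type": "process_start", "user": "jdoe@example.com", "host": "WS-0112", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2025-02-10T11:40:00Z", "type": "process_start", "user": "asmith@example.com", "host": "WS-0207", "image": "C:\\Windows\\System32\\quickassist.exe"}
{"ts": "2025-02-10T13:00:00Z", "type": "teams_chat", "user": "bwong@example.com", "sender": "Alice Internal", "sender_domain": "example.com"}
{"ts": "2025-02-10T13:05:00Z", "type": "process_start", "user": "bwong@example.com", "host": "WS-0309", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
"""


@dataclass
class Alert:
    user: str
    host: str
    tool: str
    tool_ts: datetime
    external_sender: str | None  # None when no recent external Teams contact was found
    severity: str                # "high" when correlated with an external chat, else "medium"


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed feed."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def tool_name(image: str) -> str | None:
    """Return the friendly tool name if the image path is a known remote-access tool."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return REMOTE_ACCESS_TOOLS.get(base)


def find_alerts(log_text: str) -> list[Alert]:
    """Scan the event feed in time order and emit one alert per remote-access tool launch."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    # Most recent external Teams contact per user: (timestamp, sender label).
    last_external: dict[str, tuple[datetime, str]] = {}
    alerts: list[Alert] = []
    for event in events:
        ts = parse_ts(event["ts"])
        if event["type"] == "teams_chat":
            if event["sender_domain"].lower() != INTERNAL_DOMAIN:
                label = f'{event["sender"]} <{event["sender_domain"]}>'
                last_external[event["user"]] = (ts, label)
        elif event["type"] == "process_start":
            tool = tool_name(event["image"])
            if tool is None:
                continue  # not a remote-access tool we track
            prior = last_external.get(event["user"])
            if prior is not None and ts - prior[0] <= WINDOW:
                alerts.append(Alert(event["user"], event["host"], tool, ts, prior[1], "high"))
            else:
                alerts.append(Alert(event["user"], event["host"], tool, ts, None, "medium"))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        line = f"[{a.severity.upper()}] {a.tool_ts:%Y-%m-%d %H:%M} {a.user} on {a.host} launched {a.tool}"
        if a.external_sender:
            line += f" after external Teams contact from {a.external_sender}"
        print(line)
```

Run against the sample feed, the script produces one high-severity alert (jdoe launched AnyDesk 13 minutes after a message from an external "Help Desk" sender) and two medium-severity alerts for tool launches with no recent external contact. The medium tier matters as well: a standalone Quick Assist or AnyDesk launch on a host where neither is an approved tool is worth a ticket even without the Teams correlation, because the vishing call may have come by phone rather than Teams.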

Resilience Spotlight

User awareness training remains one of the most effective defenses against social engineering-based attacks. In the recent Teams vishing campaigns, user awareness training has proven to be one way organizations can better protect against social engineering attempts and reduce the risk of initial access.

To strengthen resilience across the organization, consider the following actions:

As threat actors continue to innovate their initial access techniques, an alert and informed user base remains one of the most important components of a strong defense strategy.