MOXFIVE Monthly Insights - January 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. If you are not already on the MOXFIVE mailing list, subscribe to receive future issues.

January Highlights

Ransomware activity remained steady to start 2025, with Ransomware-as-a-Service (RaaS) operations continuing to drive attacks. Akira, Lynx, and RansomHub were among the most active ransomware variants in January. The month also saw continued exploitation of vulnerabilities, including Ivanti Connect Secure (CVE-2025-0282) and Oracle WebLogic Server (CVE-2025-21535), which was leveraged by Hunters International for initial access.

Top Threats

Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Ivanti Connect Secure Vulnerability (CVE-2025-0282): Exploited since December, this vulnerability allows unauthenticated remote code execution. Although it was publicly disclosed in January 2025, attackers began using it earlier to target secure remote access systems. For mitigation guidance, refer to the MOXFIVE Ivanti vulnerability alert.
  • Oracle WebLogic Server Vulnerability (CVE-2025-21535): Actively exploited by the Hunters International ransomware group for initial access, this critical flaw allows unauthenticated remote code execution via WebLogic’s T3 and IIOP (Internet Inter-ORB Protocol) services. Organizations using affected versions should apply the latest Oracle security patches.

Active Threat Actors

In January, several ransomware groups remained active, with RaaS operations continuing to drive attacks across multiple industries. The most active were Akira, Lynx, and RansomHub.

  • Akira is a RaaS offering that remained one of the most widely used ransomware variants throughout 2024. Threat actors deploying Akira have targeted a range of industries and offered a "deliverable menu" of paid services, including decryptors and data deletion options. For more details, check out the MOXFIVE Akira Threat Actor Spotlight here.
  • Lynx, believed to be a rebrand of the INC ransomware group, has quickly established itself as a persistent ransomware operation. Operating under a RaaS model, Lynx employs double-extortion tactics, exfiltrating data before encrypting victim systems.
  • RansomHub, which emerged in February 2024, operates under a RaaS model and offers affiliates a 90% commission rate, one of the most competitive rates in the ransomware landscape. This has made it an attractive option for threat actors, leading to widespread adoption. For more details, check out the MOXFIVE RansomHub Threat Actor Spotlight here.

In January, Professional Services faced the highest ransomware activity, followed by Manufacturing & Production and Technology. Healthcare remained a frequent target, while attacks on Food & Beverage highlighted continued risks to supply chain operations. These rankings are based on observed ransomware data leak site activity for impacted organizations in the United States.

MOXFIVE recently observed a Qilin ransomware incident in which brute-force attacks against a VPN appliance, using compromised credentials, provided initial access. The threat actor repeatedly attempted logins until one succeeded, then accessed the network and moved laterally. Once inside, they deployed Qilin ransomware to encrypt ESXi hosts, impacting multiple virtual machines and disrupting operations.

Qilin is a RaaS operation that first emerged in July 2022, originally known as Agenda. The group provides affiliates with customizable ransomware, enabling them to tailor attacks to specific targets. Qilin has been used in attacks against large enterprises and high-value sectors, including healthcare and education, often leveraging double extortion by demanding payment for both decryption and the non-release of stolen data.

This incident underscores the importance of securing remote access points against brute-force attacks. Multifactor Authentication (MFA) is a critical defense, preventing unauthorized access even when credentials are compromised.

Resilience Spotlight

Brute-force attacks remain a common tactic for gaining unauthorized access to corporate networks, especially through exposed VPN appliances and remote access services. Without additional security controls, attackers can exploit weak or compromised credentials to infiltrate organizations and deploy ransomware.

MFA is one of the most effective defenses against brute-force attacks. By requiring an additional verification step beyond a password, MFA significantly reduces the risk of unauthorized access, even if credentials are stolen or compromised. Benefits of MFA:

Organizations should enforce MFA on all remote access points, implement account lockout policies, and monitor authentication logs for signs of credential-based attacks. Additionally, geo-locking can restrict access to VPNs and remote services from countries where legitimate logins should not occur, reducing exposure to external threats. Combined with strong password policies and continuous monitoring, MFA remains a critical control in preventing ransomware incidents.
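The paragraph above recommends account lockout thresholds, authentication-log monitoring for credential-based attacks, and geo-locking of remote access. The following is an added example, not code from MOXFIVE or from any VPN vendor, showing how those three controls translate into detection logic over VPN authentication logs. The log format, the sample log lines, the source-IP-to-country table and the allowed-country list are all constructed for the example; a real deployment would feed the appliance's actual syslog output and a GeoIP database into the same logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication log, in a hypothetical syslog-like format.
# The first block reproduces the pattern from the Qilin incident described above:
# a burst of failures for one account from one source, then a success.
SAMPLE_LOG = """\
2025-01-14T02:10:01Z vpn-gw auth: user=jsmith src=203.0.113.45 result=FAIL
2025-01-14T02:10:04Z vpn-gw auth: user=jsmith src=203.0.113.45 result=FAIL
2025-01-14T02:10:07Z vpn-gw auth: user=jsmith src=203.0.113.45 result=FAIL
2025-01-14T02:10:10Z vpn-gw auth: user=jsmith src=203.0.113.45 result=FAIL
2025-01-14T02:10:13Z vpn-gw auth: user=jsmith src=203.0.113.45 result=FAIL
2025-01-14T02:10:16Z vpn-gw auth: user=jsmith src=203.0.113.45 result=SUCCESS
2025-01-14T09:15:00Z vpn-gw auth: user=akhan src=198.51.100.7 result=SUCCESS
2025-01-14T09:16:30Z vpn-gw auth: user=mlee src=192.0.2.88 result=FAIL
2025-01-14T09:20:00Z vpn-gw auth: user=mlee src=192.0.2.88 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed source-IP to country table (placeholder values; a real deployment
# would use a GeoIP database). "ZZ" is the ISO user-assigned code, used here as
# an obviously fictitious "not an allowed country" placeholder.
GEO_LOOKUP = {"203.0.113.45": "ZZ", "198.51.100.7": "US", "192.0.2.88": "US"}
ALLOWED_COUNTRIES = {"US"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window brute-force detection keyed on (user, source IP).

    Emits a 'lockout_threshold' alert when failures within the window reach
    `threshold` (the point at which an account lockout policy should fire), and a
    'success_after_burst' alert when a success follows at least `threshold`
    failures in the window, i.e. the "kept trying until it worked" pattern.
    """
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append({"type": "lockout_threshold", "user": ev["user"],
                               "src": ev["src"], "failures": len(recent), "ts": ev["ts"]})
        elif ev["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"type": "success_after_burst", "user": ev["user"],
                               "src": ev["src"], "failures": len(recent), "ts": ev["ts"]})
            recent.clear()  # a success resets the failure counter for this key
    return alerts


def geo_violations(lines, lookup=GEO_LOOKUP, allowed=ALLOWED_COUNTRIES):
    """Geo-lock check: successful logins whose source country is not on the allow list.

    Unknown source IPs are treated as violations (fail closed) rather than ignored.
    """
    hits = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["result"] != "SUCCESS":
            continue
        country = lookup.get(ev["src"], "UNKNOWN")
        if country not in allowed:
            hits.append({"user": ev["user"], "src": ev["src"], "country": country, "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in detect_brute_force(lines):
        print("BRUTE-FORCE", alert)
    for hit in geo_violations(lines):
        print("GEO-LOCK", hit)
```

Run against the constructed log, the brute-force detector raises a lockout alert on the fifth failure for `jsmith` and a second alert when the sixth attempt succeeds, while the single failure for `mlee` stays below threshold; the geo-lock check flags only the `jsmith` success because its source IP maps to a country outside the allow list. The two checks are deliberately separate functions so that the lockout logic can run in real time on the appliance while the geo check can be applied to the same log stream in a SIEM.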