Source: levelblue.com – Author: hello@alienvault.com.
Each month, we break down critical cybersecurity developments, equipping security professionals with actionable intelligence to strengthen defenses. Beyond threat awareness, this blog also provides insights into incident readiness and response, drawing from real-world experiences in consulting cybersecurity services. Learn how organizations can proactively prepare for cyber incidents, mitigate risks, and enhance their resilience against evolving attack vectors. Whether you’re refining your security posture or responding to active threats, our blog delivers the expertise and strategic guidance to stay prepared in today’s dynamic threat landscape.
Here’s a high-level overview of the latest cybersecurity updates and ransomware threats for February 2025, to inform businesses and tech users about key risks. For detailed, technical insights, refer to the accompanying PowerPoint briefing available at Incident Response & Digital Forensics.
The major tech companies released security updates addressing 284 vulnerabilities. Key facts include:
- Microsoft patched 67 vulnerabilities, including four critical flaws and two actively exploited bugs in Windows, patched on February 11, 2025.
- Apple fixed 16 vulnerabilities, including two critical flaws actively exploited in iOS and iPadOS, patched on January 27 and February 10, 2025.
- Adobe addressed 45 vulnerabilities, including 23 critical flaws in products like InDesign and Commerce, patched on February 11, 2025.
- Google resolved 68 to 69 vulnerabilities in Android and Chrome, including two critical flaws and one actively exploited bug in Android, patched on February 3 for Android and January 15 and February 5, 2025, for Chrome.
- Cisco patched 17 vulnerabilities, including two critical flaws in its Identity Services Engine, updated on February 5–6, 2025.
- SAP fixed 19 vulnerabilities, including six high-severity flaws in business intelligence and enterprise software, patched on February 11, 2025.
- Palo Alto Networks resolved 10 vulnerabilities, including four high-severity flaws and two actively exploited bugs in PAN-OS, patched on February 12, 2025.
CISA added 12 vulnerabilities to its Known Exploited Vulnerabilities Catalog, all actively exploited, affecting Microsoft, Apple, Google, and Palo Alto products.
From January 28 to February 27, 2025, the Clop ransomware group claimed 347 victims, targeting industries like retail, logistics, finance, and healthcare. Clop, first detected in February 2019, operates under a Ransomware-as-a-Service (RaaS) model, managed by the FANCYCAT group, linked to financially motivated actors like FIN11 and TA505. It gained notoriety through high-profile attacks using double and triple extortion, encrypting files (e.g., with .clop extensions) and leaking data on its Tor-hosted leak site if ransoms are unpaid, demanding up to $20 million per victim. Clop exploited zero-day vulnerabilities in file transfer tools, including Accellion FTA (2020), GoAnywhere MFT (2023), and MOVEit Transfer (2023), impacting over 1,000 organizations. In 2024, Clop targeted Cleo’s file transfer products, Harmony, VLTrader, and LexiCom, exploiting CVE-2024-50623 (unpatched, allowing remote code execution) and CVE-2024-55956 (largely patched, allowing remote code execution), driving its surge to 347 victims. CVE-2024-50623 remains unpatched, affecting over 4,200 Cleo users globally, with 63–79% of exposed instances in the U.S.
Lessons Learned from February 2025 Cybersecurity Threats
The recent wave of cybersecurity updates and ransomware activity has underscored several key lessons that can help businesses and individuals better defend against emerging threats. Here are the critical takeaways:
The Importance of Timely Patching
- Vulnerabilities are often exploited quickly: As seen with Clop and other threat actors, vulnerabilities in widely-used software are often exploited almost immediately after they are discovered. Timely patching is critical to preventing such exploitation.
- Zero-day vulnerabilities: The discovery of unpatched flaws, like CVE-2024-50623 in Cleo’s file transfer products, shows how unpatched vulnerabilities can become a gateway for attackers. It is essential to implement an effective patch management process that prioritizes addressing critical flaws as soon as updates are released.
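The patch-prioritization process the list above calls for can be driven directly from the CISA KEV catalog mentioned earlier. The script below is an added example, not code from the LevelBlue post: it reads a KEV-style JSON snapshot (the field names follow the public KEV feed; the records, due dates, ransomware flags, the placeholder CVE and the asset inventory are all constructed sample data) and ranks each exposed asset by how far past the KEV due date it is, whether the flaw is tied to ransomware use, and whether the host is internet-facing.

```python
import json
from datetime import date

# Constructed KEV snapshot: the two Cleo CVEs from the post plus a placeholder
# entry. Dates, product strings and ransomware flags are sample values only.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "product": "Multiple Products",
     "dateAdded": "2024-12-13", "dueDate": "2025-01-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55956", "vendorProject": "Cleo", "product": "Multiple Products",
     "dateAdded": "2024-12-17", "dueDate": "2025-01-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleCorp", "product": "ExampleApp",  # placeholder, not a real CVE
     "dateAdded": "2025-02-10", "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: (hostname, vendor, product, internet_exposed)
INVENTORY = [
    ("mft-01", "Cleo", "Harmony", True),
    ("mft-02", "Cleo", "LexiCom", False),
    ("app-01", "ExampleCorp", "ExampleApp", False),
    ("db-01", "ExampleCorp", "OtherApp", False),
]
ASSESSMENT_DATE = date(2025, 2, 27)  # end of the reporting window in the post


def load_kev(kev_json):
    """Parse a KEV feed document into its list of vulnerability records."""
    return json.loads(kev_json)["vulnerabilities"]


def affects(entry, vendor, product):
    """Vendor must match; a 'Multiple Products' entry covers every product of that vendor."""
    if entry["vendorProject"].lower() != vendor.lower():
        return False
    kev_product = entry["product"].lower()
    return kev_product == "multiple products" or kev_product == product.lower()


def prioritise(kev_json, inventory, today):
    """Return one finding per (host, CVE) pair, highest remediation priority first."""
    findings = []
    for entry in load_kev(kev_json):
        overdue = (today - date.fromisoformat(entry["dueDate"])).days  # negative = not yet due
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        for host, vendor, product, exposed in inventory:
            if not affects(entry, vendor, product):
                continue
            score = max(overdue, 0) + (30 if ransomware else 0) + (20 if exposed else 0)
            findings.append({"host": host, "cve": entry["cveID"], "overdue_days": overdue,
                             "ransomware": ransomware, "exposed": exposed, "score": score})
    findings.sort(key=lambda f: (-f["score"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(KEV_SNAPSHOT, INVENTORY, ASSESSMENT_DATE):
        print(f"{f['score']:4d}  {f['host']:<8}{f['cve']:<16}overdue={f['overdue_days']:+d}d")
```

The weights are illustrative; the point is that KEV due dates and the ransomware-use flag give a defensible, data-driven order in which to patch rather than treating every CVE alike.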
Ransomware-as-a-Service (RaaS) is a Growing Threat
- The rise of RaaS: The Clop ransomware group, which operates under the RaaS model, highlights a shift in how ransomware attacks are being carried out. These groups lower the barrier to entry for cybercriminals, allowing less skilled affiliates to carry out sophisticated attacks.
- Targeting critical sectors: The industries affected by Clop (e.g., healthcare, logistics, retail, and finance) underscore the need for enhanced protection in sectors handling sensitive data. These sectors are often more vulnerable because they may have outdated security measures or insufficient resources to implement cutting-edge protection.
Double and Triple Extortion Tactics
- Data exfiltration is as dangerous as encryption: The growing trend of double and triple extortion is a reminder that ransomware attacks are no longer just about file encryption. Cybercriminals are increasingly stealing data before encryption and threatening to release it unless ransoms are paid. This means defenses cannot stop at protecting files from being encrypted; sensitive data must also be protected from theft through comprehensive encryption and access controls.
Zero Trust Security Models Are Key
- Adopting Zero Trust: As we see the increasing sophistication of ransomware groups like Clop, it’s clear that zero trust models are critical in preventing lateral movement within networks. Zero trust ensures that no device or user is automatically trusted, even if they are inside the network perimeter. This approach helps mitigate the impact of breaches when attackers gain initial access.
Regular Vulnerability Assessments
- Proactive vulnerability hunting: Regular vulnerability assessments and penetration testing are essential in identifying and addressing potential flaws before they are exploited. The vulnerabilities in file transfer tools such as Accellion FTA, GoAnywhere MFT, and MOVEit Transfer show that seemingly minor software flaws can lead to widespread damage if not promptly identified and patched.
Communication with Third-Party Vendors
- Vendor risk management: Clop’s use of vulnerabilities in third-party software like Cleo’s file transfer products stresses the need for third-party risk management. Organizations need to maintain strong relationships with their vendors to ensure that vendors address vulnerabilities in their products quickly and provide timely updates. Regularly reviewing and auditing the security posture of vendors is essential for maintaining a secure ecosystem.
Employee Education and Awareness
- Human error remains a weak link: Even with technical defenses in place, human error continues to be a significant vulnerability. Employee education on phishing, social engineering, and basic security hygiene is essential. Ensuring staff are trained to recognize suspicious emails, attachments, or links can prevent ransomware from gaining initial access to networks.
Incident Response Plans Are Crucial
- Preparedness is key: Cybercriminals, particularly ransomware groups, operate with speed. A well-defined incident response plan can drastically reduce the time it takes to respond to an attack and minimize its impact. Regular testing of these plans through tabletop exercises or simulated attacks can help ensure that your team is ready to act quickly in the event of a breach.
Conclusion
The cybersecurity landscape is becoming increasingly complex, with ransomware groups like Clop exploiting unpatched vulnerabilities and using sophisticated tactics to extort businesses. By learning from these incidents, organizations can better prepare themselves by implementing a robust patch management system, adopting zero trust security models, proactively assessing vulnerabilities, and ensuring that employees are educated and prepared for potential cyber threats. Cyber resilience is no longer optional—it’s essential for protecting both sensitive data and business continuity in today’s digital world.
For more information on how LevelBlue’s Incident Readiness and Response services can help your organization, please contact our cybersecurity consultants at caas-irf@levelblue.com
Original Post url: https://levelblue.com/blogs/security-essentials/february-2025-cybersecurity-consulting-updates-and-ransomware-activity