ReliaQuest’s report analyzed incidents from December 2024 to February 2025, revealing a surge in attacks by financially motivated actors targeting vulnerabilities in external remote services and internal phishing tactics. Key findings include increased VPN brute-forcing, MSHTA command abuses, and advancements in malware. Recommendations for improved cyber defenses include enabling specific detection rules and enhancing employee training against phishing.
Affected: VPN services, remote desktop infrastructures, Microsoft Teams, financial sectors, retail trade
Key points:
- Significant rise (21.3%) in initial access attempts via VPN, RDP, and VDI.
- Brute-forcing of Administrator accounts via RDP was noted.
- MSHTA abuse for defense evasion increased by 7.8%.
- Internal phishing remains the predominant technique for lateral movement.
- The “Sneaky 2FA” phishing kit was first observed, simplifying business email compromises.
- CL0P ransomware emerged as the most active group during the reporting period.
- Retail sector saw a 153% increase in ransomware leak listings.
MITRE techniques:
- TA0003: T1133 – External Remote Services: Detects unauthorized access attempts via brute-force on VPNs.
- TA0002: T1059.003 – Windows Command Shell, TA0005: T1218.005 – Mshta: Monitors execution of suspicious MSHTA commands to prevent defense evasion.
- TA0043: T1598.002 – Spearphishing Attachment, TA0008: T1534 – Internal Spearphishing: Detects phishing attacks where users are tricked into entering credentials.
- TA0001: T1190 – Exploit Public-Facing Application, TA0003: T1505.001 – SQL Stored Procedures: Detects SQL injection attempts against databases.
Indicators of compromise:
- [IP Address] 98.185.158.20
- [IP Address] 94.156.227.69
- [Domain] assets-gbr.mkt.dynamics.com
- [Email Address] [email protected]
- [Domain] human-verify.shop/xfiles/verify.mp4
Full Story: https://www.reliaquest.com/blog/threat-spotlight-cyber-attacker-techniques-dec-2024-to-feb-2025/