Report: Why Managed Service Providers Are Now Ground Zero for Attacks

By Cybersol·March 12, 2026·7 min read
Source: originally from "Report: Why Managed Service Providers Are Now Ground Zero for Attacks"
# MSP Compromise as First-Order Vendor Risk: Why Board-Level Governance Frameworks Are Failing

## Framing

Managed Service Providers have transitioned from operational dependencies to deliberate attack vectors—yet most organizations continue to treat MSP relationships as commodity vendor engagements rather than security perimeters. The ConnectWise 2025 MSP Threat Report, analyzed by Cam Sivesind, reveals a structural governance failure with direct implications for board-level vendor risk oversight, contractual liability allocation, and regulatory notification obligations under NIS2 and DORA. When an MSP is compromised, liability cascades across dozens of client organizations simultaneously, yet contractual frameworks and incident response plans rarely account for this multiplier effect. This asymmetry represents one of the most underestimated concentration risks in modern supply chain security.

## The Deliberate Targeting of MSPs as Force Multipliers

Threat actors have fundamentally shifted strategy. Rather than attacking well-defended enterprises directly, attackers now compromise MSPs to reach dozens or hundreds of downstream small and midsized business (SMB) customers through a single breach. This represents a deliberate pivot toward efficiency and scale. MSPs occupy a uniquely dangerous intersection: they manage high-privilege remote access tools, support multiple clients on shared infrastructure, and often operate with fewer dedicated security resources than large enterprises. A single compromise cascades across customer environments simultaneously, creating what the report characterizes as a concentration of risk rather than distributed defense.

The post-LockBit ransomware ecosystem illustrates this evolution. Following the coordinated law enforcement takedown in early 2025, threat actors did not retreat—they fragmented. LockBit offshoots like "NotLockbit" emerged alongside new players such as BianLian and CosmicBeetle. Critically, attackers shifted targeting patterns away from large enterprises toward mid-sized organizations and MSP-managed environments to avoid law enforcement scrutiny. This tactical adjustment directly increases MSP compromise frequency and expands the attack surface for organizations with limited in-house security maturity. For governance teams, this means MSP compromise risk is no longer a tail-risk scenario—it is an active, sustained threat vector.

## Remote Access Tools as Privileged Attack Surfaces

The ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) exemplify a critical governance blind spot. These remote access tools operate at privileged levels with minimal client visibility and are patched reactively rather than proactively. CVE-2024-1709, rated CVSS 10.0 (authentication bypass), allowed attackers unauthorized access to MSP environments—precisely the infrastructure clients depend on for security operations. Cloud instances were secured within 48 hours, but unpatched on-premises systems remained heavily exploited, forcing U.S. CISA to add the vulnerability to its Known Exploited Vulnerabilities catalog.

This creates a circular dependency that most organizations have not quantified contractually: the vendor responsible for patching remote access infrastructure is simultaneously the vector through which it can be exploited. Service level agreements specify patch timelines in days or weeks, yet zero-day windows operate in hours. Organizations face a documented liability exposure—if an MSP-managed remote access tool is compromised and used to breach client systems, responsibility allocation becomes contested. Contractual frameworks rarely specify who bears liability for delayed patching, forensic investigation costs, or downstream client notification obligations. This gap represents a material governance and insurance coverage risk.

## Data Exfiltration, Backup Compromise, and Multi-Jurisdictional Notification Complexity

A critical evolution in threat tactics is the rise of pure data exfiltration without encryption. Groups like RansomHub steal data and threaten public disclosure without encrypting systems, bypassing controls designed to detect ransomware behavior. For MSPs, this tactic is particularly damaging because MSPs routinely hold client backups, configurations, credentials, and sensitive operational data. A single MSP compromise triggers notification obligations across multiple jurisdictions simultaneously—each with different timelines, thresholds, and regulatory requirements.

Under NIS2 and DORA, organizations must verify their MSP maintains equivalent security controls and cyber liability insurance. Yet most lack contractual mechanisms to enforce this verification or to obtain timely forensic findings from the MSP following an incident. Notification complexity compounds when clients lack visibility into the MSP's incident timeline, containment actions, or forensic conclusions. Organizations may be unable to determine whether their data was exfiltrated, when, or by whom—creating regulatory reporting uncertainty. This represents a material gap between contractual obligations and practical incident response capability. Governance teams should stress-test notification scenarios assuming MSP compromise and verify cyber liability coverage explicitly addresses MSP-originated breaches affecting multiple clients simultaneously.

## Edge Device Vulnerabilities and Supply Chain Attack Propagation

The report documents more than 84,000 alerts targeting edge device vulnerabilities across MSP-managed environments in 2024 alone, with roughly 60% involving vulnerabilities disclosed that same year. Common targets included VPNs, SSL gateways, firewalls, managed file transfer platforms, and exposed remote services. Threat actors exploit unpatched edge software, misconfigurations, weak credentials, and zero-day vulnerabilities in perimeter technologies. For MSPs, edge security failures become supply chain attacks by default, enabling lateral movement into customer networks.

This represents a second-order governance failure: organizations audit their own edge security posture but delegate edge device management to MSPs under generic service agreements. Patch management cadence, vulnerability disclosure processes, and containment procedures are rarely specified contractually or monitored continuously. When an MSP-managed edge device is compromised, clients often lack forensic visibility into how long the device was exposed, what data transited the compromised perimeter, or what lateral movement occurred downstream. Governance teams should require contractual provisions specifying MSP edge device patch timelines, mandatory EDR deployment on perimeter infrastructure, and real-time alerting for critical vulnerability exploitation.

## EDR Evasion and the Insufficiency of Point Security Solutions

One of the most alarming trends documented in the report is the rise of purpose-built "EDR killer" tools. The ConnectWise Cyber Research Unit observed widespread use of techniques designed to disable or evade endpoint detection before deploying payloads. Tools including EDRKillShifter, Terminator, AuKill, EDRSilencer, and EDRSandBlast employ BYOVD (Bring Your Own Vulnerable Driver) attacks, kernel-level exploits, and abuse of legitimate utilities such as TDSSKiller. These techniques allow attackers to persist undetected, exfiltrate data, and deploy ransomware with minimal resistance.

The implication is stark: EDR alone is no longer sufficient as a security control. Yet many organizations—and their MSPs—continue to treat EDR as a primary detection mechanism without layering tamper protection, network telemetry, SIEM correlation, and zero-trust principles. For MSPs managing multiple client environments, this creates a compounding risk: a single EDR evasion technique can be weaponized across dozens of customer networks simultaneously. Governance teams should require MSPs to implement defense-in-depth architectures that assume EDR compromise and include network-level detection, behavioral analytics, and privileged access management controls independent of endpoint tools.

## Cybersol's Governance Perspective

Organizations have not mapped data flows through MSP relationships, stress-tested incident response against MSP compromise scenarios, or verified cyber liability coverage for MSP-originated breaches affecting multiple clients. Vendor risk questionnaires remain generic and do not address MSP-specific vectors such as remote access vulnerabilities, edge device management, EDR evasion techniques, or backup infrastructure security. Scenario-based risk assessments assuming MSP compromise should inform both contractual negotiations and incident response planning.

A critical oversight: most organizations lack contractual provisions requiring MSPs to maintain cyber liability insurance with coverage limits reflecting the multiplier effect of MSP compromise. When an MSP breach affects 50 downstream clients, insurance coverage designed for single-organization incidents becomes inadequate. Contractual frameworks should specify MSP insurance minimums, require named additional insured status for clients, and establish clear liability allocation for delayed patching, forensic investigation, and notification costs. Additionally, organizations should require MSPs to maintain and regularly test incident response playbooks that account for multi-tenant impact and parallel notification obligations across multiple jurisdictions.

The rise of EDR evasion techniques and data exfiltration tactics also reveals a governance gap in security tool selection. Organizations should require MSPs to deploy security solutions with built-in tamper protection, kernel-level monitoring, and behavioral analytics—not just endpoint detection. Patch management must be treated as an existential priority with contractual enforcement mechanisms, including penalties for delayed
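The "Remote Access Tools" section above contrasts SLAs written in days or weeks with zero-day windows measured in hours, and the edge-device section asks for contractually specified patch timelines. The script below is an added example (not code from the article or from ConnectWise) that makes that comparison concrete: it takes a constructed inventory of MSP-managed assets, applies a two-tier SLA (a standard window in days, tightened to hours once CISA lists the CVE as known-exploited), and reports per-tenant exposure hours, SLA breaches and the blast radius of one CVE across tenants. All rows, dates and SLA values are constructed sample data; `CVE-2024-XXXXX` is a placeholder identifier.

```python
"""Contractual patch SLA vs. actual exposure for MSP-managed assets.

Added example, not code from the article or the ConnectWise report. The
inventory, SLA values and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    tenant: str                    # downstream client of the MSP
    hostname: str
    cve: str
    disclosed: datetime            # vendor advisory published
    kev_added: Optional[datetime]  # CISA KEV listing, None if never listed
    patched: Optional[datetime]    # None = still unpatched


@dataclass(frozen=True)
class Sla:
    standard_days: int  # contractual window for any disclosed CVE
    kev_hours: int      # tighter window once the CVE is known-exploited


def deadline(asset: Asset, sla: Sla) -> datetime:
    """Contractual deadline: the earlier of the standard and KEV-driven dates."""
    due = asset.disclosed + timedelta(days=sla.standard_days)
    if asset.kev_added is not None:
        due = min(due, asset.kev_added + timedelta(hours=sla.kev_hours))
    return due


def exposure_hours(asset: Asset, now: datetime) -> float:
    """Hours from disclosure to patch, or to 'now' if still unpatched."""
    end = asset.patched if asset.patched is not None else now
    return max(0.0, (end - asset.disclosed).total_seconds() / 3600)


def sla_breached(asset: Asset, sla: Sla, now: datetime) -> bool:
    end = asset.patched if asset.patched is not None else now
    return end > deadline(asset, sla)


def blast_radius(assets: List[Asset], cve: str) -> Set[str]:
    """Tenants that carried the same CVE: one MSP-side flaw, many clients."""
    return {a.tenant for a in assets if a.cve == cve}


def breached_tenants(assets: List[Asset], sla: Sla, now: datetime, cve: str) -> List[str]:
    return sorted({a.tenant for a in assets if a.cve == cve and sla_breached(a, sla, now)})


def report(assets: List[Asset], sla: Sla, now: datetime) -> Dict[str, List[dict]]:
    out: Dict[str, List[dict]] = {}
    for a in assets:
        out.setdefault(a.tenant, []).append({
            "host": a.hostname,
            "cve": a.cve,
            "exposure_hours": round(exposure_hours(a, now), 1),
            "deadline": deadline(a, sla),
            "breached": sla_breached(a, sla, now),
        })
    return out


# Constructed sample data: the CVE id is from the article, the dates are not.
NOW = datetime(2024, 3, 1, 12, 0)
SLA = Sla(standard_days=14, kev_hours=48)
DISCLOSED = datetime(2024, 2, 19)
KEV = datetime(2024, 2, 22)
ASSETS = [
    Asset("clientA", "rmm-01", "CVE-2024-1709", DISCLOSED, KEV, datetime(2024, 2, 20, 10)),
    Asset("clientB", "rmm-02", "CVE-2024-1709", DISCLOSED, KEV, None),
    Asset("clientB", "rmm-03", "CVE-2024-1709", DISCLOSED, KEV, datetime(2024, 2, 26, 9)),
    Asset("clientC", "fw-edge-01", "CVE-2024-XXXXX", datetime(2024, 2, 25), None, None),
]

if __name__ == "__main__":
    for tenant, rows in report(ASSETS, SLA, NOW).items():
        for r in rows:
            flag = "BREACH" if r["breached"] else "ok"
            print(f"{tenant:8} {r['host']:11} {r['cve']:15} {r['exposure_hours']:7.1f}h  {flag}")
    print("tenants exposed to CVE-2024-1709:", sorted(blast_radius(ASSETS, "CVE-2024-1709")))
```

The KEV override is the part worth negotiating into an MSP contract: a 14-day window reads fine on paper, but the report's ScreenConnect timeline (cloud patched in 48 hours, on-premises systems exploited for far longer) shows that the clock that matters starts when exploitation is confirmed, not when the advisory is published.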
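The "EDR Evasion" section above describes BYOVD-based EDR killers and recommends SIEM correlation that does not depend on the endpoint agent's own telemetry surviving. The script below is an added example (not code from the article, ConnectWise, or any EDR vendor) of such a correlation run over constructed, Sysmon-style driver-load and process-termination records from several MSP tenants: it flags a driver loaded from outside the system driver directory or without a valid signature, escalates when the tenant's EDR agent process terminates within ten minutes on the same host, and then counts how many tenants show the pattern. The log format, the tenant and host names, and the agent binary name `edr-agent.exe` are all assumptions made for the example.

```python
"""Cross-tenant correlation of suspicious driver loads with EDR agent termination.

Added example, not from the article or any vendor. Input lines are a
constructed pipe-delimited format: ts|tenant|host|event|k=v;k=v
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical agent binary; substitute the real process names of the deployed EDR.
EDR_PROCESSES = {"edr-agent.exe"}
# Drivers are normally staged here; BYOVD tooling usually drops them elsewhere.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    tenant: str
    host: str
    kind: str
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    ts, tenant, host, kind, rest = line.strip().split("|", 4)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), tenant, host, kind, fields)


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_driver(ev: Event) -> bool:
    """A valid signature alone is not a clean signal: BYOVD drivers are legitimately
    signed. Path outside the driver store or a non-valid signature is the trigger."""
    if ev.kind != "DriverLoad":
        return False
    img = ev.fields.get("image", "").lower()
    in_trusted = any(img.startswith(d) for d in TRUSTED_DRIVER_DIRS)
    return (not in_trusted) or ev.fields.get("sigstatus") != "Valid"


def correlate(lines: List[str]) -> List[dict]:
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_host: Dict[tuple, List[Event]] = defaultdict(list)
    for e in events:
        by_host[(e.tenant, e.host)].append(e)
    alerts = []
    for (tenant, host), evs in by_host.items():
        for i, e in enumerate(evs):
            if not suspicious_driver(e):
                continue
            finding = {"tenant": tenant, "host": host, "driver": e.fields["image"],
                       "loaded_at": e.ts, "severity": "medium", "edr_terminated": None}
            for later in evs[i + 1:]:
                if later.ts - e.ts > WINDOW:
                    break
                if later.kind == "ProcessTerminate" and basename(later.fields.get("image", "")) in EDR_PROCESSES:
                    finding["severity"] = "high"
                    finding["edr_terminated"] = later.ts
                    break
            alerts.append(finding)
    return alerts


def tenants_affected(alerts: List[dict], severity: str = "high") -> List[str]:
    """Distinct tenants showing the pattern: the MSP-scale view of one technique."""
    return sorted({a["tenant"] for a in alerts if a["severity"] == severity})


# Constructed sample log: four tenants managed by one MSP.
SAMPLE_LOG = r"""
2025-05-01T09:00:05Z|clientA|WS-0142|DriverLoad|image=C:\Users\Public\tmp\drv.sys;signed=true;sigstatus=Valid;signer=ExampleCorp
2025-05-01T09:00:11Z|clientA|WS-0142|ProcessTerminate|image=C:\Program Files\EDR\edr-agent.exe
2025-05-01T09:03:40Z|clientA|WS-0142|ProcessCreate|image=C:\Users\Public\tmp\payload.exe
2025-05-01T09:01:02Z|clientB|SRV-07|DriverLoad|image=C:\Users\Public\tmp\drv.sys;signed=true;sigstatus=Valid;signer=ExampleCorp
2025-05-01T09:01:09Z|clientB|SRV-07|ProcessTerminate|image=C:\Program Files\EDR\edr-agent.exe
2025-05-01T10:15:00Z|clientC|WS-0009|DriverLoad|image=C:\Windows\System32\drivers\vendor_display.sys;signed=true;sigstatus=Valid;signer=ExampleGPUVendor
2025-05-01T10:40:00Z|clientC|WS-0009|ProcessTerminate|image=C:\Program Files\EDR\edr-agent.exe
2025-05-01T11:00:00Z|clientD|WS-0300|DriverLoad|image=C:\Windows\Temp\x.sys;signed=false;sigstatus=Unavailable;signer=
"""

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["severity"].upper(), a["tenant"], a["host"], a["driver"], a["edr_terminated"])
    print("tenants with EDR killed after suspicious driver load:", tenants_affected(found))
```

Two design choices matter here. The driver-load and termination events must reach the SIEM from a source the agent does not control (Sysmon or the OS event log forwarded independently), because by the time the agent is terminated its own telemetry has stopped; and the same validly signed driver appearing on hosts in two tenants within a minute is the MSP-specific signal the report warns about, which is why the output is grouped by tenant rather than by host. The routine agent restart on clientC does not fire because the preceding driver load came from the driver store.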