MSP Cyberthreat Report
2023
MSPs face unique cybersecurity challenges in securing their businesses and their customers. This report covers those challenges specifically, using threat intelligence, insights, and predictions from the ConnectWise Cyber Research Unit (CRU). The report includes:
Major MSP-focused hacks in 2023
Emerging and continuing cyberattack trends
Top ransomware methods of threat actors
Action items for MSPs in 2024
Let's Dive Into the Data
The CRU reviewed data from about 2,300 ransomware incidents in 2022. Below are some of their findings.
In 2022, over 25,000 disclosed vulnerabilities were assigned a Common Vulnerabilities and Exposures (CVE) number.
Top 10 Business Sectors Targeted by Ransomware in 2022 (number of security incidents by sector):

MSPs: 2206
Construction: 1782
Real Estate: 1528
Health: 1515
Transport: 1464
Finance: 972
Hospitality: 713
Non-Profit: 660
Education: 420
Telecom: 370
Russian state-sponsored APTs have been focused on defense contractors, critical infrastructure, government, and banking targets.
Top Ransomware Targeting MSPs

Share of the total ransomware incidents targeting MSPs, by ransomware family:

LockBit - 42%
Cl0p - 11%
Hive - 6%
Mount Locker - 6%
Conti - 4%
Cuba - 4%
Everest - 4%
Black Basta - 4%
Snatch - 4%
Stormous - 4%
BlackCat - 3%
Kelvin Security - 3%
Ragnar Locker - 3%
Malware Used in the Russia-Ukraine War

CVEs: In 2022 there were 18 CVEs published related to Microsoft Exchange. Best practices for MSPs with on-premises Exchange include timely deployment of the latest Exchange patches, prohibiting domain admin access for email users, and, if possible, putting Outlook Web Access behind a VPN to prevent unauthorized access.

IoT: The Internet of Things (IoT) is rapidly increasing the number of connected devices globally, which poses new security challenges. IoT devices often run outdated software because they are frequently overlooked by patch management policies that focus only on servers and workstations.

Phishing: Phishing is still one of the most common methods used by threat actors for initial access. The most prominent method observed in 2022 was the use of LNK files. They are simple to craft, appear innocuous, allow nearly arbitrary execution, and do not trigger many of the Mark of the Web defenses that apply to Office documents.
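The LNK-based phishing described above lends itself to a simple triage check on the defender's side. The following is an added example (not ConnectWise or CRU code): a minimal parser for the string fields of the Shell Link (.lnk) format as documented in MS-SHLLINK, which flags shortcuts whose target is a script host. The build_lnk helper, the SUSPICIOUS_HOSTS list and the 200-character argument threshold are assumptions for the demo, and the sample shortcut is constructed inline.

```python
"""Minimal .lnk (Shell Link) triage: pull out the target strings and flag
shortcuts that launch interpreters. Added example, not ConnectWise code."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Assumption: hosts a document-style shortcut has no business launching (tune per tenant)
SUSPICIOUS_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                      # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:                           # CountCharacters, then the characters
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * n].decode("utf-16-le"); pos += 2 * n
            else:
                out[key] = data[pos:pos + n].decode("cp1252", "replace"); pos += n
    return out

def triage(data: bytes) -> list[str]:
    """Reasons this shortcut deserves a closer look (empty list = nothing seen)."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    reasons = [f"launches {h}" for h in SUSPICIOUS_HOSTS if h in target]
    if len(fields.get("arguments", "")) > 200:    # padded command lines are a common tell
        reasons.append("unusually long argument string")
    return reasons

def build_lnk(rel_path: str, args: str) -> bytes:
    """Constructed sample shortcut for the demo: Unicode strings, no ID list or LinkInfo."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID,
                         HAS_REL_PATH | HAS_ARGS | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def s(t): return struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + s(rel_path) + s(args)

if __name__ == "__main__":
    sample = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c start report.pdf")
    print(parse_lnk(sample), triage(sample))
```

The same parse_lnk/triage pair can be run over a mail gateway's quarantined attachments or a user's Downloads folder to surface shortcuts worth a second look.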
Vulnerabilities in Review

Vulnerabilities Timeline
Nov 9, 2022 - CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.
Nov 9, 2022 - CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.
Oct 3, 2022 - CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability.
Oct 3, 2022 - CVE-2022-41040 - Microsoft Exchange Server Elevation of Privilege Vulnerability.
Sept 23, 2022 - CVE-2022-3236 - A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
August 29, 2022 - CVE-2022-32548 - An issue was discovered on certain DrayTek Vigor routers before July 2022, such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.
July 29, 2022 - CVE-2022-22280 - Improper Neutralization of Special Elements used in an SQL Command leading to an unauthenticated SQL injection vulnerability, impacting SonicWall GMS 9.3.1-SP2-Hotfix1, Analytics On-Prem 2.5.0.3-2520 and earlier versions.
June 21, 2022 - CVE-2022-30190 - A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.
June 21, 2022 - CVE-2022-26134 - Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows an unauthenticated attacker to perform remote code execution.
June 21, 2022 - CVE-2022-22960 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.
June 21, 2022 - CVE-2022-22954 - VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.
May 18, 2022 - CVE-2022-30138 - Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-29104, CVE-2022-29132.
May 10, 2022 - CVE-2022-26925 - Windows LSA Spoofing Vulnerability.
April 15, 2022 - CVE-2022-26809 - Remote Procedure Call Runtime Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24492, CVE-2022-24528.
April 13, 2022 - CVE-2022-22955 - VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework.
April 13, 2022 - CVE-2022-22959 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross-site request forgery vulnerability.
April 13, 2022 - CVE-2022-22958 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958).
April 13, 2022 - CVE-2022-22956 - VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework.
April 13, 2022 - CVE-2022-22961 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information.
April 13, 2022 - CVE-2022-22957 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958).
January 11, 2022 - CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21855, CVE-2022-21969.
January 11, 2022 - CVE-2022-21907 - HTTP Protocol Stack Remote Code Execution Vulnerability.
January 11, 2022 - CVE-2022-21855 - Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21969.
January 11, 2022 - CVE-2022-21969 - Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.
Vulnerabilities Commonly Exploited

We recommend an audit of your systems and your clients' systems for the vulnerabilities below, especially for organizations related to critical infrastructure, government, defense contractors, and financial institutions.

CVE-2018-13379 - FortiGate VPNs
CVE-2019-1653 - Cisco router
CVE-2019-2725 - Oracle WebLogic Server
CVE-2019-7609 - Kibana
CVE-2019-9670 - Zimbra software
CVE-2019-10149 - Exim Simple Mail
CVE-2019-11510 - Pulse Secure
CVE-2019-19781 - Citrix
CVE-2020-0688 - Microsoft Exchange
CVE-2020-4006 - VMWare
CVE-2020-5902 - F5 Big-IP
CVE-2020-14882 - Oracle WebLogic
CVE-2021-26855 - Microsoft Exchange. Note: This vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Note: This was a zero-day at the time.
Quarterly updates

Ongoing information to keep you up to speed. Read the quarterly updates to stay informed.

Q3-24: Cybersecurity threats are constantly evolving—are you? The Q3 Update addresses any updates or changes to the cybersecurity landscape throughout Q3 of 2024 that could impact MSPs, as well as important reminders of threat indicators to look out for.

Q2-24: Understanding the latest trends and activities is crucial for proactively fortifying your defenses. By examining the tactics, techniques, and procedures employed by threat actors, we aim to equip you with strategic recommendations to enhance your organization's cybersecurity posture.

Q1-24: Cyberthreats are advancing—are you staying a step ahead? Cybersecurity threat actors constantly adapt to ensure their malware, viruses, and other potential cyberthreats are able to evade detection and slip past your defenses.