As Network Capabilities Move to the Edge, So Have Threat Actors

There are at least two notable findings that should concern MSPs within ConnectWise’s most recent MSP Threat Report, which draws from millions of endpoint detection and response (EDR) and security information and event management (SIEM) alerts across thousands of MSPs and their clients to gauge trends within cybersecurity. For starters, “MSPs are increasingly in the crosshairs of attackers targeting the IT ecosystem,” warned the report. Instead of risking the government and media attention that tends to come with attacking larger entities, threat actors are shifting interest to several smaller payloads and are using MSPs – which may have fewer cybersecurity resources – as gateways to attack all their small and midsized business (SMB) customers, said the ConnectWise research team. “Additionally, they are shifting tactics more quickly to try and find vulnerabilities faster than MSPs can fix them.”

Secondly, threat actors increasingly are focusing their attention on the network edge, the report continued, underscoring the expanding attack surface that MSPs must defend. While phishing continues to be the prevalent attack vector, “vulnerabilities in edge devices provide an alternative and often highly effective method for compromising company networks,” said the ConnectWise research unit.

While edge devices such as firewalls, VPNs, RDP gateways, cloud edge solutions and IoT devices often are the first line of defense against cyberthreats, bad guys “are consistently exploiting flaws in these devices to gain initial access to networks,” often leveraging them as entry points for ransomware campaigns and other post-compromise activities, said the report.

Indeed, ConnectWise noted a “sharp increase” since January 2024, in attempted attacks on edge devices, including more than 84,000 recorded alerts targeting specific vulnerabilities in major brands such as Cisco, SonicWall, Palo Alto, Citrix, Check Point and Ivanti.

Of course, as remote work becomes the norm, hybrid cloud environments proliferate and organizations expand their digital footprints, the importance of securing edge systems cannot be overstated, as their security directly impacts the integrity of the entire network. Perhaps that partly explains the increasing popularity of secure access service edge (SASE), which according to Gartner surveys has been adopted already by 39 percent of enterprises, with 60 percent having a clear-cut strategy to adopt SASE in 2025. A top driver for SASE adoption, after all, is its ability to deliver “secure remote access,” show recent surveys by security provider Xalient and HP Enterprise. All the while, the SASE component most widely in active use among SASE customers is SSE, or secure services edge, shows the Xalient survey.

Edgy Trends

Within the rising tide of attacks targeting edge systems, the ConnectWise research unit observed and recorded some common trends in the tactics used. For example, many high-profile breaches have been traced back to edge devices running obsolete or outdated software, such as the MOVEit vulnerability, which allowed attackers to exploit unpatched file transfer systems, leading to significant data breaches and financial losses.

Meanwhile, exposed remote access services, such as RDP gateways, VPNs, SSH and other remote-capable services, are frequent targets for brute-force attacks, said ConnectWise. “Many attacks that targeted these services were perpetrated with compromised or default credentials. A notable example involved ransomware groups exploiting exposed RDP services to infiltrate a network and encrypt files,” said the report.
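The brute-force-then-compromise pattern described above is straightforward to surface in authentication logs. The following detector is an added example and not code from the ConnectWise report; it assumes sshd-style syslog lines (the sample lines are constructed) and the 4-failures-in-2-minutes threshold is an arbitrary starting point to tune per environment.

```python
# Added example, not from the ConnectWise report: flag password brute-forcing against an
# exposed SSH service and escalate when the same source then logs in successfully, the
# "compromised or default credentials" pattern the report describes. Log lines are
# constructed in sshd's syslog format; RDP gateway or VPN logs carry the same fields.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2024):
    """Return (timestamp, outcome, user, source) or None; syslog lines omit the year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def detect(lines, threshold=4, window=timedelta(minutes=2)):
    """Return (source, alert) pairs: 'bruteforce' once a source reaches `threshold`
    failures inside `window`, then 'compromise:<user>' if that source later succeeds."""
    failures = defaultdict(deque)  # source -> timestamps of its recent failures
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unrelated log line
        ts, outcome, user, src = rec
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce"))
        elif src in flagged:  # Accepted login from a source already brute-forcing
            alerts.append((src, f"compromise:{user}"))
    return alerts

SAMPLE = [  # constructed sample lines, not real traffic
    "Mar 12 10:00:01 edge sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2",
    "Mar 12 10:00:05 edge sshd[813]: Failed password for root from 203.0.113.7 port 51114 ssh2",
    "Mar 12 10:00:10 edge sshd[816]: Failed password for ops from 198.51.100.9 port 40022 ssh2",
    "Mar 12 10:00:14 edge sshd[818]: Failed password for invalid user test from 203.0.113.7 port 51116 ssh2",
    "Mar 12 10:00:20 edge sshd[820]: Failed password for root from 203.0.113.7 port 51118 ssh2",
    "Mar 12 10:00:31 edge sshd[822]: Accepted password for root from 203.0.113.7 port 51120 ssh2",
]
```

Running `detect(SAMPLE)` yields a bruteforce alert for 203.0.113.7 followed by a compromise alert for the root account; the single failure from 198.51.100.9 stays below threshold.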

Misconfigured services likewise are a trending issue. That includes misconfigured firewalls, open ports and poorly secured cloud gateways that create opportunities for unauthorized access, said ConnectWise researchers. In one instance, a misconfigured Citrix appliance was exploited, enabling attackers to bypass authentication and gain administrative control over a network. And this year, many of the widely exploited vulnerabilities involved zero-day attacks targeting network edge technologies, showed the report.

Of course, it’s not just edge devices that are of concern; ConnectWise reported a mass exploitation of edge software. “Threat actors have increasingly targeted vulnerabilities in edge software such as MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS and Ivanti ConnectSecure,” said the MSP Threat Report. “These services, which are often exposed to the internet, are attractive entry points for attackers seeking initial network access.”

And not surprisingly, threat actors have intensified attacks on edge platforms that lack traditional endpoint detection solutions. Attacks on IoT and OT devices surged due to their limited monitoring capabilities, showed the findings.

On the flip side of things, MSPs face several challenges in the implementation of strong and secure edges for their customers. One challenge that is arguably no one’s fault is the complexity of today’s environments. “The convergence of on-premises, cloud and IoT systems creates a complex environment that can be difficult to monitor and secure,” ConnectWise researchers pointed out. This can lead to a lack of awareness: many organizations simply are unaware of the extent of their exposed services or the potential risks associated with misconfigurations, they continued.

Arguably a bit more controllable is the challenge of delayed patching. ConnectWise’s findings suggest that organizations often struggle to keep up with patches and updates for edge systems, leaving them vulnerable to known exploits. Also somewhat controllable are the weak or reused credentials on exposed services such as RDP and SSH that remain a major risk, with the lack of basic multifactor authentication (MFA) compounding that risk, explained the report.

EDR Emergencies

Even when it seems as if proper measures have been taken, MSPs and their customers must remain more diligent than ever on the edge. Say, for example, an endpoint detection and response (EDR) solution is in place, providing network administrators with some level of confidence.

“As attackers increasingly targeted edge devices to breach networks, their post-compromise activities often revealed a focus on disabling or evading detection tools such as EDR solutions,” warned the MSP Threat Report.

In 2024, the ConnectWise research unit observed a surge in the use of sophisticated EDR evasion techniques and purpose-built “EDR-killer” tools designed to undermine endpoint defenses. “These tools were pivotal in enabling attackers to maintain persistence, escalate privileges and move laterally undetected,” said the researchers.

The focus on EDR evasion stems from an increasing reliance of organizations on these tools for protection, said ConnectWise researchers. Threat actors have recognized that neutralizing EDR systems not only facilitates initial access but also ensures the persistence and stealth necessary for long-term campaigns.

Early EDR tools, ConnectWise researchers explained, lacked the more robust defenses and anti-tampering mechanisms we often see today, allowing adversaries to primarily rely on a few straightforward techniques to evade these early EDR agents. But as EDR vendors recognized these weaknesses and began hardening their solutions with kernel-level monitoring, improved behavioral analysis and stricter anti-tamper controls, threat actors pivoted to leveraging “bring your own vulnerable driver” (BYOVD) and other kernel exploits that allowed them to neutralize EDR at a deeper level.

A particularly alarming trend, noted the research report, is the growing prevalence of tools and techniques specifically designed to disable or manipulate EDR solutions. These EDR killers aim to neutralize defensive mechanisms before executing their payloads, with methods ranging from tampering with EDR configurations to exploiting vulnerabilities within the solutions themselves.

One emerging tactic involves exploiting kernel-level vulnerabilities, said ConnectWise researchers. Because EDR solutions often operate at the kernel level to gain deep visibility into endpoint activities, any vulnerabilities in this layer present significant risks.

“Once compromised, attackers can effectively blind the EDR system, ensuring that their activities go undetected,” said the MSP Threat Report. “Additionally, many EDR killers employ reflective loading to inject malicious code into processes without creating new files or altering existing ones, making their activities even more challenging to detect.”
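The BYOVD pivot and the EDR-killer behaviours described in the last few paragraphs leave traces a defender can look for: a kernel driver arriving from an unusual path or matching a known-vulnerable hash, and service-control commands aimed at the EDR agent. The triage pass below is an added example, not code from ConnectWise or any EDR vendor; it assumes Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records, and the hashes, driver paths and EDR service name are constructed placeholders.

```python
# Added example, not from the ConnectWise report: a triage pass over Sysmon-style events
# for two EDR-killer behaviours the report names, a kernel driver the attacker brings
# along (BYOVD) and tampering with the EDR service itself. Field names follow Sysmon
# Event ID 6 (DriverLoad) and 1 (ProcessCreate); all sample values are constructed.
import re

# Constructed denylist; in practice seed it from a maintained list of known-vulnerable
# driver hashes such as Microsoft's vulnerable driver blocklist.
VULN_DRIVER_SHA256 = {"11" * 32}
EDR_SERVICES = {"exampleedr"}  # constructed placeholder for the EDR's service name
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Service-control commands aimed at the EDR service: "sc stop/delete/config", "net stop".
TAMPER_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop)\b.*?\b(?:"
    + "|".join(map(re.escape, EDR_SERVICES)) + r")\b",
    re.IGNORECASE,
)

def sha256_of(hashes_field):
    """Sysmon writes 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'; return the SHA256 part."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None

def triage(events):
    """Return (event_index, reason) for each event matching an EDR-killer pattern."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 6:  # DriverLoad: what got into the kernel, and from where
            image = ev.get("ImageLoaded", "").lower()
            if sha256_of(ev.get("Hashes", "")) in VULN_DRIVER_SHA256:
                findings.append((i, "known-vulnerable driver loaded"))
            elif not image.startswith(SYSTEM_DRIVER_DIR):
                findings.append((i, "driver loaded from non-system path"))
            elif ev.get("SignatureStatus", "").lower() != "valid":
                findings.append((i, "driver with invalid or missing signature"))
        elif ev["EventID"] == 1 and TAMPER_RE.search(ev.get("CommandLine", "")):
            findings.append((i, "EDR service tampering command"))
    return findings

SAMPLE_EVENTS = [  # constructed events
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\exampleedr.sys",
     "Hashes": "SHA256=" + "22" * 32, "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\rt.sys",
     "Hashes": "SHA256=" + "11" * 32, "SignatureStatus": "Valid"},
    {"EventID": 1, "CommandLine": "sc.exe stop exampleedr"},
    {"EventID": 1, "CommandLine": "notepad.exe report.txt"},
]
```

Note that a validly signed driver is not a clean driver: the hash check runs first precisely because BYOVD relies on legitimately signed but vulnerable drivers, which is why the second sample event is flagged despite its valid signature.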

Of course, in the never-ending game of cat-and-mouse, EDR vendors continually enhance their products to counteract the latest evasion techniques. But it’s also crucial for MSPs to ensure timely patching of edge appliance operating systems, ConnectWise researchers warned.

“The threats outlined above emphasize the critical importance of proactive patch management and robust security monitoring in MSP environments,” they continued. “As threat actors continue to develop more sophisticated techniques and target high-impact platforms and devices, MSPs must be diligent and comprehensive in their defense strategies to mitigate risks effectively.”