Insights

Executive Summary On May 29, 2025, ConnectWise publicly disclosed a cybersecurity breach targeting its ScreenConnect remote access platform. The attack, attributed to a sophisticated nation-state threat actor, compromised a limited number of customer environments. ConnectWise has since engaged cybersecurity firm Mandiant, implemented network hardening, and has not observed further suspicious activity. This incident underscores the persistent targeting of Managed Service Providers (MSPs) and their tools by advanced adversaries, with potential implications across multiple customer environments and critical infrastructure sectors. Incident Overview Impacted Organization:ConnectWise, a provider of IT management and remote access tools, including ScreenConnect. Date of Disclosure:May 29, 2025 Type of Incident:Cyberattack linked to a nation-state threat actor Impacted System:Cloud-hosted instances of ScreenConnect Discovery:The breach was discovered internally by ConnectWise, prompting an immediate investigation in collaboration with Mandiant. Technical Details Suspected Attack Vector:While ConnectWise has not confirmed the exploit used, the security community has pointed to the possible use of…

Collecting logs isn't security. And having a tool doesn't mean you're protected. What matters is what you do with that information-and how fast you act on it. The Implementing SIEM and SOAR Platforms: Executive Guidance makes it clear: visibility without intelligence is noise. Automation without expertise is dangerous. SIEM and SOAR systems only provide value when they're properly implemented, expertly tuned, and continuously managed. That's where Critical Path Security's Managed Security Operations Center (MSOC) steps in-powered by our AI-driven enrichment engine and the Léargas XDR platform. What Our MSOC Does Differently 24/7 Threat MonitoringWe continuously monitor your systems using battle-tested detection logic and threat intelligence-so you don't miss critical alerts while your team sleeps. AI-Powered Enrichment with MCP ServersOur Multi-modal Command Processor (MCP) servers provide deep enrichment, cross-log correlation, and narrative-driven alerting, which dramatically reduce investigation time and analyst fatigue. Integrated Léargas XDRWith Léargas XDR, visibility spans across endpoints, identities,…

In our latest interview with Ryan Vargas, we got a firsthand look at what's fuelling his drive this season-upcoming races, continued team growth, and the strong foundation built through our ongoing partnership with Critical Path Security. All Eyes on Chicago and Canada Ryan shared his excitement about the next stops on the schedule: Chicago and Canada. With travel plans in motion and preparations underway, the team is dialed in for what promises to be a high-stakes stretch of the season. These events offer not just track time, but the chance to go head-to-head with some of the best in the business. A Dream Realized at CTMP One standout on the calendar? Canadian Tire Motorsport Park (CTMP). For Ryan, this race carries personal significance. "CTMP has always been on my bucket list," he told us. "To finally get the chance to race there is huge-it's something I've looked forward to for…

On May 21, 2025, CISA and international cybersecurity authorities issued CSA AA25-141A, attributing a sophisticated espionage campaign to GRU Unit 26165 (APT28/Fancy Bear). These operations have targeted logistics and IT support organizations involved in foreign aid to Ukraine. Zeek Threat Intelligence Feed - Download Summary of Threat Campaign APT28 uses diverse tactics to infiltrate and persist in networks, combining spearphishing, zero-day exploitation, credential attacks, and post-exploitation frameworks to exfiltrate sensitive operational data. Common Techniques Used: Initial Access Credential stuffing and brute-force attacks via Tor and commercial VPNs Spearphishing with links to spoofed login pages Exploitation of CVEs, including: CVE-2023-23397 (Outlook NTLM hash leak) CVE-2023-38831 (WinRAR exploit) Roundcube CVEs: 2020-12641, 2020-35730, 2021-44026 Lateral Movement & Persistence Deployment of OpenSSH for command/control Use of native tools like Impacket, PsExec, Certipy, ADExplorer Lateral RDP access and NTDS.dit extraction Scheduled task creation with schtasks Data Collection & Exfiltration Abuse of mailbox permissions for persistent…