A Qualitative Synthesis of Cyberattack Trends in Managed Service Providers: Analyzing Multi-Tenant Vulnerabilities and Mitigation Strategies

1 Business IT Services, Crumbacher Business, Inc., 2907 Agua Fria St., Santa Fe, NM 87507, USA
2 Master’s Programs in Cyber Security, College of Engineering, University of Toledo, 2801 Bancroft St., Toledo, OH 43606, USA
* Author to whom correspondence should be addressed.
Information 2026, 17(4), 378; https://doi.org/10.3390/info17040378
Submission received: 18 February 2026 / Revised: 1 April 2026 / Accepted: 10 April 2026 / Published: 17 April 2026

Abstract

Managed Service Providers (MSPs) have increasingly become prime targets for cyberattacks due to their privileged access across multiple client environments. Utilizing a qualitative thematic synthesis and an Open-Source Intelligence (OSINT) methodology, this study examines a purposive sample of major MSP-targeted cyber incidents from 2020 to 2025 to identify common attack patterns, exploited vulnerabilities, and operational impacts on downstream clients, particularly small and medium-sized businesses. Analysis of publicly reported incidents reveals a clear trend toward attacks leveraging centralized management platforms, remote access tools, and multi-tenant architectures, resulting in cascading disruptions from limited initial compromise. The synthesis highlights extortion-driven ransomware, supply chain compromises, and the exploitation of unpatched edge devices as dominant threats. To counter these systemic risks, this study outlines contextualized mitigation strategies such as zero trust principles, strict identity controls, tenant isolation, and continuous monitoring tailored to balance security requirements with MSP operational constraints. While these strategies are evidence-informed and grounded in observed trends, they remain proposed solutions that require further empirical validation. The findings emphasize the critical need for proactive, collaborative security practices among MSPs, clients, and regulators to manage evolving cyber threats effectively.

Graphical Abstract

1. Introduction

Managed Service Providers (MSPs) are external firms that oversee IT operations, infrastructure, and security for numerous clients using centralized systems [1]. MSPs play an increasingly critical role in the modern information technology landscape by delivering outsourced IT services such as network management, endpoint security, cloud administration, and incident response [1]. For small- and medium-sized businesses (SMBs), MSPs offer an attractive alternative to maintaining in-house IT teams, providing access to technical expertise, predictable costs, and scalable infrastructure. As digital transformation accelerates, SMBs face growing pressure to adopt complex technologies while operating under constrained budgets and limited security resources [1]. Consequently, outsourcing IT operations to MSPs has become a dominant strategy for maintaining competitiveness and operational resilience. However, the same characteristics that make MSPs appealing (centralized management, remote administrative access, and standardized tooling) also introduce unique cybersecurity challenges [2]. MSPs often manage multiple client environments simultaneously, creating shared dependencies and expanding the potential blast radius of a single compromise (Figure 1). Research has shown that their dependence on shared, operationally efficient multi-tenant environments and high-level access increases risk if those privileges are exploited [1].
While MSPs are designed to improve operational efficiency, their service models are primarily driven by uptime guarantees, service level agreements (SLAs), and rapid issue resolution. This focus on keeping systems running comes from the ‘SLA Dilemma’, where security is hard to measure, so providers prioritize uptime to avoid breaking contracts [3]. Security controls, particularly those that may disrupt availability or require additional investment, can become secondary priorities. As a result, MSP-managed organizations may experience heightened cybersecurity exposure despite outsourcing IT operations to specialized providers. Recent incident data suggest that MSP-managed SMBs are increasingly targeted not because of individual organizational weaknesses, but because of structural efficiencies that attackers can repeatedly exploit at scale [4]. Understanding these recurring attack patterns is therefore critical to improving third-party risk management and securing outsourced IT environments.

1.1. Objective

This study aims to bridge the gap between generalized cybersecurity guidance and the unique architectural risks inherent to MSP environments. The specific objectives of this research are twofold:
  • To analyze and synthesize a curated dataset of recent MSP cyberattacks (2020–2025): By utilizing an OSINT-derived, qualitative methodology, this study aims to identify and categorize a taxonomy of recurring threat vectors.
  • To recommend contextualized, MSP-specific mitigation strategies: By directly mapping observed attack patterns to actionable defensive frameworks designed to reduce the blast radius of downstream client compromise, balancing security requirements with MSP operational constraints.

1.2. Research Gap and Contribution

While cyber threats evolve at a rapid pace, peer-reviewed academic research detailing specific, modern cyberattacks, particularly those occurring between 2020 and 2025, remains sparse due to the inherent delays of the academic publishing cycle. Furthermore, corporate entities face significant incentives to suppress or underreport the technical details of cyber breaches to mitigate reputational and financial damage, avoid litigation, and reduce regulatory exposure [5,6]. Because this reporting reluctance restricts the flow of verifiable data into traditional academic channels, peer-reviewed studies often rely on older, heavily sanitized datasets. Consequently, to capture the most current threat landscape targeting managed IT infrastructure, researchers must increasingly rely on Open-Source Intelligence (OSINT) and real-time threat reporting.
Within the existing peer-reviewed literature, past studies have extensively documented the broader challenges of third-party risk management and software supply chain attacks. Foundational research has highlighted the cascading impacts of supply chain cyber vulnerabilities [7], evaluated the feasibility of detecting supply chain intrusions [8], and analyzed high-profile cases such as the SolarWinds incident [9]. Concurrently, cybersecurity literature has traced the evolution of extortion tactics from simple file encryption to double-extortion and ransomware-as-a-service (RaaS) models operating across global criminal ecosystems [10,11]. Furthermore, studies on complex IT outsourcing arrangements highlight the inherent compliance challenges and high-density attack surfaces created when organizations rely on external service providers [3,12]. This literature frequently discusses the “agency problem” in IT outsourcing, noting that a situation of information asymmetry often exists where clients (principals) struggle to verify the hidden security actions of their outsourced vendors (agents) [13,14].
However, these bodies of work share a fundamental limitation: they analyze third-party cyber risk through the lens of either traditional single-enterprise perimeter defense or generic software supply chain models. Prior studies rarely conceptualize Managed Service Providers (MSPs) as centralized administrative nodes with privileged access across dozens or hundreds of independent client organizations simultaneously. This distinction is not merely conceptual: it determines the blast radius of a single compromise and fundamentally changes the risk calculus for both service providers and their downstream clients. Consequently, generic frameworks fail to account for the unique structural risks of the modern MSP operating model; namely, the weaponization of highly privileged Remote Monitoring and Management (RMM) tools, shared multi-tenant architectures, and SLA-driven operational pressures that can systematically deprioritize security investments. This analytical lag leaves a void in the literature regarding the rapid evolution of identity-based extortion tactics currently targeting MSPs.
This paper addresses this gap through three specific contributions. First, it utilizes OSINT and a systematic thematic synthesis approach [15] to curate and analyze a dataset of MSP-targeted incidents spanning 2020 to 2025, producing a structured taxonomy of recurring attack vectors unique to MSP multi-tenant environments. Second, it explicitly connects these observed attack patterns to the structural vulnerabilities of the MSP service delivery model. Third, it translates these findings into contextualized, MSP-specific mitigation strategies that address the operational tension between security controls and SLA obligations, a dimension consistently absent from existing generic best-practice guidance.

1.3. Methodology

This study employs a qualitative thematic synthesis approach to examine cyberattack trends targeting Managed Service Providers (MSPs) between 2020 and 2025. Due to the inherent delay in traditional academic publishing and the operational secrecy surrounding corporate cyber incidents, peer-reviewed literature documenting recent, specific MSP breaches is limited. Consequently, this research relies on a systematic collection of open-source intelligence (OSINT) and industry threat intelligence reports to capture the most current threat landscape affecting MSP environments.
To ensure a structured and transparent incident selection process, a multi-stage screening protocol was developed to identify, filter, and select relevant case studies.

1.3.1. Search Strategy and Data Sources

Data collection was driven by a hybrid search strategy combining academic literature review with Open-Source Intelligence (OSINT) analysis. Academic databases (primarily Google Scholar and IEEE Xplore) were searched to identify peer-reviewed analyses of MSP vulnerabilities and third-party risk, while OSINT techniques were used to systematically identify documented cyber incidents affecting MSP infrastructure.
A systematic OSINT search was conducted across surface web indices, academic databases, and high-fidelity gray literature sources. These sources included official advisories from the Cybersecurity and Infrastructure Security Agency (CISA), national data protection authorities, CVE databases, and primary threat intelligence reports (e.g., Mandiant, Sophos, and CrowdStrike).
To systematically aggregate open-source data, the search utilized the following Boolean query structure: (“Managed Service Provider” OR “MSP” OR “IT Service Provider” OR “Remote Monitoring and Management”) AND (“Cyberattack” OR “Ransomware” OR “Data Breach” OR “Supply Chain Compromise” OR “Vulnerability” OR “Security Incident”) AND (“2020” OR “2021” OR “2022” OR “2023” OR “2024” OR “2025” OR “2026”).
To ensure evidentiary reliability, a source hierarchy was applied during data collection, mapping each source type to an evidentiary confidence rating. Very High confidence was assigned to Primary Sources (Level 1), including official vendor security advisories (e.g., Kaseya, Citrix), CISA/FBI alerts, and regulatory filings. High confidence was assigned to High-Fidelity Threat Intelligence (Level 2) from established firms (e.g., Mandiant, CrowdStrike, Sophos), used to triangulate operational details. Medium confidence was assigned to Secondary Sources (Level 3), such as cybersecurity news outlets, used for chronological context or when primary documentation was unavailable. In such cases, technical claims were explicitly labeled as suspected or unconfirmed to preserve analytical rigor. Data for the ten case studies were triangulated across these tiers to ensure technical accuracy, with specific confidence ratings for each incident documented.

1.3.2. Inclusion and Exclusion Criteria

To filter the search results, incidents were evaluated against the following strict inclusion criteria:
  • Target: The initial compromise must have directly targeted an MSP, its centralized management infrastructure (e.g., RMM, remote gateways), its hosted cloud environments, or any shared operational platform that triggered an overall cascading effect on multiple downstream clients as a direct result of the MSP breach.
  • Impact: The attack must have demonstrated a downstream impact, directly or indirectly compromising multiple MSP client organizations (specifically SMBs).
  • Timeframe: The incident must have occurred and been publicly disclosed between 2020 and 2025.
  • Data Richness: Recognizing that full technical disclosure of corporate cyber incidents is rare, incidents were included if there was sufficient actionable intelligence available across multiple sources. This required, at minimum, verifiable public reporting on the general attack vector (e.g., exploitation of a known vulnerability, credential compromise), the suspected threat actor, and a confirmed downstream operational impact.
Incidents were excluded if they targeted individual enterprises without involving an MSP intermediary, if the MSP was merely an incidental victim without downstream client impact, or if the nature of the breach remained entirely undisclosed.

1.3.3. Incident Selection and Data Extraction

To ensure a rigorous and reproducible selection process, this study employed a structured, multi-stage screening protocol. While the nature of Open-Source Intelligence (OSINT) and the fragmentation of corporate disclosures preclude a definitive census of all global incidents, this research utilized a purposive sampling strategy designed to identify information-rich cases that illustrate recurring architectural vulnerabilities.
The selection followed a three-stage funnel:
  • Identification: An initial broad-spectrum search of surface web indices, CISA advisories, and threat intelligence repositories using the Boolean strings defined in Section 1.3.1 yielded 345 unique records related to IT service provider security events between 2020 and 2025.
  • Screening: Records were screened for relevance to the MSP delivery model, resulting in the exclusion of most of these records (n = 235). Primary reasons for exclusion at this stage included duplicate reports of the same event (n = 120), “advisory-only” publications or general security tips that did not describe a specific incident (n = 85), and direct enterprise breaches where no MSP intermediary was involved (n = 30).
  • Eligibility and Final Selection: The remaining 110 candidate incidents were evaluated against the inclusion criteria (Section 1.3.2). A total of 82 incidents were excluded because they lacked sufficient technical data, such as undisclosed access vectors (n = 62), or lacked confirmed downstream impact on SMB clients (n = 20).
Of the remaining eligible pool of 28 candidates, a final cohort of 10 documented MSP cyberattacks was deliberately selected. This sample size was deemed sufficient to achieve thematic saturation, ensuring the final dataset represented a diverse cross-section of modern MSP threat vectors, including Remote Monitoring and Management (RMM) exploitation, credential-based session hijacking, and zero-day edge-device vulnerabilities across varied threat actor profiles (e.g., REvil, Akira, Space Bears).
For each of the 10 selected incidents, data were extracted using a standardized template capturing the following fields: Year, Target MSP, Primary Attack Type, Initial Access Vector/CVE, Operational Impact (Downstream Clients), Threat Actor, and Exploited MSP Architectural Trait.

1.3.4. Coding and Analysis Workflow

The identification and screening of incidents (Section 1.3.1, Section 1.3.2 and Section 1.3.3) were conducted collaboratively by two authors to ensure comprehensive search coverage. For the final cohort of 10 incidents, the same two authors independently performed the initial coding and data extraction to reduce individual analytical bias. This phase utilized open coding to categorize technical vectors and architectural vulnerabilities.
Following the independent review, the researchers met to harmonize their findings and resolve discrepancies in technical classification through a consensus-based discussion. A key part of this process involved reconciling the distinction between credential abuse (e.g., the exploitation of unsecured RDP services in the Tigo Business incident) and identity-based session hijacking (e.g., the abuse of ‘Citrix Bleed’ session tokens observed in the CTS and HTC Global Services cases). The final thematic structure and resulting taxonomy (Section 3) were then reviewed and validated by the third author. This inter-coder validation process ensured that the findings were grounded in a consistent and objective interpretation of the OSINT data.

1.3.5. Thematic Synthesis and Trend Identification

Following the selection and coding of the 10 case studies, the data were analyzed using the thematic synthesis approach defined by Thomas and Harden [15]. This process involved a structured transition from the raw technical data to the identification of systemic cybersecurity trends through three distinct analytical phases:
  • Phase 1 (Line-by-Line Coding): Building on the initial extraction in Section 1.3.4, the researchers performed a detailed review of each incident report to identify specific technical findings (e.g., “CVE-2023-4966 exploitation” or “RMM script deployment”).
  • Phase 2 (Development of Descriptive Themes): These codes were grouped into descriptive categories based on their technical commonalities, such as “Initial Access Vectors” and “Downstream Impacts.”
  • Phase 3 (Generation of Analytical Themes): In the final stage, the researchers moved beyond the descriptive data to infer the broader “Analytical Themes” that characterize the modern MSP threat landscape. This led to the synthesis of the four dominant trends detailed in Section 3 and further contextualized in Section 4: (1) Exploitation of Centralized Management Infrastructure, (2) Abuse of Privileged Access and Identity Mechanisms, (3) Multi-Tenant Architectures and Cascading Failure, and (4) Ransomware as the Dominant Attack Outcome.
This approach allowed the study to bridge the gap between specific technical failures and the structural vulnerabilities inherent in the MSP service delivery model. While the analyzed incidents do not represent the entire population of cyberattacks, this synthesis provides the technical depth required to enable a meaningful qualitative comparison of recurring attack mechanisms.

2. Case Studies of Recent MSP Managed Attacks (2020–2025)

Between 2020 and 2025, several high-profile cyberattacks demonstrated how MSPs have become attractive targets for threat actors seeking to maximize operational impact through a single point of compromise. These incidents illustrate how attackers exploit centralized management platforms, multi-tenant architectures, and elevated administrative privileges inherent to MSP operating models to gain access to multiple downstream client environments simultaneously. Rather than targeting individual organizations in isolation, adversaries increasingly leverage MSP infrastructure as a force multiplier, enabling large-scale disruption across numerous client networks, including small- and medium-sized businesses (SMBs).

2.1. Cognizant Maze Ransomware Attack

In April 2020, multinational IT services provider Cognizant confirmed that a security incident affecting its internal systems resulted in service disruptions for multiple clients, identifying the cause as a Maze ransomware attack [16,17]. The company disclosed that its internal security teams, supported by external cyber defense firms, were actively working to contain the incident and had engaged law enforcement authorities as part of the response effort [16,17].
Cognizant began notifying clients by email and provided a preliminary list of Indicators of Compromise (IOCs), enabling affected organizations to monitor their own environments and take defensive actions [16,17,18]. Security researchers reported that the attackers likely maintained persistent access within Cognizant’s network for weeks, during which time they moved laterally, harvested administrator credentials, and potentially exfiltrated sensitive data prior to encryption [18]. Although the Maze ransomware group publicly denied responsibility, forensic evidence strongly suggested Maze involvement, including YARA rules, IP addresses, and file extensions consistent with known Maze campaigns [18]. Such public denials are not uncommon in ransomware operations and do not necessarily contradict technical attribution based on tooling, infrastructure, and behavioral indicators. Maze ransomware is notable for employing double extortion tactics, combining file encryption with the theft and threat of public disclosure of stolen data if ransom demands are not met [17,18].
Given Cognizant’s role as a global managed IT and professional services provider serving clients in over 80 countries, the incident highlighted the systemic risk posed by ransomware attacks on MSPs, where disruption to a single provider can cascade across numerous downstream organizations [17]. The attack underscored how MSPs’ centralized access, privileged credentials, and operational dependency make them high-value targets for sophisticated ransomware groups [17,18].

2.2. REvil MSP Supply Chain Ransomware Attack

In July 2021, the REvil ransomware group executed a widespread supply chain attack by exploiting previously unknown vulnerabilities in Kaseya’s Virtual System Administrator (VSA) platform [19]. This attack primarily targeted MSPs that utilized Kaseya VSA to remotely monitor and manage client networks, allowing the attackers to propagate ransomware to downstream organizations [19,20]. These occurrences highlight a breakdown in ‘Complex Outsourcing Relationships’, where the interconnectedness of service delivery tools results in a high-density attack surface that conventional boundary-focused security measures are unable to safeguard [12].
The breach began when the attackers leveraged zero-day flaws in Kaseya VSA servers to gain unauthorized administrative access. This allowed them to bypass authentication controls and deploy malicious scripts through the platform’s management automation features. The malware was then distributed rapidly to MSP clients, encrypting files across hundreds of systems in multiple sectors. Several MSPs were significantly affected, including Fleming IT, ConnectWise MSPs, and other regional service providers. Through these compromised MSPs, the ransomware reached their respective clients, amplifying the scope of disruption. Organizations impacted ranged from small businesses to medium enterprises, many of which experienced immediate operational downtime, encrypted critical data, and the disabling of backup recovery features [19,21].
The ransomware, identified as part of the REvil family, encrypted systems and demanded payment to restore access. Investigations revealed that Kaseya had previously been notified of the vulnerabilities under a coordinated disclosure process, but patches were not yet deployed when the attackers exploited the window. REvil’s operation demonstrated the high-risk potential of centralized IT management tools as vectors for cascading ransomware attacks [19].
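The Kaseya case turns on one property of RMM platforms: a single automation job can fan out to every managed tenant at once. A defender can watch for exactly that shape in the RMM audit trail. The following is an added example, not code from the paper or from Kaseya; the audit-log line format, field names, tenant names and thresholds are all constructed for illustration. It flags any (operator, script) pair that reaches more than a set number of distinct tenants inside a sliding time window, which is the signature of a mass push whether it is a legitimate patch cycle or an abused automation feature.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RMM audit events (a made-up layout, not Kaseya VSA's
# own log format). One record per script push to one tenant.
SAMPLE_EVENTS = [
    "2021-07-02T14:01:05Z op=svc_automation tenant=acme script=patch_q3.ps1",
    "2021-07-02T14:01:09Z op=svc_automation tenant=bluecorp script=patch_q3.ps1",
    "2021-07-02T14:01:12Z op=svc_automation tenant=cityclinic script=patch_q3.ps1",
    "2021-07-02T14:01:20Z op=svc_automation tenant=dentalplus script=patch_q3.ps1",
    "2021-07-02T14:01:31Z op=svc_automation tenant=eastlaw script=patch_q3.ps1",
    "2021-07-02T09:15:00Z op=jsmith tenant=acme script=disk_cleanup.ps1",
    "2021-07-02T11:40:00Z op=jsmith tenant=bluecorp script=disk_cleanup.ps1",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_fan_out(lines, max_tenants=3, window=timedelta(minutes=10)):
    """Return one alert per (operator, script) pair that touches more than
    max_tenants distinct tenants within any window-sized span of time.

    Events are grouped per pair and scanned with a sliding window so that a
    slow, spread-out deployment over a working day does not trigger, while a
    burst across many tenants in minutes does.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["op"], e["script"])].append(e)

    alerts = []
    for (op, script), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            tenants = {e["tenant"] for e in evs[start:end + 1]}
            if len(tenants) > max_tenants:
                alerts.append({
                    "op": op,
                    "script": script,
                    "tenants": sorted(tenants),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"{a['op']} pushed {a['script']} to {len(a['tenants'])} tenants "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The threshold and window are policy choices: an MSP that legitimately patches fifty tenants in a maintenance window should pair this rule with a change-ticket lookup or a maintenance-window allowlist rather than lowering the sensitivity, because the abuse case in the Kaseya incident looked identical to routine automation at the log level.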

2.3. NetStandard MSP Cyberattack

In July 2022, NetStandard, a Kansas-based managed service provider (MSP), experienced a cyberattack that forced the shutdown of its MyAppsAnywhere cloud environment, which hosted Microsoft Exchange, SharePoint, Dynamics GP, CRM, and related services for multiple client organizations [22,23]. The attack was first identified at approximately 11:30 a.m. CDT on 26 July 2022, after NetStandard detected suspicious activity within the MyAppsAnywhere environment and initiated incident response procedures to isolate the threat and prevent lateral spread [22,23].
As a result, hosted services were taken offline, customer access was disrupted, and NetStandard’s public website also became temporarily unavailable, indicating broader operational impact beyond the hosted application environment [22,23]. Although NetStandard did not publicly disclose technical details, security researchers suggested the attack vector may have involved exploitation of a remote code execution (RCE) vulnerability in unpatched Microsoft Exchange servers, potentially including CVE-2021-31206 [24]. As NetStandard did not issue a detailed technical post-mortem, this specific access vector remains unconfirmed and is included as supplementary context based on the consistent industry reporting.
The attack was suspected to be ransomware related, consistent with prior campaigns targeting MSPs to gain centralized access to multiple downstream client networks through shared infrastructure and privileged administrative control [23]. NetStandard engaged its cyber insurance provider and a third-party incident response firm, hosted recurring customer briefings, and coordinated recovery efforts while services remained offline [22,23].

2.4. Lumen Technologies Cyberattacks

In March 2023, Lumen Technologies, a global telecommunications and managed services provider, publicly reported two distinct cybersecurity incidents that affected separate portions of its infrastructure [25]. Although the attacks were limited in scope, they demonstrated how even segmented service environments within large service providers can be exposed to targeted intrusions.
The first incident involved the deployment of ransomware on a restricted set of servers supporting a segmented hosting platform. This environment served a limited number of enterprise customers, and the attack resulted in reduced performance and temporary service degradation for those clients. Lumen indicated that the affected systems were isolated from its broader network, which helped prevent widespread disruption. While operational impacts were observed, the company stated that the incident was not expected to materially affect long-term service delivery or overall business performance [25,26].
In parallel, Lumen identified a separate intrusion involving unauthorized access to portions of its internal IT environment. In this case, the attacker engaged in exploratory activity, including system reconnaissance and the installation of malicious software, before extracting a small volume of data. The discovery of this intrusion was attributed in part to recently deployed security monitoring enhancements, which enabled the organization to detect anomalous behavior within its internal systems [25,26].
Following the identification of both incidents, Lumen initiated containment and recovery procedures, engaging external digital forensics specialists and coordinating with law enforcement and regulatory authorities. Affected customers were notified, and continuity measures were activated to restore the impacted services. Investigations were launched to assess the technical and operational consequences of each attack, as well as to strengthen defensive controls across the organization’s infrastructure [26].

2.5. CTS Cyber Attack

In November 2023, CTS, a UK-based managed service provider specializing in IT services for the legal sector, experienced a significant cybersecurity incident that disrupted operations across a large number of its client organizations. As CTS delivers centralized IT and case management services to law firms, the attack resulted in widespread service outages that affected day-to-day legal operations, including delays in legal transactions and property sales [25].
Public reporting indicated that the intrusion was linked to the exploitation of CVE-2023-4966, commonly referred to as Citrix Bleed [25,27,28]. This vulnerability affects Citrix NetScaler application delivery controllers and gateways and arises from a flaw in session management within the web-based administrative interface. By abusing this weakness, attackers can maintain authenticated sessions without valid credentials, effectively bypassing authentication controls, including multi-factor authentication. Once access is obtained, adversaries are able to escalate privileges, move laterally within the environment, and potentially deploy ransomware or exfiltrate sensitive data [29].
The CTS incident demonstrated how vulnerabilities in widely deployed remote access and management technologies can have cascading effects in MSP-managed environments. Because CTS supported a multi-tenant client base, the compromise of its infrastructure had downstream consequences for a large number of law firms simultaneously. Estimates from industry and media sources suggested that between 80 and 200 legal organizations were impacted, underscoring the scale amplification effect inherent in MSP targeted attacks [30].
Following the attack, CTS initiated incident response procedures and engaged an external cyber forensics firm to investigate the breach and assist with recovery efforts. While the company communicated regularly with affected clients, it was unable to provide a definitive timeline for full service restoration during the initial stages of the incident. The breach was also reported to the UK Information Commissioner’s Office (ICO), reflecting potential regulatory and data protection implications [30].

2.6. HTC Global Services Data Breach

In December 2023, HTC Global Services, a global provider of IT services and business consulting, disclosed a cybersecurity incident following public claims by the ALPHV (BlackCat) ransomware group that it had accessed and exfiltrated company data. The disclosure came after the threat actors released samples of information they alleged were obtained from HTC’s internal systems, drawing attention to a potential compromise of the organization’s infrastructure [25].
The data associated with the incident reportedly included personal identification documents, internal emails, contact records, and confidential corporate files. The public release of this material indicated that the intrusion involved data exfiltration, consistent with extortion-focused ransomware activity. At the time of disclosure, HTC stated that the incident was under investigation and that the specific attack vector had not yet been definitively confirmed [25].
Initial reporting suggested that the compromise may have involved exploitation of the Citrix NetScaler vulnerability known as Citrix Bleed (CVE-2023-4966) [27,28]. This flaw enables attackers to hijack active user sessions by manipulating session handling within Citrix application delivery infrastructure, allowing unauthorized access without valid credentials. Such access can facilitate credential harvesting, lateral movement, and prolonged persistence within enterprise networks. In this case, the affected system was believed to be a Citrix NetScaler device associated with HTC’s CareTech business unit [29].
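Both the CTS case (Section 2.5) and the HTC case above describe the same failure mode: a session token that stays valid without the credentials or MFA that should have produced it. The gateway cannot tell a hijacked session from a legitimate one, but its logs can, because a hijacked token shows up either with no login event behind it or from a source that never authenticated. The following is an added example, not code from the paper or from Citrix; the log format, field names, session identifiers and IP addresses (RFC 5737 documentation ranges) are constructed. It audits a gateway session log for those two indicators and then pivots on the source address to show which users a single suspicious origin touched.

```python
from collections import defaultdict
from datetime import datetime

# Constructed gateway session-log lines (a made-up layout for this example,
# not Citrix NetScaler's own log format). AUTH_SUCCESS binds a session id to
# the source that logged in; REQUEST records later use of that session id.
SAMPLE_LOG = [
    "2023-11-20T08:00:01Z event=AUTH_SUCCESS user=alice sid=S1 src=203.0.113.10 mfa=yes",
    "2023-11-20T08:05:10Z event=REQUEST user=alice sid=S1 src=203.0.113.10",
    "2023-11-20T08:30:44Z event=REQUEST user=alice sid=S1 src=198.51.100.77",
    "2023-11-20T09:00:00Z event=AUTH_SUCCESS user=bob sid=S2 src=192.0.2.5 mfa=yes",
    "2023-11-20T09:01:00Z event=REQUEST user=bob sid=S2 src=192.0.2.5",
    "2023-11-20T09:02:00Z event=REQUEST user=carol sid=S3 src=198.51.100.77",
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit_sessions(lines):
    """Return findings for two session-hijack indicators, in time order:

    NO_AUTH_SEEN  a session id served requests but no login for it was logged
                  (a token that exists without a credential/MFA event behind it)
    NEW_ORIGIN    a session id used from a source other than the one that
                  authenticated it
    Each (session, indicator) pair is reported once.
    """
    origin = {}         # sid -> src that authenticated it
    flagged = set()
    findings = []
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        sid, src = rec["sid"], rec["src"]
        if rec["event"] == "AUTH_SUCCESS":
            origin[sid] = src
            continue
        if rec["event"] != "REQUEST":
            continue
        if sid not in origin:
            indicator = "NO_AUTH_SEEN"
        elif origin[sid] != src:
            indicator = "NEW_ORIGIN"
        else:
            continue
        if (sid, indicator) not in flagged:
            flagged.add((sid, indicator))
            findings.append({"sid": sid, "user": rec["user"], "src": src,
                             "indicator": indicator, "ts": rec["ts"]})
    return findings


def suspect_sources(findings):
    """Group findings by source address: one origin hitting several users'
    sessions is a stronger signal than any single finding."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f["src"]].add(f["user"])
    return dict(by_src)


if __name__ == "__main__":
    found = audit_sessions(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%H:%M:%S} {f['indicator']:<13} sid={f['sid']} "
              f"user={f['user']} src={f['src']}")
    for src, users in suspect_sources(found).items():
        print(f"{src} touched sessions of: {', '.join(sorted(users))}")
```

NEW_ORIGIN will also fire for users roaming between networks or behind changing NAT addresses, so in practice it is a triage signal to be weighed alongside device posture and geolocation rather than an automatic block; NO_AUTH_SEEN is the more specific of the two, and it only works if authentication events and request events are logged to the same place with the same session identifier, which is the logging prerequisite the CTS and HTC cases argue for.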
The attack was attributed to the ALPHV ransomware group, also referred to as BlackCat, which has been active since 2021 and is widely considered a continuation of earlier ransomware operations such as DarkSide and BlackMatter. The group operates using a ransomware-as-a-service model and is known for combining data theft with encryption and extortion. Despite prior law enforcement disruptions, ALPHV has continued to claim responsibility for attacks targeting large, globally distributed organizations [31].

2.7. Südwestfalen IT Ransomware Attack

In October 2023, Südwestfalen IT, a regional information technology provider serving municipal administrations in western Germany, was impacted by a ransomware incident that disrupted digital services across dozens of local governments. The organization supports more than seventy municipalities, and the attack resulted in extensive service interruptions that affected both internal administrative functions and citizen-facing platforms [25].
Following the compromise, Südwestfalen IT reported that critical systems had been rendered inaccessible after servers within its infrastructure were encrypted. To limit further spread of the malware, connections between the provider’s data centers and municipal networks were severed. This containment measure led to widespread outages, leaving many town halls without access to core applications, websites, email systems, and telephony services. As a result, local administrations were forced to suspend online services and, in some cases, cancel scheduled appointments with residents [32].
Investigations linked the attack to the Akira ransomware group, which has been associated with similar operations against public sector organizations [33]. In response, Südwestfalen IT initiated a coordinated incident response effort that included forensic examinations of affected systems and a structured assessment of customer environments. Restoration activities focused first on essential municipal functions, though officials indicated that complete service recovery would take considerable time. Interim solutions were expected to be deployed gradually to restore limited operational capacity [25,32].
The consequences of the attack were intensified by its timing, as it occurred near the end of the month when municipal administrations typically process financial transactions. This raised concerns regarding potential delays to payroll operations, social benefit distributions, and other public payments. German cybersecurity authorities and law enforcement agencies were notified and began parallel investigations to evaluate the scope of the incident and determine accountability [25,32].

2.8. Tietoevry Ransomware Attack

In January 2024, Tietoevry, a major Nordic provider of IT, cloud, and managed services, experienced a ransomware incident that disrupted services delivered from one of its data centers in Sweden. Although the attack was technically confined to a single facility, the consequences were widespread due to Tietoevry’s role as a critical service provider for public sector and enterprise customers across Sweden [25]. The incident occurred during the night of 19–20 January and was later attributed to the Akira ransomware group, a threat actor known for targeting managed service providers and enterprise infrastructure. The compromised environment supported multiple customer-facing platforms, including systems used by government agencies, universities, healthcare entities, and private sector organizations. One of the most significantly affected services was Primula, a payroll and human resources platform relied upon by Swedish universities and numerous government authorities, illustrating how dependencies on shared MSP infrastructure can magnify the impact of a single attack [34].
Tietoevry responded by isolating the affected systems to prevent further spread and confirmed that other parts of its infrastructure remained operational. However, despite containment efforts, many customer services experienced prolonged outages. Public reporting indicated disruptions across diverse sectors, including public administration, healthcare, finance, retail, and entertainment, emphasizing the cross-sector risk posed by MSP-targeted ransomware incidents [34].
The attack formed part of a broader trend of Akira ransomware activity observed in Finland and neighboring regions throughout 2023 and into early 2024. This pattern suggests an increased strategic focus by ransomware groups on MSPs and shared service providers, where a single compromise can affect dozens of downstream organizations simultaneously [33].

2.9. Tigo Business Attack

In January 2024, Tigo Business, a major telecommunications and cloud service provider in Paraguay, experienced a large-scale ransomware incident that resulted in significant disruption to its managed services infrastructure. The attack led to the encryption of approximately 300–330 servers within Tigo’s data center environment, causing widespread service outages for more than 300 downstream client organizations that relied on Tigo for web hosting, cloud storage, and related managed services [19]. As a result, affected clients reported loss of access to websites, email services, backups, and business-critical data [19].
The attack was attributed by multiple cybersecurity observers and local media reports to the Black Hunt ransomware group, an actor that emerged in late 2022 and has primarily targeted organizations in South America. Black Hunt is known for conducting ransomware campaigns following initial network compromise and for threatening to exfiltrate and sell victim data on underground markets. While Tigo publicly disputed attribution to the Black Hunt group and stated that consumer-facing services were not affected, independent cybersecurity experts and affected clients reported characteristics consistent with Black Hunt’s known tactics [35].
Available reporting indicates that the initial access vector for the attack involved exposed or unsecured Remote Desktop Protocol (RDP) services. Following access, the attackers executed a series of actions consistent with ransomware deployment, including clearing Windows event logs, deleting Volume Shadow Copy Service (VSS) snapshots, disabling system restore functionality, and terminating endpoint protection services such as Microsoft Defender. These actions were performed to impede detection, hinder recovery efforts, and increase pressure on victims to pay ransom demands [19]. In the absence of a formal forensic disclosure from Tigo, the RDP-based entry mechanism remains unconfirmed and is included on the basis of consistent secondary reporting.
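The host-level actions listed above (log clearing, shadow-copy deletion, disabling recovery, tampering with endpoint protection) are also a detection opportunity, because each leaves a distinctive Windows event before encryption begins. The following is an added example written for this discussion, not code from the original study or from Tigo: it scans constructed Windows event records (event IDs 1102 and 104 for cleared logs, 4688 for process creation with command-line auditing enabled) for the patterns described and flags any host that shows more than one technique. The event records, host names and threshold are constructed for illustration.

```python
"""Flag ransomware pre-encryption activity in Windows event records (added example)."""
import re
from dataclasses import dataclass

# 1102 = Security log cleared, 104 = System log cleared, 4688 = process creation.
LOG_CLEARED_IDS = {104, 1102}

# Command-line patterns matched against 4688 records: (technique label, regex).
COMMAND_PATTERNS = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                r"Get-WmiObject\s+Win32_ShadowCopy.*Delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("defender_tampering",
     re.compile(r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+(stop|config)\s+WinDefend|"
                r"taskkill.*\s/im\s+MsMpEng\.exe", re.I)),
]


@dataclass
class Event:
    host: str
    event_id: int
    command_line: str = ""


@dataclass
class Finding:
    host: str
    technique: str
    evidence: str


def analyze(events):
    """Return one Finding per matching event; a 4688 record yields at most one technique."""
    findings = []
    for ev in events:
        if ev.event_id in LOG_CLEARED_IDS:
            findings.append(Finding(ev.host, "log_cleared", f"event {ev.event_id}"))
            continue
        if ev.event_id == 4688:
            for label, pattern in COMMAND_PATTERNS:
                if pattern.search(ev.command_line):
                    findings.append(Finding(ev.host, label, ev.command_line.strip()))
                    break
    return findings


def hosts_at_risk(findings, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques: likely pre-encryption stage.
    A single shadow-copy deletion can be legitimate maintenance; several techniques together rarely are."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techniques in by_host.items() if len(techniques) >= min_techniques)


# Constructed sample records (not real telemetry from any incident).
SAMPLE_EVENTS = [
    Event("FS01", 4688, 'C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet'),
    Event("FS01", 4688, 'bcdedit.exe /set {default} recoveryenabled no'),
    Event("FS01", 4688, 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event("FS01", 1102, ""),
    Event("WEB02", 4688, 'C:\\Windows\\System32\\notepad.exe report.txt'),
    Event("WEB02", 4688, 'wmic shadowcopy delete'),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.technique:22} {f.evidence}")
    print("hosts at risk:", hosts_at_risk(found))
```

In production the same rules would be fed from Sysmon event 1 or Security event 4688 with command-line auditing enabled; without that audit setting, the 4688 records carry no command line and only the log-cleared events remain detectable.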

2.10. Vertel Managed Service Provider Ransomware Attack

In June 2025, Vertel, an Australian-based managed service provider delivering ICT and telecommunications services, confirmed it was the victim of a ransomware attack conducted by the Space Bears ransomware group. The incident was publicly disclosed on 18 June 2025 after Vertel was listed on the group’s ransomware leak site, where the attackers claimed to have exfiltrated SQL databases, client personal data, and financial documents [36].
Vertel began responding to the incident on 13 June 2025 and engaged external cybersecurity firms, including CyberCX and Atmos, to support forensic investigation and containment efforts. The company also coordinated with relevant government authorities to determine the scope and nature of the breach, including whether sensitive client data had been accessed or stolen. Vertel stated that its core service delivery remained operational, and that affected customers would be notified directly as the investigation progressed [36,37].
While Vertel did not publicly disclose the initial access vector, the attack followed a pattern consistent with credential-based compromise or exploitation of externally exposed remote access services, which are common entry points in MSP-targeted ransomware campaigns. Following initial access, the attackers reportedly conducted data exfiltration prior to encryption, consistent with double extortion ransomware tactics. Space Bears threatened to publish the stolen data by the end of June if ransom demands were not met [37]. Because this was a mid-2025 incident, full forensic details were still emerging at the time of writing; its inclusion therefore serves as a preliminary, forward-looking observation of the ongoing trajectory of MSP-targeted extortion.

3. Findings/Trend Synthesis

The thematic synthesis of the 10 purposively selected MSP incidents (2020–2025) reveals a clear and sustained shift in attacker focus on service providers as high-impact compromise points. MSPs often operate under a principal–agent problem, prioritizing uptime and Service Level Agreements (SLAs) while neglecting less visible security measures [13]. By cross-analyzing the extracted data fields from Table 1, recurring technical, organizational, and architectural weaknesses emerged. These observations have been synthesized into four dominant attack patterns and systemic risk factors.
Quantitatively, the synthesis of the curated dataset (Table 1) reveals that ransomware, or extortion, was the primary objective in 90% (9 of 10) of the incidents. Furthermore, the exploitation of remote access gateways or unpatched edge devices served as the initial access vector in at least 40% of the confirmed cases, while 100% of the selected incidents resulted in a multi-tenant blast radius affecting downstream SMBs.
In all case studies, threat actors demonstrated an understanding of MSP operating models and systematically exploited the structural characteristics that allow MSPs to deliver services at scale. These characteristics, centralized administration, shared infrastructure, and elevated privileges, consistently translated into amplified attack impact when abused. These findings directly address the first objective by highlighting recurring attack patterns and exploited vulnerabilities in MSP-managed environments.

3.1. Exploitation of Centralized Management Infrastructure

A recurring finding across all analyzed incidents is the targeting of centralized management platforms that provide MSPs with broad control over client environments. This pattern was observed across diverse incidents, including Kaseya VSA, CTS, HTC Global Services, and Tietoevry, where trusted administrative platforms or shared service infrastructure became the conduit through which a single compromise reached downstream tenants; in the Kaseya case, the management platform itself was turned into a high-speed ransomware distribution mechanism. Technologies such as remote access gateways, remote monitoring and management (RMM) tools, and application delivery controllers served as frequent entry points for attackers. Vulnerabilities in these systems, including zero-day flaws and session handling weaknesses, enabled adversaries to bypass authentication controls and gain persistent access to MSP environments.
Once compromised, these platforms were used as distribution mechanisms rather than merely access points. Attackers leveraged legitimate administrative features to deploy ransomware, execute scripts, and propagate malicious payloads across multiple tenants simultaneously. This pattern was particularly evident in supply chain attacks, where trusted software update or automation functions were repurposed for malicious activity.

3.2. Abuse of Privileged Access and Identity Mechanisms

In MSP contexts, identity compromise effectively collapses network segmentation boundaries, converting what would otherwise be a localized breach into a systemic, multi-organization exposure. The case studies also highlight consistent abuse of identity and access management weaknesses within MSP ecosystems. Attackers frequently relied on compromised credentials, session hijacking, or inadequate enforcement of multi-factor authentication to obtain administrative access. In several incidents, valid authenticated sessions were exploited to maintain persistence without triggering security controls.
Because MSP administrative accounts typically possess elevated privileges across numerous client networks, credential compromise resulted in immediate, wide-ranging exposure. This finding underscores the disproportionate risk associated with identity failures in MSP environments compared to single organization breaches.

3.3. Multi-Tenant Architectures and Cascading Failure

Another prominent trend is the cascading impact caused by multi-tenant MSP architecture. For MSPs, these cascading failures are especially serious because their networks connect multiple client subnets, so a breach in the provider’s network can quickly spread harmful effects to many clients [39]. Unlike traditional enterprise breaches, where impact is largely confined to a single organizational boundary, MSP incidents exhibit nonlinear escalation, where the failure of shared infrastructure simultaneously disrupts dozens or hundreds of independent entities. In each incident, compromise of shared infrastructure led to simultaneous disruption across many downstream organizations. Even when attacks were technically isolated to a single data center or service segment, service dependencies resulted in widespread outages affecting diverse sectors, including legal services, public administration, healthcare, education, and telecommunications.
Small- and medium-sized businesses were particularly affected, as many relied entirely on MSP-managed platforms for core operations. The inability of downstream clients to operate independently during MSP outages significantly magnified the business and societal impact of each incident.

3.4. Ransomware as the Dominant Attack Outcome

From an adversarial perspective, MSPs offer an asymmetric advantage, enabling attackers to maximize financial and operational leverage while minimizing initial access effort. Ransomware was the primary end goal in nearly all analyzed attacks. Threat actors combined encryption with data exfiltration and extortion tactics, increasing leverage over both MSPs and their clients. The use of automation, rapid deployment, and defensive evasion techniques such as disabling backups and security tools was consistent across cases, reflecting a high level of operational maturity. These findings indicate that ransomware groups increasingly view MSPs as strategic targets that maximize return on investment by enabling one-to-many victimization. This finding is further supported by the CrowdStrike State of Ransomware Survey 2025, which reveals a significant gap between perceived and actual ransomware readiness: 78% of organizations were attacked last year despite half feeling “very prepared,” and most experienced slow recovery or data loss. The survey emphasizes that paying ransoms often fails, repeat attacks are common, and evolving AI-driven threats demand modern protection and improved preparedness strategies [40].
Taken together, these findings demonstrate that MSP-targeted attacks represent a distinct threat category rather than a variation on traditional enterprise breaches. The combination of centralized control, privileged access, and client dependency transforms MSP incidents into systemic events with economic, operational, and societal consequences. Addressing this risk requires security models that prioritize identity hardening, tenant isolation, and resilience by design rather than perimeter-focused defenses.

4. Discussion

4.1. Observed Trends and Risk Factors

Evolution of the Threat Landscape: While Managed Service Providers (MSPs) have been targeted by sophisticated actors prior to 2020, the period of 2020–2025 marks a distinct shift in the democratization and scale of these threats. In the pre-2020 era, large-scale multi-tenant compromises, such as the “Cloud Hopper” campaign documented by the Australian Cyber Security Centre (ACSC), were primarily the domain of advanced persistent threats (APTs) focused on long-term espionage [41]. However, the current landscape is characterized by the widespread adoption of Ransomware-as-a-Service (RaaS) and the systematic weaponization of RMM tools by financially motivated cybercriminals [1]. This has resulted in an increased frequency of “one-to-many” attacks targeting small- and medium-sized businesses (SMBs). A comprehensive longitudinal study comparing specific pre- and post-2020 datasets is beyond the current scope of this research; however, such a historical comparison represents a valuable future research direction. This shift toward professionalized, high-impact operations is reflected in the latest industry metrics.
The 2025 Verizon Data Breach Investigations Report finds attackers growing more efficient, with threats increasing across all fronts. Ransomware now appears in 44% of breaches, disproportionately impacting small and mid-sized businesses, while third-party involvement doubled to 30%, exposing growing supply chain risk. Exploitation of edge devices and VPN vulnerabilities surged and nearly matched credential abuse as the top initial access vector, reflecting attackers’ focus on high-impact entry points. Human involvement remains a major factor in 60% of breaches through phishing, social engineering, and errors, increasingly enhanced by AI-assisted attacks. At the same time, espionage-motivated breaches rose significantly, driven by geopolitical tensions, while slow patching and delayed remediation of leaked secrets continue to give attackers a wider window of opportunity, reinforcing the need for stronger vulnerability management, access control, and third-party security practices [42].
The Sophos Annual Threat Report 2025 highlights that small and mid-sized businesses remain prime targets for cybercrime, with ransomware, compromised network edge devices, and business email compromise as the leading threats. Remote ransomware attacks, MFA phishing, social engineering, and evolving malware techniques are increasingly common, while adversaries exploit unpatched or misconfigured systems, including VPNs and firewalls. Emerging tactics involve AI-generated phishing, QR code attacks (“quishing”), and tools designed to bypass endpoint security. The report emphasizes defense in depth strategies: patching edge devices, deploying endpoint protection, using multi-factor authentication or passkeys, monitoring identity threats, and leveraging external audits to reduce exposure [43].
Narrowing down to MSPs, Huntress reports that 90% experienced at least one cybersecurity incident in the past year, underscoring how MSPs have become high-value targets due to their privileged access across multiple client environments. The sharp rise in ransomware activity further reinforces the need for MSPs to adopt proactive defenses, such as managed SOC services, continuous monitoring, and advanced threat detection, to minimize risk and limit blast radius [44].
The observed trends suggest that MSP-targeted attacks represent a structural evolution in cybercrime rather than isolated incidents. These industry-wide trends directly reinforce the patterns identified in Section 3, particularly the rise in MSPs as high-impact compromise points. By shifting focus from individual organizations to service providers, threat actors can exploit trust relationships and architectural centralization inherent in modern IT service delivery models. This approach reduces attacker effort while significantly increasing operational disruption.
The reliance on legitimate administrative tools and trusted management channels complicates detection and response efforts. Traditional perimeter-based defenses are less effective in MSP environments where attackers operate from within authenticated contexts. As a result, many intrusions progressed rapidly from initial access to full-service disruption before defenders could intervene.
The findings also highlight a growing asymmetry of risk for SMBs. While MSPs consolidate security management for efficiency and cost reduction, SMBs often lack visibility into MSP security practices and have limited ability to influence defensive controls. This gap is recognized as the ‘agency problem’ in IT outsourcing: because the client (principal) finds it difficult to verify the ‘hidden actions’ of the MSP (agent), an information asymmetry exists that tends to prioritize operational speed over thorough security checks [14]. This dependency creates a single point of failure where MSP compromise directly translates into widespread downstream impact.
Additionally, the repeated exploitation of known vulnerabilities and identity weaknesses indicates that technical flaws alone are not the sole driver of risk. Operational factors, including delayed patching, inconsistent MFA enforcement, and insufficient segmentation between client environments contribute significantly to attack success.
From a strategic perspective, the convergence of ransomware operations and supply chain compromise suggests that future attacks will increasingly target platforms responsible for identity management, cloud orchestration, and security tooling. As MSPs expand their role within client environments, the potential blast radius of a single breach continues to grow. These trends emphasize the need for proactive mitigation strategies, including zero-trust principles, continuous monitoring, and tenant isolation to manage emerging risks in MSP environments.

4.2. Mitigation Strategies for MSPs

Given the increasing frequency and sophistication of cyberattacks targeting Managed Service Providers and their downstream clients, implementing comprehensive mitigation strategies is essential to reduce operational disruption, safeguard sensitive data, and maintain trust. The following strategies combine technical, operational, and strategic measures, addressing both historical attack vectors and the systemic vulnerabilities inherent in MSP client relationships (Table 2).
Barriers to Adoption: While the technical controls outlined in this section are highly effective, small- and mid-sized MSPs face significant operational barriers to implementation. A primary challenge is the “SLA Dilemma,” where reconciling stringent security controls with guaranteed uptime remains difficult under existing contracts. Furthermore, deploying advanced architectures like Zero Trust across dozens of disparate SMB clients requires substantial financial investment and mature security personnel that many smaller providers currently lack. Consequently, the following strategies should be viewed as an ideal defensive roadmap that may require phased implementation.

4.2.1. Zero-Trust Architecture

Zero-Trust Architecture (ZTA) is a security framework that assumes no implicit trust for any user, device, or application and enforces continuous, context-aware authentication and authorization for every access request, regardless of network location [45]. Zero-Trust Architecture emerged in response to the limitations of traditional perimeter-based security models, which assume that internal networks and authenticated users are inherently trustworthy. Early trust evaluation frameworks and perimeter defenses failed to prevent lateral movement once an attacker gained initial access, a weakness increasingly exploited in modern cyberattacks. Zero trust addresses this gap by treating all network interactions as potentially hostile and by enforcing access decisions based on continuous verification of identity, device posture, and contextual risk rather than network location alone. Standardized guidance, most notably NIST Special Publication 800-207 [46], formalizes zero trust around dynamic policy enforcement, per-session access decisions, and continuous monitoring of users, devices, and services across environments [47].
Implementing a zero-trust model ensures strict verification for all users, devices, and applications, enforcing least-privilege access across internal and client-facing systems. This approach reduces the risk of lateral movement and limits potential damage if credentials are compromised. In high-profile MSP breaches such as the 2021 Kaseya ransomware attack, zero-trust principles could have contained the spread of malware across multiple client networks. For MSPs, scaling Zero Trust across dozens of downstream SMBs requires implementing strict Identity-Aware Proxies (IAPs) and micro-segmentation at the tenant level. Rather than trusting the MSP’s centralized RMM tool by default, a Zero-Trust approach forces the RMM agent to continuously re-authenticate and verify its device posture before executing administrative scripts on a client’s endpoint.

4.2.2. Multi-Factor Authentication (MFA) and Privileged Access Management (PAM)

Multi-Factor Authentication (MFA) is an identity verification mechanism that requires users to present two or more independent authentication factors, such as something they know, something they have, or something they are, before access is granted [48]. By reducing reliance on single-factor credentials, MFA significantly limits the effectiveness of credential theft techniques commonly used in phishing, brute force, and credential stuffing attacks [48]. Privileged Access Management (PAM) complements MFA by controlling, monitoring, and auditing access to high-value systems and administrative accounts. PAM solutions are designed to manage privileged credentials through capabilities such as password vaulting, secrets management, and privileged session monitoring, ensuring that elevated access is granted only when necessary and is fully auditable [49]. By enforcing least privilege principles, credential rotation, and session oversight, PAM reduces the risk associated with long-lived administrative credentials and insider misuse [49].
Enforcing MFA for all administrative and client accounts, coupled with regular audits and control of privileged access, strengthens identity security and significantly reduces the likelihood of credential abuse. Past incidents, including VPN and email compromise attacks, demonstrate that weak or single-factor authentication often enables rapid attacker access. Within MSP environments, where centralized management platforms and shared administrative accounts are common, the combination of MFA and PAM can directly mitigate these entry points by limiting unauthorized access, constraining attacker privileges, and providing visibility into suspicious administrative activity. However, in an MSP context, generic MFA and standard PAM deployments remain insufficient if session tokens can be hijacked across boundaries: MFA is evaluated once at login, and a stolen post-authentication token inherits that decision for as long as the session lives. The exploitation of session tokens observed in the CTS and HTC Global incidents (Section 2.5 and Section 2.6) shows how attackers bypass perimeter MFA in exactly this way, which is why robust PAM is needed to contain the breach. To prevent this, MSPs must utilize PAM solutions specifically architected for multi-tenant environments, ensuring that highly privileged administrative credentials used by helpdesk technicians are vaulted, issued only through Just-in-Time (JIT) access that is scoped to one client tenant and expires automatically, and prevented from being reused laterally between different SMB clients.
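The per-request verification described for Zero Trust in Section 4.2.1 and the tenant-scoped, Just-in-Time privileged access described here come down to the same control point: every administrative action is checked against a short-lived grant that is bound to one identity, one client tenant, one role and one enrolled device. The following added example (not code from the original article, and not any vendor's PAM or IAP product) shows a minimal broker of that kind. It refuses to issue a grant unless MFA and device posture checks have passed, ties the token to the tenant and device with an HMAC tag, and denies the cross-tenant, replayed, forged and expired cases that the incidents above exploited. The names `Broker`, `Grant`, the role model, the tenants and the technician are assumptions made for illustration.

```python
"""Tenant-scoped, time-bound privileged access for MSP technicians (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Least-privilege role model (assumed for this example).
ROLE_ACTIONS = {
    "helpdesk": {"reset_password", "read_logs"},
    "tenant_admin": {"reset_password", "read_logs", "run_script", "modify_firewall"},
}


@dataclass(frozen=True)
class Grant:
    token: str        # opaque handle held by the technician's session
    user: str
    tenant: str       # the single client tenant this grant is valid for
    role: str
    device_id: str    # enrolled device that requested the grant
    expires_at: float


class Broker:
    """Issues JIT grants after MFA and posture checks; authorizes each action against the grant."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._grants = {}                       # token -> Grant
        self._key = secrets.token_bytes(32)     # server-side key for token integrity tags
        self.audit = []                         # every grant and every decision is recorded

    def _tag(self, *parts):
        return hmac.new(self._key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

    def request_grant(self, user, tenant, role, device_id, *, mfa_verified, device_compliant):
        """Just-in-time elevation: refused unless MFA passed and device posture is compliant."""
        if not (mfa_verified and device_compliant):
            self.audit.append(("deny_grant", user, tenant, role))
            return None
        nonce = secrets.token_hex(16)
        # The tag binds the token to user, tenant, role and device; it is defence in depth
        # should the grant store ever be shared or cached outside this process.
        token = f"{nonce}.{self._tag(nonce, user, tenant, role, device_id)}"
        grant = Grant(token, user, tenant, role, device_id, self._clock() + self._ttl)
        self._grants[token] = grant
        self.audit.append(("grant", user, tenant, role, device_id))
        return grant

    def authorize(self, token, tenant, action, device_id):
        """Per-action decision, re-evaluated on every administrative call (no standing trust)."""
        grant = self._grants.get(token)
        if grant is None:
            return self._deny("unknown_token", tenant, action)
        nonce = token.split(".", 1)[0]
        expected = f"{nonce}.{self._tag(nonce, grant.user, grant.tenant, grant.role, grant.device_id)}"
        if not hmac.compare_digest(token, expected):
            return self._deny("bad_tag", tenant, action)
        if self._clock() >= grant.expires_at:
            self._grants.pop(token, None)       # expired grants are dropped, never silently renewed
            return self._deny("expired", tenant, action)
        if grant.tenant != tenant:
            return self._deny("cross_tenant", tenant, action)      # the lateral-movement case
        if grant.device_id != device_id:
            return self._deny("device_mismatch", tenant, action)   # token replayed from another host
        if action not in ROLE_ACTIONS.get(grant.role, set()):
            return self._deny("role_forbids", tenant, action)
        self.audit.append(("allow", grant.user, tenant, action))
        return True

    def _deny(self, reason, tenant, action):
        self.audit.append(("deny", reason, tenant, action))
        return False


def demo():
    """Walk one technician through grant, use, cross-tenant attempt, replay, forgery and expiry.
    A controllable clock makes the expiry path deterministic. Returns (decisions, audit trail)."""
    now = [1_700_000_000.0]
    broker = Broker(ttl_seconds=900, clock=lambda: now[0])
    refused = broker.request_grant("alice", "tenant-A", "helpdesk", "LAPTOP-7",
                                   mfa_verified=False, device_compliant=True)
    grant = broker.request_grant("alice", "tenant-A", "helpdesk", "LAPTOP-7",
                                 mfa_verified=True, device_compliant=True)
    forged = grant.token[:-1] + ("0" if grant.token[-1] != "0" else "1")
    decisions = {
        "no_mfa_grant": refused is None,
        "same_tenant_allowed": broker.authorize(grant.token, "tenant-A", "reset_password", "LAPTOP-7"),
        "role_forbids": broker.authorize(grant.token, "tenant-A", "run_script", "LAPTOP-7"),
        "cross_tenant": broker.authorize(grant.token, "tenant-B", "reset_password", "LAPTOP-7"),
        "replayed_elsewhere": broker.authorize(grant.token, "tenant-A", "reset_password", "SRV-9"),
        "forged_token": broker.authorize(forged, "tenant-A", "reset_password", "LAPTOP-7"),
    }
    now[0] += 901                               # advance past the 15-minute TTL
    decisions["after_expiry"] = broker.authorize(grant.token, "tenant-A", "reset_password", "LAPTOP-7")
    return decisions, broker.audit


if __name__ == "__main__":
    results, trail = demo()
    for name, value in results.items():
        print(f"{name:22} {value}")
```

The point of the design is that a token lifted from a helpdesk session, as in the session-hijack cases above, buys the attacker at most one tenant, one role and a few minutes on the device it was issued to; a real deployment would add the device attestation and MFA verification that this example takes as inputs.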

4.2.3. Patch Management and System Hardening

Patch management is the structured process of applying vendor-issued updates to software and hardware to remediate vulnerabilities and maintain secure system operation [50]. It involves inventorying assets, monitoring for updates, prioritizing critical patches, testing, deploying, and documenting changes [50]. System hardening complements patch management by reducing attack surfaces through secure configurations, disabling unnecessary services, enforcing secure defaults, limiting exposed interfaces, and applying baseline security standards. Hardening strengthens operating systems, servers, networks, applications, and endpoints, helping prevent both initial access and post compromise exploitation [51].
Within MSP-managed environments, centralized administration and shared tooling amplify the impact of patching failures. A single unpatched edge device, remote access gateway, or management platform can provide attackers with privileged access across multiple downstream clients. The suspected exploitation of unpatched Exchange servers in the NetStandard attack (Section 2.3) demonstrates how delayed patching in centralized hosting environments leads to immediate downstream compromise. Implementing automated patching schedules, continuous vulnerability scanning, and standardized system hardening baselines enables MSPs to reduce exposure to known exploits, limit attack propagation, and prevent cascading compromises across multi-tenant infrastructures. A unique challenge for MSPs is reconciling mandatory security patching with stringent client SLAs that guarantee maximum uptime. To resolve this tension, MSPs must establish “security-first SLAs” in their client contracts, explicitly outlining pre-approved maintenance windows for critical edge-device and RMM patching that supersede standard uptime guarantees during active zero-day threat windows.

4.2.4. Endpoint Protection and Continuous Monitoring

Endpoint protection involves securing client devices, servers, and other endpoints against malware, ransomware, and unauthorized access through antivirus, anti-malware, and behavioral threat detection tools. Continuous monitoring complements this by collecting and analyzing system and network activity in real time to detect anomalies, unusual behaviors, or early signs of compromise. EDR (Endpoint Detection and Response) continuously monitors endpoints to detect, investigate, and automatically respond to threats, while XDR (Extended Detection and Response) correlates data across endpoints, networks, cloud, and identity systems, providing a holistic view of multi-stage attacks [52,53].
In MSP-managed environments, where multiple clients rely on shared infrastructure, a single compromised endpoint can quickly propagate threats across networks. Deploying advanced endpoint protection alongside continuous monitoring, EDR, and XDR allows MSPs to detect ransomware, AI-assisted phishing, and fileless malware early, while automated containment minimizes impact. For instance, in the Tigo Business incident (Section 2.9), attackers successfully terminated standard endpoint protection services prior to ransomware deployment, illustrating the critical need for tamper-protected, continuously monitored XDR solutions. This proactive approach strengthens overall security posture, limits lateral movement, and ensures rapid response before incidents escalate. However, standard EDR deployed in isolation is inadequate for an MSP managing disconnected client environments. MSPs require Extended Detection and Response (XDR) platforms capable of cross-tenant telemetry ingestion, allowing the Security Operations Center (SOC) to instantly identify whether malicious behavioral patterns such as ransomware encryption are occurring simultaneously across multiple independent SMB networks.
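The cross-tenant correlation requirement in the paragraph above can be made concrete. The following added example (not code from the original article or from any XDR vendor) shows the shape of such a rule over pooled endpoint telemetry: per-host bursts of file renames to one new extension are detected first, then bursts carrying the same extension in several independent tenants within a short window are raised as a single campaign rather than as unrelated per-tenant alerts. The event format, thresholds, tenant names and telemetry are constructed assumptions.

```python
"""Cross-tenant correlation of ransomware encryption bursts (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    tenant: str
    host: str
    ts: float            # epoch seconds
    process: str
    renamed_to_ext: str  # file extension after rename, e.g. ".lockd"


def host_bursts(events, window=60.0, min_renames=50):
    """Per (tenant, host): detect `min_renames` renames to one extension inside `window` seconds.
    Returns {(tenant, host): (extension, first_ts)} for hosts that exceed the threshold."""
    per_host = defaultdict(list)
    for e in events:
        per_host[(e.tenant, e.host)].append(e)
    bursts = {}
    for key, evs in per_host.items():
        by_ext = defaultdict(list)
        for e in evs:
            by_ext[e.renamed_to_ext].append(e.ts)
        for ext, times in by_ext.items():
            times.sort()
            lo = 0
            for hi in range(len(times)):        # sliding window over timestamps
                while times[hi] - times[lo] > window:
                    lo += 1
                if hi - lo + 1 >= min_renames:
                    bursts[key] = (ext, times[lo])
                    break
            if key in bursts:
                break
    return bursts


def cross_tenant_campaign(bursts, window=900.0, min_tenants=2):
    """Group host bursts by extension; report extensions seen in >= `min_tenants` distinct tenants
    within `window` seconds of the first sighting. One tenant alone stays a per-tenant alert."""
    by_ext = defaultdict(list)
    for (tenant, host), (ext, ts) in bursts.items():
        by_ext[ext].append((ts, tenant, host))
    campaigns = []
    for ext, hits in by_ext.items():
        hits.sort()
        first = hits[0][0]
        tenants = {t for ts, t, _ in hits if ts - first <= window}
        if len(tenants) >= min_tenants:
            campaigns.append({"extension": ext,
                              "tenants": sorted(tenants),
                              "hosts": [h for _, _, h in hits]})
    return campaigns


def make_sample():
    """Constructed telemetry: two tenants hit with the same extension minutes apart, a third
    tenant with benign batch renames below threshold, a fourth with a different extension alone."""
    base = 1_700_000_000.0
    events = []
    for i in range(60):   # tenant-A / FS01: 60 renames to .lockd in 30 s
        events.append(FileEvent("tenant-A", "FS01", base + i * 0.5, "svchost.exe", ".lockd"))
    for i in range(80):   # tenant-B / DC01: same extension, four minutes later
        events.append(FileEvent("tenant-B", "DC01", base + 240 + i * 0.3, "svchost.exe", ".lockd"))
    for i in range(20):   # tenant-C / APP01: a backup job renaming 20 files (below threshold)
        events.append(FileEvent("tenant-C", "APP01", base + i, "robocopy.exe", ".bak"))
    for i in range(70):   # tenant-D / WEB01: a burst, but a different extension and one tenant
        events.append(FileEvent("tenant-D", "WEB01", base + 3600 + i * 0.2, "rundll32.exe", ".zzz"))
    return events


if __name__ == "__main__":
    bursts = host_bursts(make_sample())
    for key, (ext, ts) in sorted(bursts.items()):
        print(f"burst  {key[0]:9} {key[1]:6} {ext} at {ts:.0f}")
    for c in cross_tenant_campaign(bursts):
        print("campaign:", c)
```

The thresholds are the tuning knobs an MSP SOC would set from its own baseline; the structural point is that the second stage only exists when telemetry from independent client networks lands in one place.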

4.2.5. Employee Awareness Training and AI Phishing Mitigation

Human error remains a leading factor in security incidents [54]. Regular training for both MSP staff and client employees on phishing, social engineering, and emerging AI-driven attack techniques such as “quishing” (QR code phishing) and AI-assisted email scams helps teams recognize, report, and respond to threats before they escalate.
Programs should include simulated phishing exercises, interactive modules, and timely updates on new attack vectors. In multi-tenant environments, a single compromised account can provide attackers with access to multiple client networks, amplifying breach impact. By combining structured training with AI phishing mitigation strategies and integration with endpoint detection tools like EDR/XDR, organizations reduce credential compromise, limit lateral movement, and strengthen the human layer of defense. For MSPs, the “human firewall” extends beyond their own staff to encompass the employees of every client they manage. Training programs must specifically address “helpdesk spoofing,” where threat actors use AI to impersonate the MSP’s technicians in order to trick SMB employees into granting remote access or handing over credentials.

4.2.6. Network Segmentation and Tenant Isolation

Network segmentation involves dividing a network into isolated zones to control traffic flow and enforce access policies, while tenant isolation extends this principle in MSP environments by ensuring each client’s resources are logically separated from other clients and internal systems. Segmentation can be implemented at multiple levels, including macro segmentation for broad zones and micro segmentation for fine-grained workload control, using techniques such as VLANs, VXLANs, VRF, and software-defined networking [55].
In a multi-tenant MSP architecture, proper segmentation and isolation significantly reduce the blast radius of a compromise. A breach in one client environment, whether due to ransomware, credential theft, or misconfigured access, cannot easily propagate to other clients or to the MSP’s internal systems. By limiting lateral movement, MSPs can contain threats, improve incident response, and prevent the cross-tenant attacks observed in several of the incidents reviewed here. Had strict tenant isolation been in place during the Südwestfalen IT and Tietoevry incidents (Section 2.7 and Section 2.8), the ransomware would likely have been confined to the initially affected segment rather than paralyzing dozens of downstream municipalities and universities, although the absence of public detail on the initial access vector in both cases (Table 1) means this remains an inference from the observed outcome. Segmentation also enhances visibility, monitoring, and compliance, enabling IT teams to apply access controls, enforce Zero-Trust principles, and detect anomalous traffic in real time. Together with strict access management, network segmentation strengthens the overall MSP security posture, supports regulatory compliance, and maintains client trust in shared infrastructure. Yet traditional macro-segmentation is insufficient for MSPs. Strict logical isolation must be enforced so that the MSP’s internal corporate network, the centralized RMM hosting environment, and each individual client subnet exist in entirely separate trust domains, with only the explicitly required management flows permitted between them. This boundary ensures that the compromise of one SMB client does not give an attacker a pivot point upstream into the MSP’s management layer, and it is a property a practitioner should verify rather than assume, by testing which domains remain reachable from a deliberately compromised tenant host.
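The reachability test suggested above, as an added illustration that is not part of the article: the trust-domain names, the three candidate policies, and the “relay” design (tenant agents reach only a relay that cannot initiate connections, while the RMM host pulls from the relay and pushes to tenants) are assumptions used to make the blast-radius argument concrete. Each policy records which domain may initiate connections to which; the check computes the worst-case reach from a compromised tenant by assuming every reachable hop can in turn be compromised, and lists edges that violate tenant isolation.

```python
"""Trust-domain blast-radius check for an MSP estate.

Added example (not from the article): domain names, the policies and the
relay design are assumptions used to illustrate the isolation argument.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# A policy maps a trust domain to the domains it may INITIATE connections to.
Policy = Dict[str, Set[str]]

DOMAINS = ["msp-corp", "rmm-host", "rmm-relay", "tenant-a", "tenant-b", "tenant-c"]
TENANTS = [d for d in DOMAINS if d.startswith("tenant-")]
MSP_INTERNAL = {"msp-corp", "rmm-host"}


def flat_policy() -> Policy:
    """Traditional flat estate: every domain can initiate to every other."""
    return {d: {o for o in DOMAINS if o != d} for d in DOMAINS}


def callback_to_rmm_policy() -> Policy:
    """Macro-segmented, but tenant agents call the RMM service directly."""
    policy: Policy = {d: set() for d in DOMAINS}
    policy["msp-corp"] = {"rmm-host"}
    policy["rmm-host"] = set(TENANTS)
    for t in TENANTS:
        policy[t] = {"rmm-host"}  # the upstream pivot point the text warns about
    return policy


def relay_isolated_policy() -> Policy:
    """Tenants reach only a relay that cannot initiate anything itself; the RMM
    host pulls from the relay and pushes to tenants (assumed design)."""
    policy: Policy = {d: set() for d in DOMAINS}
    policy["msp-corp"] = {"rmm-host"}
    policy["rmm-host"] = set(TENANTS) | {"rmm-relay"}
    for t in TENANTS:
        policy[t] = {"rmm-relay"}
    return policy


def worst_case_reach(policy: Policy, start: str) -> Set[str]:
    """Domains an attacker could reach from `start` if every hop it can connect
    to is in turn compromised (transitive closure over initiation edges)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(policy: Policy, compromised: str) -> List[str]:
    """Every other domain exposed by the compromise of `compromised`."""
    return sorted(worst_case_reach(policy, compromised) - {compromised})


def isolation_violations(policy: Policy) -> List[Tuple[str, str]]:
    """Edges that let a tenant initiate into another tenant or into the MSP's
    own corporate or RMM hosting domains."""
    bad = []
    for t in TENANTS:
        for dst in policy.get(t, ()):
            if dst in MSP_INTERNAL or dst.startswith("tenant-"):
                bad.append((t, dst))
    return sorted(bad)


if __name__ == "__main__":
    for name, pol in [("flat", flat_policy()),
                      ("callback-to-rmm", callback_to_rmm_policy()),
                      ("relay-isolated", relay_isolated_policy())]:
        print(f"{name:16} tenant-a compromised -> {blast_radius(pol, 'tenant-a')}; "
              f"violations={isolation_violations(pol)}")
```

Run stand-alone, the flat policy exposes every domain from one tenant; the “callback to RMM” policy still exposes the RMM host and, through it, every other tenant, which is exactly the pivot the text describes; only the relay design confines a tenant compromise to the relay. The same check run from `rmm-host` shows that the RMM host itself still reaches every tenant under every policy, which is why isolation must be combined with the identity and PAM controls discussed earlier rather than substituted for them.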

4.2.7. Third-Party Risk Management and External Security Audits

MSPs rely on a network of vendors, partners, and software providers, each of which introduces potential supply chain exposure. Rigorous third-party risk assessments, enforcement of contractual security requirements, and independent external audits are essential to maintain oversight and accountability. High-profile incidents demonstrate the consequences of weak third-party controls. In 2020, the SolarWinds supply chain attack involved threat actors inserting malicious code into a trusted, validly signed software update, impacting thousands of organizations worldwide, including government agencies and private enterprises [56]. In 2019, attackers used compromised credentials for the Kaseya and Webroot remote monitoring and management (RMM) consoles to push ransomware across multiple MSP client networks [21]. These examples illustrate that supply chain attacks are among the most significant threat vectors for MSPs: a weakness in a partner’s or vendor’s system can be exploited to gain unauthorized access, propagate malware, and amplify the impact of a breach across many client networks at once.
By systematically evaluating vendors’ security practices, monitoring compliance, and conducting periodic audits, MSPs can reduce the risk of third-party exploitation. Structured third-party management ensures that external dependencies do not become vectors for compromise, reinforcing overall network resilience and protecting client environments against cascading security incidents. MSPs face a compounded “fourth-party” risk: their clients rely on them, but the MSP relies heavily on upstream software vendors (such as Kaseya or Citrix). To mitigate this, MSPs must continuously audit their own software supply chain, demanding strict software bill of materials (SBOM) visibility and independent penetration testing results from the vendors providing their remote management platforms.

4.2.8. Incident Response Planning and Managed SOC Services

An Incident Response (IR) plan is a structured framework that guides an organization in managing cybersecurity incidents, focusing on limiting damage, reducing recovery time, and maintaining stakeholder confidence [57]. It defines roles, decision making processes, and escalation paths across business units to ensure coordinated action during breaches, helping prevent minor events from escalating into major incidents [57]. In parallel, a Security Operations Center (SOC) is an organizational unit that integrates people, processes, and technologies to detect, analyze, and respond to cyber threats, creating situational awareness and enhancing the organization’s overall security [58]. Together, IR plans and SOCs enable MSPs to rapidly contain incidents, coordinate responses across multi-tenant environments, and ensure regulatory compliance while minimizing operational impact. The Lumen Technologies incident (Section 2.4) demonstrated the value of this approach, as recently deployed security monitoring enhancements successfully detected exploratory attacker behavior, allowing for rapid containment before widespread disruption occurred.
Structured IR frameworks, supported by SOC operations, allow for rapid containment, isolation of affected systems, and mitigation of high-impact threats such as ransomware. Continuous monitoring, real-time threat intelligence, and regular simulation exercises improve situational awareness, shorten response times, and reduce operational downtime. Moreover, integrating IR planning with SOC functions promotes internal and external coordination, ensuring communication across IT, business units, legal, and customer-facing teams while maintaining relationships with external cybersecurity experts, law enforcement, and forensic services. This unified approach enhances decision making, clarifies roles and responsibilities, and minimizes the likelihood of single points of failure. It is particularly critical for MSPs because an MSP’s IR plan is considerably more complex than a standard enterprise’s: it must orchestrate simultaneous communication and recovery efforts across dozens of affected clients, their legal teams, and cyber insurance providers. A managed SOC function must possess a “kill-switch” capability to sever MSP-to-client connections the moment a systemic RMM breach is detected, sacrificing temporary uptime to prevent cascading ransomware deployment. Three caveats apply in practice: the kill switch is itself a high-value control and must require strong, separately held authorization, since an attacker who can trigger it gains a denial-of-service lever against every client; it must be exercised in drills so that the re-enablement path (out-of-band agent re-registration or credential rotation) is known to work; and the decision to invoke it should rest on cross-tenant telemetry showing the same malicious behavior in several independent client networks rather than on a single client’s alert.
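The cross-tenant correlation that Section 4.2.4 asks of an XDR platform and the kill-switch decision described here, as one added example that is not part of the article or of any vendor’s product. The event schema, the agent service names, the thresholds, and the sample telemetry are all constructed assumptions. A rename burst to one new extension on one host within a short window is taken as an encryption signal; bursts in two or more distinct tenants within five minutes are treated as a systemic event that severs every MSP-to-client link, and an EDR service stop that precedes a burst is reported as the tamper pattern seen in the Tigo Business case.

```python
"""Cross-tenant ransomware-burst detection and kill-switch decision.

Added example (not from the article or any XDR vendor): the event schema,
service names, thresholds and the sample telemetry are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    tenant: str    # client identifier, the field a per-client EDR console lacks
    host: str
    kind: str      # "file_rename" or "service_stopped" (assumed normalised kinds)
    detail: str    # new extension for renames, service name for stops


# Tunables (assumptions; tune against each estate's baseline).
BURST_RENAMES = 50       # renames to one new extension on one host ...
BURST_WINDOW = 60        # ... within this many seconds => encryption burst
SYSTEMIC_TENANTS = 2     # distinct tenants bursting ...
SYSTEMIC_WINDOW = 300    # ... within this many seconds => MSP-wide event
EDR_SERVICES = {"edr-agent", "xdr-sensor"}   # hypothetical agent service names


def encryption_bursts(events: Iterable[Event]) -> Dict[Tuple[str, str], int]:
    """{(tenant, host): ts at which a rename burst first crossed the threshold}."""
    stamps: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for e in events:
        if e.kind == "file_rename":
            stamps[(e.tenant, e.host, e.detail)].append(e.ts)
    first: Dict[Tuple[str, str], int] = {}
    for (tenant, host, _ext), ts_list in stamps.items():
        ts_list.sort()
        left = 0
        for right, ts in enumerate(ts_list):          # sliding time window
            while ts - ts_list[left] > BURST_WINDOW:
                left += 1
            if right - left + 1 >= BURST_RENAMES:
                key = (tenant, host)
                first[key] = min(first.get(key, ts), ts)
                break
    return first


def tampered_hosts(events: Iterable[Event]) -> Dict[Tuple[str, str], int]:
    """{(tenant, host): ts of the first EDR/XDR agent service stop}."""
    first: Dict[Tuple[str, str], int] = {}
    for e in events:
        if e.kind == "service_stopped" and e.detail in EDR_SERVICES:
            key = (e.tenant, e.host)
            first[key] = min(first.get(key, e.ts), e.ts)
    return first


def systemic_verdict(events: List[Event], managed_tenants: Set[str]) -> dict:
    """Correlate bursts across tenants and decide whether the managed SOC should
    pull the RMM kill switch for every client link, not only the bursting ones."""
    bursts = encryption_bursts(events)
    tamper = tampered_hosts(events)
    tenant_first: Dict[str, int] = {}
    for (tenant, _host), ts in bursts.items():
        tenant_first[tenant] = min(tenant_first.get(tenant, ts), ts)
    ordered = sorted(tenant_first.values())
    systemic, left = False, 0
    for right, ts in enumerate(ordered):              # window over tenant onsets
        while ts - ordered[left] > SYSTEMIC_WINDOW:
            left += 1
        if right - left + 1 >= SYSTEMIC_TENANTS:
            systemic = True
            break
    tamper_first = sorted(f"{t}/{h}" for (t, h), ts in bursts.items()
                          if tamper.get((t, h), ts) < ts)
    return {
        "systemic": systemic,
        "affected_tenants": sorted(tenant_first),
        "tamper_before_burst": tamper_first,
        "sever_links": sorted(managed_tenants) if systemic else [],
    }


def _renames(tenant: str, host: str, start: int, n: int, ext: str = ".locked") -> List[Event]:
    return [Event(start + i, tenant, host, "file_rename", ext) for i in range(n)]


T0 = 1_700_000_000
# Constructed telemetry: agent killed on tenant-a/fs01, then two tenants burst
# two minutes apart; tenant-c rotates a few backups, which stays below threshold.
SAMPLE_EVENTS: List[Event] = (
    [Event(T0 - 30, "tenant-a", "fs01", "service_stopped", "edr-agent")]
    + _renames("tenant-a", "fs01", T0, 60)
    + _renames("tenant-b", "ws07", T0 + 120, 55)
    + _renames("tenant-c", "nas02", T0 + 150, 10, ".bak")
)
MANAGED_TENANTS = {"tenant-a", "tenant-b", "tenant-c", "tenant-d"}

if __name__ == "__main__":
    print(systemic_verdict(SAMPLE_EVENTS, MANAGED_TENANTS))
```

On the constructed sample the verdict is systemic, lists tenant-a and tenant-b as affected, flags tenant-a/fs01 as tampered before its burst, and severs all four managed links, including tenant-d, which has shown nothing yet; feeding only tenant-a’s events yields a burst but no systemic verdict and an empty sever list. The thresholds are deliberately conservative placeholders: a real deployment would baseline rename rates per host class, since a single busy file server can exceed fifty renames a minute during legitimate batch jobs.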
Collectively, these mitigation strategies establish a layered defense that addresses both technical vulnerabilities and operational gaps. By combining zero-trust principles, robust identity management, proactive monitoring, employee training, and strategic oversight, MSPs can reduce the likelihood and impact of successful cyberattacks. As service providers continue to consolidate IT functions for multiple clients, adopting a proactive, defense in depth posture is essential to protect both the MSP and its downstream SMB clients from emerging threats.

4.3. Empirical Evaluation Agenda

While the mitigation strategies proposed above are grounded in observed attack patterns and industry best practices, they remain theoretically derived from our qualitative synthesis. To avoid implying empirical effectiveness without rigorous validation, future research must systematically evaluate these controls in live or simulated MSP environments. An empirical evaluation agenda should include:
  • Quantitatively measuring ransomware propagation speed across segmented versus unsegmented multi-tenant testbeds,
  • Assessing the operational latency introduced by Identity-Aware Proxies (IAPs) and JIT PAM on helpdesk SLA metrics, and
  • Conducting randomized controlled trials of AI-phishing awareness training specifically targeting “helpdesk spoofing” among MSP technicians.

5. Conclusions

This study examined recent cyberattacks targeting Managed Service Providers (MSPs) to identify common attack patterns, exploited vulnerabilities, and emerging risks in MSP-managed environments. The analysis relies on a hybrid OSINT methodology and a purposive sample of publicly reported incidents. While this approach effectively captures high-impact threat trends, it likely underrepresents the full scope of smaller-scale MSP-targeted attacks, suggesting that actual systemic risks may be even greater than observed. Furthermore, by implementing a source hierarchy and confidence labeling, this research maintains transparency regarding the inherent data constraints of open-source intelligence, explicitly flagging unconfirmed technical details where primary forensic disclosures were unavailable. The reviewed cases highlight a clear trend toward MSP-focused attacks that leverage centralized management platforms, privileged access, and multi-tenant architectures to achieve large-scale disruption from limited initial compromises.
The findings confirm that MSPs have become high-value targets for ransomware groups and other threat actors seeking to impact multiple organizations simultaneously. Exploitation of remote management tools, identity systems, and shared infrastructure consistently caused cascading operational failures, particularly affecting small- and medium-sized businesses. By analyzing attack patterns, vulnerabilities, and operational impacts, this study successfully met its objectives and assessed emerging risks in MSP environments.
Looking ahead, the continued expansion of MSP responsibilities into cloud services, identity management, and security operations is likely to further increase attacker interest. Mitigating these risks will require a shift toward proactive security strategies that emphasize zero-trust principles, strong identity and access controls, tenant isolation, and continuous monitoring of administrative activity. The mitigation strategies proposed in this study, grounded in industry best practices and observed attack patterns, have not yet been empirically validated, but offer a practical foundation for future research and application.
Ultimately, effectively addressing MSP-targeted cyber threats demands coordinated efforts among service providers, clients, and regulators. Strengthening controls, improving transparency, and fostering shared accountability are essential to reduce the systemic risk posed by MSP compromises and to safeguard the broader business ecosystem from far-reaching operational and economic impacts.

Author Contributions

Conceptualization, S.R.N.; methodology, S.R.N. and N.S.; software, S.R.N. and N.S.; validation, S.R.N., N.S. and W.S.; formal analysis, S.R.N. and N.S.; investigation, S.R.N. and N.S.; resources, S.R.N. and N.S.; data curation, S.R.N. and N.S.; writing—original draft preparation, S.R.N.; writing—review and editing, W.S., S.R.N. and N.S.; visualization, S.R.N.; supervision, W.S.; project administration, W.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

Authors Shiva Ram Neupane and Neeraj Shrestha were employed by the company Crumbacher Business, Inc. The remaining author declares that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
MSP: Managed Service Provider
SMB: Small- and Medium-Sized Business
IR: Incident Response
SOC: Security Operations Center
SLA: Service Level Agreement
DBIR: Data Breach Investigations Report
FTC: Federal Trade Commission
CISA: Cybersecurity and Infrastructure Security Agency
ENISA: European Union Agency for Cybersecurity
RMM: Remote Monitoring and Management
IOC: Indicator of Compromise
VSA: Virtual System Administrator
RCE: Remote Code Execution
ICO: Information Commissioner’s Office
CVE: Common Vulnerabilities and Exposures
RDP: Remote Desktop Protocol
ZTA: Zero-Trust Architecture
MFA: Multi-Factor Authentication
PAM: Privileged Access Management
VLAN: Virtual Local Area Network
VXLAN: Virtual Extensible Local Area Network
VRF: Virtual Routing and Forwarding
EDR: Endpoint Detection and Response
XDR: Extended Detection and Response
IT: Information Technology
OSINT: Open-Source Intelligence
IAPs: Identity-Aware Proxies
JIT: Just-in-Time

References

  1. Cybersecurity and Infrastructure Security Agency. Protecting Against Cyber Threats to Managed Service Providers and their Customers. CISA, AA22-131A. 2022. Available online: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a (accessed on 7 February 2026).
  2. Waltermire, K.; Perper, H. Improving Cybersecurity of Managed Service Providers (Supporting Small- and Medium-Sized Businesses). NIST. 2019. Available online: https://csrc.nist.gov/pubs/pd/2019/10/08/improving-cybersecurity-of-managed-service-provide/ipd (accessed on 19 December 2025).
  3. Bachlechner, D.; Thalmann, S.; Maier, R. Security and Compliance Challenges in Complex IT Outsourcing Arrangements: A Multi-Stakeholder Perspective. Comput. Secur. 2014, 40, 38–59.
  4. Sivesind, C. Report: Why Managed Service Providers Are Now Ground Zero for Attacks. Available online: https://www.secureworld.io/industry-news/managed-service-providers-ground-zero (accessed on 29 January 2026).
  5. Amir, E.; Levi, S.; Livne, T. Do firms underreport information on cyber-attacks? Evidence from capital markets. Rev. Account. Stud. 2018, 23, 1177–1206.
  6. Lydon, L. Corporate Under Reporting of Cybercrime: Why Does Reporting to Authorities Matter; Royal Holloway University of London: London, UK, 2022; Available online: https://www.royalholloway.ac.uk/media/20531/laurelydonisg.pdf (accessed on 15 March 2026).
  7. Kshetri, N.; Voas, J. Supply Chain Trust. IT Prof. 2019, 21, 6–10.
  8. Wang, X. On the Feasibility of Detecting Software Supply Chain Attacks. In Proceedings of the MILCOM 2021–2021 IEEE Military Communications Conference (MILCOM); IEEE: San Diego, CA, USA, 2021; pp. 458–463.
  9. Peisert, S.; Schneier, B.; Okhravi, H.; Massacci, F.; Benzel, T.; Landwehr, C.; Mannan, M.; Mirkovic, J.; Prakash, A.; Michael, J.B. Perspectives on the SolarWinds Incident. IEEE Secur. Priv. 2021, 19, 7–13.
  10. Oz, H.; Aris, A.; Levi, A.; Uluagac, A.S. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Comput. Surv. 2022, 54, 238.
  11. Connolly, L.Y.; Wall, D.S. The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Comput. Secur. 2019, 87, 101568.
  12. Khan, G.M.; Khan, S.U.; Khan, H.U.; Ilyas, M. Challenges and practices identification in complex outsourcing relationships: A systematic literature review. PLoS ONE 2022, 17, e0262710.
  13. Lacity, M.C.; Sauer, C.; Willcocks, L.P. (Eds.) Outsourcing and Offshoring Business Services, 1st ed.; Springer International Publishing: Berlin/Heidelberg, Germany; Palgrave Macmillan: London, UK, 2017.
  14. Qi, C.; Chau, P.Y.K. Relationship, contract and IT outsourcing success: Evidence from two descriptive case studies. Decis. Support Syst. 2012, 53, 859–869.
  15. Thomas, J.; Harden, A. Methods for the thematic synthesis of qualitative research in systematic reviews. BMC Med. Res. Methodol. 2008, 8, 45.
  16. Cognizant Security Incident Update. News | Cognizant Technology Solutions. Available online: https://news.cognizant.com/2020-04-18-cognizant-security-update (accessed on 7 February 2026).
  17. Cluley, G. IT Services Giant Cognizant Hit by Maze Ransomware Attack. Hot for Security. Available online: https://www.bitdefender.com/en-us/blog/hotforsecurity/it-services-giant-cognizant-hit-by-maze-ransomware-attack (accessed on 7 February 2026).
  18. Zitter, L. Incident of the Week: Cognizant Attacked by Maze. Cyber Security Hub. Available online: https://www.cshub.com/attacks/articles/incident-of-the-week-cognizant-attacked-by-maze (accessed on 7 February 2026).
  19. Vakulov, A. Managed Service Providers in Cyber Attacks. Cyber Security Hub. Available online: https://www.cshub.com/attacks/articles/managed-service-providers-a-gateway-for-cyber-attacks (accessed on 26 January 2026).
  20. Cybersecurity and Infrastructure Security Agency. CISA-FBI Guidance for MSPs and Their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack. CISA, AA21-185A. 2021. Available online: https://www.cisa.gov/news-events/alerts/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa-supply-chain-ransomware-attack (accessed on 7 February 2026).
  21. Vijayan, J. Customers of 3 MSPs Hit in Ransomware Attacks. Dark Reading. Available online: https://www.darkreading.com/cyberattacks-data-breaches/customers-of-3-msps-hit-in-ransomware-attacks (accessed on 28 January 2026).
  22. Kovar, J.F.; Fairfield, C.J. Apparent Cyberattack Hits MSP NetStandard. CRN. Available online: https://www.crn.com/news/managed-services/msp-netstandard-sees-hosted-services-compromised (accessed on 7 February 2026).
  23. Abrams, L. Kansas MSP Shuts Down Cloud Services to Fend Off Cyberattack. BleepingComputer. Available online: https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/ (accessed on 7 February 2026).
  24. Zurier, S. Exchange Vulnerability May Have Led to Attack on NetStandard MSP, Researchers Say. SC Media. Available online: https://www.scworld.com/news/exchange-vulnerability-may-have-led-to-attack-on-netstandard-msp-researchers-say (accessed on 7 February 2026).
  25. Williams, D. Top 5 MSP Cyberattacks in 2023/2024. BlackFog. Available online: https://www.blackfog.com/top-5-msp-cyberattacks-in-2023-2024/ (accessed on 27 January 2026).
  26. Lahiri, A. Lumen Faces 2 Ransomware Attacks, Working with Experts to Evaluate and Minimize Impact. Benzinga. Available online: https://www.benzinga.com/news/23/03/31512889/lumen-faces-2-ransomware-attacks-working-with-experts-to-evaluate-and-minimize-impact (accessed on 27 January 2026).
  27. National Vulnerability Database. CVE-2023-4966 Detail. NIST, 2023. Available online: https://nvd.nist.gov/vuln/detail/CVE-2023-4966 (accessed on 7 February 2026).
  28. Cybersecurity and Infrastructure Security Agency. Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed. CISA, 2023. Available online: https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed (accessed on 7 February 2026).
  29. Williams, D. LockBit Ransomware Affiliates Leverage Citrix Bleed Vulnerability (CVE-2023-4966). BlackFog. Available online: https://www.blackfog.com/lockbit-ransomware-affiliates-leverage-citrix-bleed-vulnerability-cve-2023-4966/ (accessed on 27 January 2026).
  30. Gatlan, S. Cyberattack on IT Provider CTS Impacts Dozens of UK Law Firms. BleepingComputer. Available online: https://www.bleepingcomputer.com/news/security/cyberattack-on-it-provider-cts-impacts-dozens-of-uk-law-firms/ (accessed on 27 January 2026).
  31. Williams, D. The Top 10 Ransomware Groups of 2023. BlackFog. Available online: https://www.blackfog.com/the-top-10-ransomware-groups-of-2023/ (accessed on 27 January 2026).
  32. Antoniuk, D. Massive Ransomware Attack Hinders Services in 70 German Municipalities. The Record. Available online: https://therecord.media/massive-cyberattack-hinders-services-in-germany (accessed on 27 January 2026).
  33. Robb, B. The State of Ransomware in 2023. BlackFog. Available online: https://www.blackfog.com/the-state-of-ransomware-in-2023/ (accessed on 27 January 2026).
  34. Labus, H. Tietoevry Ransomware Attack Halts Swedish Organizations. Help Net Security. Available online: https://www.helpnetsecurity.com/2024/01/22/tietoevry-ransomware/ (accessed on 25 January 2026).
  35. Paraguay Ciberseguro Reporta Ataque de Ransomware a una Telefonía Local. Última Hora. Available online: https://www.ultimahora.com/paraguay-ciberseguro-confirma-ataque-de-ransomware-a-telefonia (accessed on 28 January 2026).
  36. Acronis Threat Research Unit. MSP Cybersecurity News Digest, 24 June 2025. Acronis. Available online: https://www.acronis.com/en/tru/posts/msp-cybersecurity-news-digest-june-24-2025/ (accessed on 7 February 2026).
  37. Hollingworth, D. Exclusive: Aussie MSP Vertel Confirms Space Bears Ransomware Attack. Cyber Daily. Available online: https://www.cyberdaily.au/security/12262-exclusive-aussie-msp-vertel-confirms-space-bears-ransomware-attack (accessed on 7 February 2026).
  38. Richardson, R.; North, M. Ransomware: Evolution, Mitigation and Prevention. Int. Manag. Rev. 2017, 13, 10–21.
  39. Sun, G.; Chen, C.-C.; Bin, S. Study of Cascading Failure in Multisubnet Composite Complex Networks. Symmetry 2021, 13, 523.
  40. CrowdStrike State of Ransomware Survey. CrowdStrike, Survey. 2026. Available online: https://www.crowdstrike.com/explore/crowdstrike-content/2025-report-crowdstrike-ransomware-survey (accessed on 28 January 2026).
  41. Australian Cyber Security Centre (ACSC). Investigation Report: Compromise of an Australian Company via Their Managed Service Provider. ACSC, 2018. Available online: https://www.cyber.gov.au/sites/default/files/2023-03/msp_investigation_report.pdf (accessed on 7 February 2026).
  42. 2025 Data Breach Investigations Report. Verizon Business. Available online: https://www.verizon.com/business/resources/reports/dbir/ (accessed on 28 January 2026).
  43. Gallagher, S. The Sophos Annual Threat Report: Cybercrime on Main Street 2025. Sophos. Available online: https://www.sophos.com/blog/the-sophos-annual-threat-report-cybercrime-on-main-street-2025 (accessed on 28 January 2026).
  44. Danielson, L. The State of MSP Cybersecurity: Attack Trends and Key Statistics. Huntress. Available online: https://www.huntress.com/msp-guide/msp-statistics (accessed on 28 January 2026).
  45. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero Trust Architecture (ZTA): A Comprehensive Survey. IEEE Access 2022, 10, 57143–57179.
  46. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; NIST SP 800-207; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
  47. Shore, M.; Zeadally, S.; Keshariya, A. Zero Trust: The What, How, Why, and When. Computer 2021, 54, 26–35.
  48. Grassi, P.A.; Fenton, J.L.; Newton, E.M.; Perlner, R.A.; Regenscheid, A.R.; Burr, W.E.; Richer, J.P.; Lefkovitz, N.B.; Danker, J.M.; Choong, Y.-Y.; et al. Digital Identity Guidelines: Authentication and Lifecycle Management; NIST SP 800-63b; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017.
  49. Garbis, J.; Chapman, J.W. Privileged Access Management. In Zero Trust Security: An Enterprise Guide; Garbis, J., Chapman, J.W., Eds.; Apress: Berkeley, CA, USA, 2021; pp. 155–161.
  50. Souppaya, M.; Scarfone, K. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology; NIST SP 800-40r4; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2022.
  51. Ross, R.; Winstead, M.; McEvilley, M. Engineering Trustworthy Secure Systems; NIST SP 800-160v1r1; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2022.
  52. Kaur, H.; Sanjaiy Sl, D.; Paul, T.; Kumar Thakur, R.; Kumar Reddy, K.V.; Mahato, J.; Naveen, K. Evolution of Endpoint Detection and Response (EDR) in Cyber Security: A Comprehensive Review. E3S Web Conf. 2024, 556, 01006.
  53. George, D.A.S.; George, A.H.; Baskar, T.; Pandey, D. XDR: The evolution of endpoint security solutions-superior extensibility and analytics to satisfy the organizational needs of the future. Int. J. Adv. Res. Sci. Commun. Technol. (IJARSCT) 2021, 8, 493–501.
  54. Gyunka, B.A.; Christiana, A.O. Analysis of human factors in cyber security: A case study of anonymous attack on HBGary. Comput. Inf. Syst. 2017, 21, 10–18.
  55. Chandramouli, R. Secure Virtual Network Configuration for Virtual Machine (VM) Protection; NIST SP 800-125B; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016.
  56. Cybersecurity and Infrastructure Security Agency. Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A. 2021. Available online: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a (accessed on 7 February 2026).
  57. Bailey, T.; Brandley, J.; Kaplan, J. How good is your cyber incident response plan. McKinsey Bus. Technol. 2013, 31, 16–23.
  58. Vielberth, M.; Bohm, F.; Fichtinger, I.; Pernul, G. Security Operations Center: A Systematic Study and Open Challenges. IEEE Access 2020, 8, 227756–227779.
Figure 1. Conceptual View of Attacker Operations in Multi-Tenant SMB Environments. (Figure image not reproduced here.)
Table 1. MSP Attack Analysis Overview.

Year | Target | Attack Type | Access Vector | Impact | Actor | MSP Traits | Source | Source Confidence
2020 | Cognizant (Global) | Ransomware and Data Exfiltration | Unconfirmed credential compromise/internal access | Disruption of IT services for multiple clients; data exfiltration | Maze | Centralized IT delivery; privileged access; global client base | [16,17,18] | Very High
2021 | Kaseya MSP Clients | Supply Chain Ransomware | Zero-day vulnerabilities in Kaseya VSA | Cascading ransomware across hundreds of systems; disabled backups | REvil | Automated deployment; multi-tenant architecture | [8,12,19,20,21] | Very High
2022 | NetStandard (USA) | Suspected Ransomware | Unconfirmed Exchange RCE (CVE-2021-31206) | Hosted cloud services offline; localized outage | Unknown | Managed cloud services; multi-tenant environment | [22,23,24] | Medium
2023 | Lumen Technologies | Ransomware and Intrusion | Internal network intrusion | Reduced performance, temporary outages | Unknown | Segmented service environments; centralized management | [25,26] | Very High
2023 | CTS (UK) | Exploitation/Ransomware | Citrix Bleed (CVE-2023-4966) | Disruption of legal operations across 80–200 firms | Unknown | Multi-tenant architecture; elevated privileges | [25,27,28,30] | Very High
2023 | HTC Global Services | Ransomware and Data Exfiltration | Unconfirmed Citrix Bleed (CVE-2023-4966) | Exposure of sensitive corporate/client data | ALPHV | Elevated privileges; multi-tenant environment | [25,27,28,31] | Very High
2023 | Südwestfalen IT (Germany) | Ransomware | Not publicly specified | Outages across 70+ municipalities | Akira | Shared infrastructure; operational dependency | [25,32,33] | High
2024 | Tietoevry (Sweden) | Ransomware | Not publicly specified | Disruption of payroll/HR across public sector clients | Akira | Critical service dependency; multi-tenant | [25,33,34,38] | Very High
2024 | Tigo Business (Paraguay) | Ransomware | Unconfirmed exploitation of unsecured RDP | Encryption of 330 servers; 300+ clients offline | Black Hunt | Weak access controls; large client base | [19,35] | Medium
2025 | Vertel (Australia) | Ransomware and Data Exfiltration | Credential compromise/remote access exploitation | Potential exposure of SQL databases/client data | Space Bears | Centralized service management; multi-tenant aggregation | [36,37] | Very High
Table 2. Mitigation Mapping to Observed MSP Attack Patterns.

Observed Attack Pattern (Section 3) | Proposed Control (Section 4.2) | MSP Implementation Detail | Expected Effect on Blast Radius
Abuse of Privileged Access and Identity Mechanisms | Zero Trust, PAM, and Phishing Awareness | Identity-Aware Proxies; vaulted Just-in-Time (JIT) admin credentials; training against AI helpdesk spoofing | Prevents lateral movement across tenant boundaries if an MSP technician account is compromised
Exploitation of Centralized Management Infrastructure | Patch Management and XDR Monitoring | “Security-first SLAs” overriding uptime for edge devices; cross-tenant telemetry ingestion | Enables early detection of simultaneous multi-client encryption; patches edge gateways faster
Multi-Tenant Architectures and Cascading Failure | Network Segmentation and Tenant Isolation | Strict logical isolation between the RMM host, corporate network, and client subnets | Contains ransomware to a single subnet; severs the supply chain pivot point
Supply Chain and Third-Party Compromise | Vendor Audits and Incident Response/SOC | SBOM visibility demands; automated RMM “kill-switch” orchestrated by the managed SOC | Sacrifices temporary uptime to sever infected upstream links before malware pushes downstream

Share and Cite

MDPI and ACS Style

Neupane, S.R.; Shrestha, N.; Sun, W. A Qualitative Synthesis of Cyberattack Trends in Managed Service Providers: Analyzing Multi-Tenant Vulnerabilities and Mitigation Strategies. Information 2026, 17, 378. https://doi.org/10.3390/info17040378
