ConnectWise is currently facing a significant crisis of trust as attackers exploit its signed software to distribute malware. Infections have increased notably since March 2025, primarily due to poor signing practices that allow malicious users to embed harmful code within legitimate, signed applications. Reports indicate that the ConnectWise ScreenConnect remote access tool was the most commonly abused legitimate tool in 2024, accounting for 56% of all active threat reports involving remote access tools. The rise in phishing schemes utilizing ConnectWise samples has raised concerns about the security measures in place and the implications for managed service providers (MSPs).
Despite the increasing number of breaches, a recent survey revealed that 76% of MSP leaders remain confident in their cybersecurity efforts, even as nearly 70% reported experiencing multiple cyber breaches in the past year. This disconnect between confidence and reality poses a significant problem, as many MSPs recognize the need to improve their defenses but feel ill-equipped to guide customers through complex regulatory changes. The situation is further complicated by sensationalized reports of massive data breaches, which can divert attention from verified security threats and contribute to a false sense of security.
The podcast also highlights the ongoing Salt Typhoon hack, which has reportedly led to major U.S. telecommunications companies instructing their incident response teams not to seek evidence of the intrusion. This directive raises concerns about the scale of the breach and the lack of accountability within the telecom sector, where deregulation has diminished incentives for companies to invest in security measures. Experts warn that this willful ignorance sets a dangerous precedent, particularly in critical infrastructure, and emphasize the need for a reevaluation of vendor liability in the face of such breaches.
In response to the evolving challenges faced by MSPs, several vendors have introduced new tools and features aimed at improving operational efficiency and security. Syncro's Universal Billing feature aims to streamline billing processes, while ManageEngine's MSP Central platform seeks to enhance service delivery and device management. Additionally, Hornetsecurity has launched an AI Cyber Assistant to bolster cybersecurity for Microsoft 365 users. These developments indicate that while vendors are recognizing the challenges MSPs face, they often lag behind in providing the necessary solutions, underscoring the importance of selecting platforms that prioritize practical integration and real-world impact.
Three things to know today
00:00 Legit Tools, Real Breaches: ConnectWise Malware Surge and Telecom Hacks Highlight Systemic Security Failures
06:54 MSP Tools Evolve as Syncro, ManageEngine, and Hornetsecurity Target Profitability, Consolidation, and AI Security
09:47 Bitdefender, Pia and Nexus IT Signal Strategic Evolution in the MSP and Security Landscape
This is the Business of Tech.
[00:00:02] It's Wednesday, June 25th, 2025, and I'm Dave Sobel. Three things to know today. ConnectWise faces a crisis of trust as attackers exploit its signed software. MSPs are breached repeatedly, yet remain confident, and that's a problem. Telecom hacks worsen amid alleged cover-ups, and vendors push new billing, platform, and AI tools. But are they keeping up? We'll talk about why these matter, and why we care. This is the Business of Tech.
[00:00:30] Threat actors have recently been exploiting the legitimate ConnectWise application to create and distribute malware, significantly increasing infections since March 2025. This manipulation stems from poor signing practices that allow malicious users to embed harmful code within signed applications, thus bypassing many security measures. Reports show a notable rise in the use of ConnectWise samples in phishing schemes, with numerous cases documented on platforms like Bleeping Computer and Reddit.
[00:00:58] Affected users often report unexpected remote connections and suspicious application behavior masquerading as legitimate software. A recent report from G DATA, a German-based security firm, states that this wave of software abuse started in March, and uses phishing emails to trick victims into installing malicious versions of ConnectWise that the vendor has legitimately signed.
[00:01:19] According to cybersecurity firm, the ConnectWise screen-to-play, the ConnectWise ScreenConnect remote access tool was the most commonly abused legitimate tool in 2024, accounting for 56% of all active threat reports involving remote access tools. Researchers have identified a tactic called Authenticode stuffing, which allows attackers to modify software without invalidating its signature, creating a false appearance of legitimacy.
[00:01:44] This alarming trend has seen a surge in malicious campaigns linked to ConnectWise, matching the total number of such reports for all of 2024 within just the first five months of this year. And you might have heard about a recent report claiming a data breach involving over 16 billion credentials. It's been met with skepticism from cybersecurity experts who argue that there's little evidence to support such an extraordinary claim.
[00:02:07] The report, circulated by various media outlets, has been described as a mix of old data from multiple sources rather than a single unprecedented breach. According to Robert Lee, chief of research and head of faculty at the SANS Institute, the data consists of cumulative records collected over time and there are no verified files for researchers to examine. The director and global field chief information security officer at Sophos emphasized that similar claims have appeared in the past, often recycling previously stolen credentials.
[00:02:37] Cybersecurity experts warn that sensationalized reports can lead to complacency in addressing real security threats as attention shifts away from verified incidents toward exaggerated narratives. And per reporting in Techdirt, the Salt Typhoon hack continues to escalate, with major U.S. telecommunications companies reportedly instructing their incident response staff not to seek evidence of the intrusion.
[00:03:00] The directive comes as insiders reveal that the scale of the breach is far worse than initially reported, affecting companies like Comcast and Digital Realty alongside AT&T and Verizon. Last year, eight major telecoms were infiltrated by Chinese hackers, who managed to spy on U.S. officials for over a year. As the situation unfolds, it remains unclear whether government agencies have a consistent understanding of the attack's impact, with varying lists of potential victims causing confusion.
[00:03:28] Experts highlight that the deregulation of the telecom sector has removed incentives for companies to invest in security measures, leading to repeated breaches and a lack of accountability in the industry. A recent survey by CyberSmart shows that nearly 70% of managed service providers have faced multiple cyber breaches in the past year. Despite this worrying figure, 76% of MSP leaders expressed confidence in their organization's cybersecurity efforts.
[00:03:54] The survey, which collected insights from 900 MSP leaders across different countries, found that 47% experienced three or more breaches. Interestingly, while most MSPs demonstrate above average cybersecurity knowledge, 80% recognize the need to improve their defenses. Additionally, the survey revealed that only 39% of MSPs feel well-equipped to guide customers through challenging regulatory changes in cybersecurity. Why do we care? This isn't just about ConnectWise.
[00:04:23] It's a moment of reckoning for every MSP and software vendor. Remote management tools are now weapons of choice for attackers. The standard approach to trust, code signing, EDR allow lists, and vendor whitelisting is broken, and MSPs sit at the heart of the broken model. Attackers are exploiting a legitimate, vendor-signed application to distribute malware, using tactics like Authenticode stuffing to bypass detection. It's a fundamental trust issue.
[00:04:47] When security stacks and EDRs whitelist signed software, threat actors exploit that implicit trust by hijacking it. Questions should be asked about systematic failure and how code signing is handled and verified. The 16 billion credential story is a distraction, but a useful one. It reminds us how the noise of recycled breach claims can divert attention from real threats. The real concern isn't the phantom mega-leak. It's the ongoing verified misuse of legitimate software in targeted campaigns.
[00:05:17] The hype cycle misleads customer conversations and can cause the dangerous belief that breaches are background noise rather than systemic, preventable risks. And the Salt Typhoon telecom breaches reinforce this, not only because of the attack's scale, but due to the internal directives reportedly telling incident responders not to look too hard. That kind of willful ignorance, especially in critical infrastructure, sets a dangerous precedent.
[00:05:43] It also illustrates what happens when industries are allowed to underinvest in security. The costs get socialized and the damage trickles down to every business that relies on these networks. One must ask, where is the vendor liability here? Not just reputationally, but in actual damages to customers. When chaos hits, will your system survive?
[00:06:07] Comet Backup's full image backups protect your entire system, files, apps, settings, and even the OS in one powerful automated backup. Comet is easy to deploy and bandwidth efficient. Full system backups for Windows, for Linux, for servers, for endpoints, all in one centralized platform. Whether you get hit with ransomware, hardware failure, or accidental deletion, Comet restores your system to physical, VM, or the cloud.
[00:06:31] Short on time? Restore individual files or folders to access critical data within moments. Try Comet Backup today. Reliable, secure, and made to scale. Visit cometbackup.com to protect what matters most. Get $100 free credit when you sign up with the promo code MSPRADIO. Comet Backup. Backup. Fast. Restore. Easy. Syncro has introduced a new feature called Universal Billing,
[00:06:59] designed to reduce missed billing for third-party licenses in the managed service provider industry. Universal Billing integrates license data from third-party tools into recurring invoices, eliminating the need for manual reconciliation and minimizing billing errors. The feature pulls daily license counts from supported vendors, ensuring accurate invoicing as usage fluctuates. Currently, it supports Proofpoint and will expand to additional marketplace offerings by the end of the year,
[00:07:26] including Microsoft licensing through Syncro's new extended monitoring and management platform. The new feature aims to streamline operations for service providers and has already garnered positive feedback from users. ManageEngine has launched MSP Central, a unified platform intended to help managed service providers improve their service delivery, device management, and infrastructure monitoring. The platform features a modular architecture that enables users to adopt only the components they require, eliminating unnecessary complexity.
[00:07:55] MSP Central offers capabilities such as remote monitoring and management, professional services automation, and advanced server monitoring, all designed to enhance operational efficiency. ManageEngine aims to integrate all standalone tools into this platform. Hornetsecurity has launched its new AI Cyber Assistant as part of the 365 Total Protection Plan 4, aimed at enhancing cybersecurity for Microsoft 365 users. The new solutions include tools such as Email Security Analyst,
[00:08:24] which automates the review of user-reported suspicious emails, and Teams Protection, designed to monitor Microsoft Teams messages for malicious content. The new Teams Protection feature uses AI and machine learning to scan Teams messages for harmful content, addressing a growing vulnerability in instant messaging platforms. Why do we care? Well, the updates show that vendors do recognize the evolving operational and security challenges MSPs face,
[00:08:51] but they're often a step behind where service providers need them to be. Syncro is addressing one of the least sexy, but most crucial parts of profitability, accurate billing. It's fundamental to the value MSPs provide, not just what you do for your clients, but whether you're consistently charging for it. Microsoft licensing is the real prize, and until that's live, the benefit does remain niche. ManageEngine is leaning into consolidation, but it must prove that modular doesn't mean fragmented.
[00:09:19] Providers need unified data visibility and seamless workflows, not another stitched-together platform. Hornetsecurity is right to look at Teams, but the AI arms race in security is filled with overhype. The proof will be in incident prevention, not feature announcements. For providers, the big takeaway is this. The vendors are modernizing, but unevenly. Choose those that prioritize practical integration, transparent licensing, and real-world impact. That's where the competitive edge lies.
[00:09:49] Bitdefender has announced its plans to acquire Mesh Security, aiming to enhance its email protection capabilities within the GravityZone platform. The acquisition is part of Bitdefender's strategy to unify security signals across various attack vectors, including email, endpoint, network, identity, and cloud, thereby improving visibility and response times for enterprise and managed service provider partners.
[00:10:11] The addition of Mesh will allow Bitdefender to treat email as a primary telemetry source, enhancing threat detection and correlation across the entire attack surface. Pia, the AI help desk automation vendor, has appointed David Schwartz as its new CEO to lead the company through its next phase of growth. Schwartz, who previously served as general manager and chairman of Pia's Growth Advisory Committee, brings extensive experience in software as a service, managed services, and AI automation.
[00:10:38] This leadership change comes after the resignation of former CEO Gerwai Todd. The company aims to become the leading AI automation platform for managed service providers by focusing on automating complex, repetitive tasks and enhancing product integration. Nexus IT has secured a significant investment of $60 million to enhance its founder-led, values-driven approach to expanding its managed service provider and managed security service provider operations.
[00:11:04] The funding aims to accelerate growth and innovation within the company, reinforcing its commitment to delivering high-quality IT solutions. With the funding round, the company plans to further develop its service offerings and strengthen its position as a leader in the IT services sector. Why do we care? Well, this slate of news is a snapshot of a changing IT channel. Consolidation of signals, scaling of leadership, automation as a core value, and MSPs themselves becoming investable platforms.
[00:11:31] For providers, vendor selection should increasingly prioritize platforms that unify telemetry, not just tack on features. Automation is no longer a luxury, it's a competitive necessity. And tools like Pia will force a prove-it test from efficiency-focused MSPs. MSPs should study Nexus IT's path. There's a clear message. Organic, founder-led growth with strong values and operational maturity is still fundable.
[00:11:56] You don't need to be part of a PE roll-up to scale, but you do need to act like a business ready to scale. These signals shift a maturing market, but one where execution remains everything. Are you ready to get your brand in front of the tech leaders shaping the future of managed services? Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs.
[00:12:22] Whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars. From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact. Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs. Be a part of the conversation that matters to IT service providers worldwide.
[00:12:51] Join us at MSP Radio and amplify your message where it counts. Visit MSP Radio dot com slash engage today to explore all the ways we can help you grow. Thanks for listening. Today is National Pralines Day. It's a real specific one. I got two webinars for you. Join me for a webinar sponsored by ThreatDown as we talk about AI's dark side, what every MSP needs to know. That's at bit.ly slash ThreatDown.
[00:13:21] And also join me for a webinar sponsored by Nerdio, modern endpoint management with Intune, what works and what doesn't. That one's at bit.ly slash Nerdio webinar. Both links in the show notes. Look forward to the conversations. I'll talk to you tomorrow. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform.
[00:13:49] It's free and helps directly. Give us a review too. If you want to support the show, visit patreon.com slash MSP radio and you'll get access to content early. Or buy our why do we care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSP radio.com.
[00:14:14] I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube. Reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP radio.com slash engage. Once again, thanks for listening. And I will talk to you again on our next episode. Part of the MSP radio network.

