Executive Summary
In 2026, Blackpoint Cyber's annual threat report highlighted a shift in attacker methodology: a notable increase in the exploitation of legitimate access methods relative to traditional vulnerability exploits. Per the report, 32.8% of incidents involved SSL VPN abuse, in which attackers authenticated with valid but compromised credentials, established sessions that looked legitimate at the gateway, and then moved laterally at speed. A further 30.3% of incidents involved misuse of Remote Monitoring and Management (RMM) tools; ScreenConnect alone appeared in over 70% of rogue RMM cases. The pattern is consistent: threat actors lean on trusted IT tooling to gain and keep access and thereby slip past controls tuned for malware and exploit signatures. The relevance of these findings lies in the growing prevalence of identity-driven attacks and the deliberate use of legitimate tools for malicious ends. A valid login followed by an RMM install that looks sanctioned may not trigger conventional controls at all. Organizations therefore need closer monitoring of how credentials are used (source network, timing, device), an inventory of which RMM tools are approved and on which hosts, and stricter access controls such as multi-factor authentication on all remote access. The rise in these methods makes adaptive, behaviour-based security strategies urgent.
Why This Matters Now
The increasing abuse of legitimate access methods and trusted IT tools by cybercriminals presents a significant challenge to traditional security measures. Organizations must urgently adapt their security strategies to monitor and control credential usage and access to prevent unauthorized intrusions.
Attack Path Analysis
The attack path is modelled here in six stages. Initial access: attackers authenticated to SSL VPNs with compromised credentials, producing sessions indistinguishable from a legitimate user's at the gateway. Privilege escalation: they abused temporary elevated cloud access mechanisms (such as just-in-time elevation or role assumption) to take on higher-privileged roles. Lateral movement: with those roles they reached additional cloud resources and services. Command and control: they deployed RMM tools such as ScreenConnect, which blend in with routine administrative traffic and survive reboots, to keep persistent access. Exfiltration: sensitive data was copied to external cloud storage services. Impact: ransomware was deployed, encrypting critical data and halting business operations. The report's headline figures quoted in the Executive Summary cover the SSL VPN and RMM stages of this chain.
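As an added illustration (not code from the report or from Blackpoint Cyber), the following Python script shows detection logic for the two stages the report quantifies: a valid-credential SSL VPN login that looks wrong for the user (a source ASN outside the user's baseline, or two countries within an hour), followed within a short window by an RMM agent such as ScreenConnect launching on a host that is not approved to run one. Every log record, user, host, ASN and IP address below is constructed for the example, and the field layout, the approved-host inventory and the RMM file-name markers are assumptions rather than any VPN or EDR vendor's real schema.

```python
"""Correlate anomalous SSL VPN logins with rogue RMM agent execution.

Added example; not code from the report. All log records below are
constructed, and the field layout (ts, user, src_ip, asn, country) is an
assumption rather than any VPN or EDR vendor's real schema.
"""
from datetime import datetime, timedelta

# --- Constructed input -----------------------------------------------------

# Successful SSL VPN authentications: (ts, user, src_ip, src_asn, src_country).
VPN_LOGINS = [
    ("2025-09-01T07:55:00", "jdoe", "203.0.113.10", "AS64500", "US"),
    ("2025-09-01T08:02:00", "jdoe", "198.51.100.77", "AS64511", "NL"),
    ("2025-09-02T09:10:00", "msmith", "203.0.113.22", "AS64500", "US"),
]

# Per-user set of source ASNs seen over a trailing baseline period (assumed).
BASELINE_ASN = {"jdoe": {"AS64500"}, "msmith": {"AS64500"}}

# Endpoint process-creation events: (ts, host, user, image_path).
PROCESS_EVENTS = [
    ("2025-09-01T08:20:00", "WS-101", "jdoe",
     r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"),
    ("2025-09-01T10:00:00", "HELPDESK-01", "svc_help",
     r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("2025-09-02T09:30:00", "WS-202", "msmith", r"C:\Program Files\Vendor\App.exe"),
]

# Hosts where an RMM agent is sanctioned (assumed inventory).
APPROVED_RMM_HOSTS = {"HELPDESK-01"}

# Substrings of RMM agent file names to match; extend from your own inventory.
RMM_MARKERS = ("screenconnect", "simplehelp")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def anomalous_vpn_logins(logins, baseline, travel_window=timedelta(hours=1)):
    """Flag valid-credential logins that look wrong for the user: a source ASN
    outside the user's baseline, or two countries within travel_window."""
    findings = []
    last_seen = {}  # user -> (ts, country) of the previous login
    for ts, user, src_ip, asn, country in sorted(logins):  # ISO timestamps sort lexically
        reasons = []
        if asn not in baseline.get(user, set()):
            reasons.append("new_asn")
        prev = last_seen.get(user)
        if prev and prev[1] != country and parse_ts(ts) - parse_ts(prev[0]) <= travel_window:
            reasons.append("impossible_travel")
        last_seen[user] = (ts, country)
        if reasons:
            findings.append({"ts": ts, "user": user, "src_ip": src_ip, "reasons": reasons})
    return findings


def rogue_rmm_events(events, approved_hosts):
    """Flag RMM agent executions on hosts not on the approved inventory."""
    findings = []
    for ts, host, user, image in events:
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(m in name for m in RMM_MARKERS) and host not in approved_hosts:
            findings.append({"ts": ts, "host": host, "user": user, "image": image})
    return findings


def correlate(vpn_findings, rmm_findings, window=timedelta(hours=2)):
    """Escalate a rogue RMM execution to high severity when the same user had an
    anomalous VPN login in the preceding `window`; otherwise keep it medium."""
    results = []
    for r in rmm_findings:
        r_ts = parse_ts(r["ts"])
        linked = [
            v for v in vpn_findings
            if v["user"] == r["user"]
            and timedelta(0) <= r_ts - parse_ts(v["ts"]) <= window
        ]
        results.append({**r, "severity": "high" if linked else "medium", "linked_vpn": linked})
    return results


def run(logins=VPN_LOGINS, baseline=BASELINE_ASN,
        events=PROCESS_EVENTS, approved=APPROVED_RMM_HOSTS):
    """Run both detectors over the constructed data and correlate them."""
    return correlate(anomalous_vpn_logins(logins, baseline),
                     rogue_rmm_events(events, approved))


if __name__ == "__main__":
    for finding in run():
        print(finding["severity"].upper(), finding["user"], finding["host"],
              finding["image"], [v["reasons"] for v in finding["linked_vpn"]])
```

On the constructed data the script yields one high-severity finding: jdoe's second VPN login comes from an ASN never seen for that user and from a different country seven minutes after the first, and ScreenConnect's installer runs under jdoe's account on WS-101 eighteen minutes later; the sanctioned ScreenConnect service on HELPDESK-01 is not flagged. The impossible-travel check is deliberately simple (country change within an hour) and the ASN baseline will fire for users behind a consumer VPN or cloud egress, so tune the baseline period and the approved-host inventory before relying on it.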
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access by exploiting compromised credentials to authenticate via SSL VPNs, allowing them to establish legitimate-looking sessions.
Related CVEs
The CVEs listed here are flaws in the RMM products named in the report (N-able N-central and SimpleHelp). They bear on the rogue RMM finding rather than on the SSL VPN credential abuse that opens this stage; a compromised or exploitable RMM server gives an attacker the same trusted remote access without any VPN credential.
CVE-2025-8875
CVSS 7.8. An insecure deserialization vulnerability in N-able N-central allows authenticated attackers to execute arbitrary code.
Affected Products:
N-able N-central – < 2025.3.1
Exploit Status:
exploited in the wild
CVE-2025-8876
CVSS 8.8. A command injection vulnerability in N-able N-central allows authenticated attackers to execute arbitrary commands.
Affected Products:
N-able N-central – < 2025.3.1
Exploit Status:
exploited in the wild
CVE-2024-57726
CVSS 9.9. Missing backend authorization checks in SimpleHelp allow a low-privileged technician to create API keys with excessive permissions and escalate to server administrator.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild
CVE-2024-57727
CVSS 7.5. Path traversal vulnerabilities in SimpleHelp allow an unauthenticated remote attacker to download arbitrary files from the server, including configuration files that hold hashed credentials.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild
CVE-2024-57728
CVSS 7.2. An arbitrary file upload vulnerability in SimpleHelp allows an administrator, or an attacker who has escalated to that role, to write files anywhere on the server and execute code.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild
Chained together, the three SimpleHelp flaws take an unauthenticated attacker from credential disclosure (CVE-2024-57727) through technician-to-admin escalation (CVE-2024-57726) to code execution on the server (CVE-2024-57728), so all three should be patched as a set rather than triaged by individual score.
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
External Remote Services (T1133)
Remote Access Software (T1219)
Phishing (T1566)
Application Layer Protocol (T1071)
Remote Services (T1021)
Credentials from Password Stores (T1555)
Indicator Removal on Host (T1070, now named Indicator Removal)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Multi-Factor Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to credential abuse attacks targeting VPN access and privileged accounts, requiring enhanced zero trust segmentation and egress security controls.
Health Care / Life Sciences
High risk from routine access exploitation threatening patient data through lateral movement, demanding robust east-west traffic security and anomaly detection.
Information Technology/IT
Prime target for RMM tool abuse and social engineering attacks, necessitating comprehensive multicloud visibility and Kubernetes security fabric implementation.
Government Administration
Significant vulnerability to nation-state actors exploiting valid credentials for data exfiltration, requiring encrypted traffic controls and threat detection capabilities.
Sources
- Routine Access Is Powering Modern Intrusions, a New Threat Report Finds (BleepingComputer): https://www.bleepingcomputer.com/news/security/routine-access-is-powering-modern-intrusions-a-new-threat-report-finds/
- Vulnerabilities in MSP-friendly RMM solution exploited in the wild (CVE-2025-8875, CVE-2025-8876) (Help Net Security, 14 August 2025): https://www.helpnetsecurity.com/2025/08/14/vulnerabilities-in-msp-friendly-rmm-solution-exploited-in-the-wild-cve-2025-8875-cve-2025-8876/
- SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks (H-ISAC TLP:WHITE bulletin hosted by the AHA, 29 January 2025): https://www.aha.org/system/files/media/file/2025/01/h-isac-tlp-white-threat-simplehelp-rmm-software-leveraged-in-exploitation-attempt-to-breach-networks-1-29-2025.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to establish and maintain unauthorized sessions may have been constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the cloud environment may have been constrained, reducing the reachability of additional resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been constrained, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing unauthorized data transfers.
The attacker's ability to deploy ransomware and disrupt operations may have been constrained, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Remote Access Management
- IT Administration
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the cloud environment.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, detecting unauthorized lateral movement.
- Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into cloud activities and detect anomalous behaviors.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.