DragonForce has emerged as a significant threat actor in the cybercrime landscape, targeting vulnerabilities in the SimpleHelp remote monitoring and management tool to execute sophisticated ransomware-as-a-service attacks against managed service providers (MSPs). Recent incidents have highlighted how attackers exploited known vulnerabilities, including path traversal and privilege escalation issues, to deploy DragonForce ransomware, which involved exfiltrating sensitive data and employing double extortion tactics. While some clients were protected by endpoint security measures, others suffered significant impacts, underscoring the importance of maintaining IT hygiene and patch management.
The rise of DragonForce is indicative of a broader trend where low-key remote monitoring and management vendors become high-risk entry points for cybercriminals. The evolution of DragonForce from disruptive ransomware player to a full-blown ransomware-as-a-service operator executing targeted extortion campaigns raises alarms about the security of tools widely used by small and medium-sized businesses (SMBs). This situation serves as a reminder that disclosed vulnerabilities can become weaponized if organizations fail to prioritize patching and security measures.
In another concerning development, ConnectWise's ScreenConnect has been identified as the most abused legitimate remote access tool in cyberattacks, accounting for a significant percentage of active threat reports. Cybercriminals are hijacking these tools, typically used by IT professionals, to infiltrate systems and deliver malicious software. The increasing popularity of ScreenConnect has raised vendor trust concerns among IT service providers, prompting discussions about the implications of using such tools in an environment where they can be misused, even without technical exploits.
Microsoft is also making waves in the patch management landscape by introducing a Windows Update Orchestration platform that allows app developers to integrate their update processes into the Windows 11 framework. This initiative aims to create a unified system for managing updates across devices, addressing user concerns about fragmented experiences. The implications of this change are profound, as it positions Microsoft as a central authority in the software update lifecycle, potentially reshaping how managed service providers and security teams approach patching and update management in the future.
Four things to know today
00:00 DragonForce Targets SimpleHelp Vulnerabilities in MSP-Focused Ransomware Campaign
03:30 ConnectWise ScreenConnect Now the Most Abused Remote Access Tool in 2025 Cyberattacks, Report Finds
05:56 Unified Patch Control: Microsoft’s Update Orchestration Platform Threatens RMM Value Propositions
08:55 Actionable AI: Governance Framework and MCP Protocol Deliver Real-World Benefits Amid Hype
This is the Business of Tech.
Supported by: https://syncromsp.com/
[00:00:02] It's Thursday, May 29th, 2025, and I'm Dave Sobel for Things to Know Today. DragonForce targets SimpleHelp in a sophisticated Ransomware-as-a-Service attack against managed service providers. ScreenConnect tops the list of most abused remote tools raising vendor trust concerns. Microsoft expands Windows Update to cover third-party apps disrupting patch management. And two implementation frameworks offer clear paths for AI governance and developer productivity.
[00:00:32] This is the Business of Tech. When a listener even asks if I'm covering this story, I know it's in the conversation, so this one had to go first. DragonForce actors have targeted vulnerabilities in the SimpleHelp Remote Monitoring and Management tool to launch attacks against managed service providers and their customers. In a recent incident, a threat actor exploited these vulnerabilities to deploy DragonForce ransomware,
[00:00:57] which included exfiltrating sensitive data and using double extortion tactics. The Sophos Managed Detection and Response Team reported that the attackers took advantage of several vulnerabilities, including multiple path traversal and privilege escalation issues, which were disclosed and addressed in January of 2025. Sophos has indicated that they were able to thwart the ransomware attempt for one client that utilized their endpoint protection, while other clients of the managed service provider were impacted.
[00:01:27] Sophos has since engaged in digital forensics and incident response to address the situation. The rise of DragonForce follows their involvement in high-profile retail breaches in the United Kingdom, including attacks on Marks & Spencer and Co-op, where significant customer data was compromised. As DragonForce expands its ransomware-as-a-service model, it's quickly establishing itself as a major player in the cybercrime landscape. Why do we care?
[00:01:54] This is a textbook case of why the fundamentals still matter – patching, segmentation, detection – and why low-key RMM vendors continue to be high-risk entry points into the MSP ecosystem. The fact that this attack was executed using known vulnerabilities disclosed in January reinforces a grim truth. Disclosed and patched threats become weaponizable when IT hygiene slips.
[00:02:20] However, the real story may not be SimpleHelp itself or even the specific attack vector. The real why-do-we-care lies in DragonForce's evolution as a threat actor – from disruptive ransomware player to full-blown ransomware-as-a-service operator executing highly-coordinated, targeted extortion campaigns against both providers and end customers.
[00:02:42] DragonForce is showing strong operational growth, high-profile retail breaches – Marks & Spencer and Co-op – RaaS sophistication – and now targeted attacks against tools used widely by SMB-focused MSPs. This episode is supported by Syncro. Syncro, the integrated remote monitoring and management and professional services automation platform, is designed for mid-sized and growing managed service providers.
[00:03:10] Its latest innovations include an AI-powered smart ticket management system with automatic ticket classifications, guided resolution steps using pre-approved scripts, and a natural language smart search function. These tools streamline ticket handling and improve response times. Discover more at syncromsp.com.
[00:03:32] In 2025, ConnectWise's ScreenConnect has emerged as the most abused legitimate remote access tool in cyberattacks, accounting for 56% of active threat reports involving such tools. A report from Cofense Intelligence reveals a troubling trend where cybercriminals are hijacking these legitimate tools, typically used by IT professionals, to infiltrate computer systems and deliver harmful programs.
[00:03:57] The report notes that the popularity of ConnectWise's ScreenConnect is surging, with attack volumes in 2025 already matching those from the previous year. Various tactics are being employed by attackers, including spoofing emails from the U.S. Social Security Administration and using fake notifications about shared files to trick victims into installing the tool. Other legitimate remote access tools, such as Atera and FleetDeck, are also being exploited in targeted campaigns.
[00:04:24] ConnectWise has confirmed a cyberattack on ScreenConnect, stating that all systems are now secure. The attack raised concerns among IT service providers, as ScreenConnect is widely used. The company took immediate action to mitigate the risks and secure its infrastructure. While specific details regarding the nature of the attack remain limited, ConnectWise emphasized its commitment to safeguarding customer data and restoring trust. Why do we care? Because this is now a pattern, not a one-off.
[00:04:51] ScreenConnect is now the most abused legitimate remote access tool in cyberattacks. For providers, this shifts ScreenConnect from a convenience to a liability, raising hard questions about vendor trust, default configurations, and acceptable risk in remote tooling. It isn't just a product issue, it's an ecosystem issue. It's tempting to frame this purely as a failure of cyber hygiene, but that misses deeper systemic issues. Tool misuse is not the same as vulnerability.
[00:05:19] Even in the absence of technical exploits, attackers are simply installing and using the tools the way they're intended to be used, after fooling users or exploiting loose policies. Vendors benefit from ubiquity, but don't shoulder equivalent security risk. When tools like ScreenConnect are misused, MSPs take the reputational hit, even if the software behaved as designed. If remote access is your superpower, it's also your attack surface.
[00:05:46] Either secure it with layered, monitorable, and enforceable controls, or expect to see your own name in the next threat report. But if you asked me, this story would have been the headline. Microsoft is introducing a Windows Update Orchestration Platform, allowing app developers to integrate their update processes into the Windows 11 framework.
[00:06:09] This initiative aims to create a unified system for scheduling and managing updates across devices, addressing user concerns about fragmented update experiences. Currently in private preview, the platform enables developers to register custom update logic through Windows Runtime APIs and PowerShell, facilitating intelligent scheduling based on user activity and system performance. Microsoft emphasizes that all update actions will be logged for streamlined troubleshooting.
[00:06:35] In addition, the company has launched Windows Backup for organizations designed to assist in backing up and restoring Windows devices, which could simplify the transition from Windows 10 to Windows 11 as the former approaches its end-of-life date in October 2025. Organizations must meet specific requirements to participate in the backup program, ensuring that the migration process is as smooth as possible. The end result? Microsoft is expanding Windows Update to handle updates for third-party applications.
[00:07:02] Angie Chen, a product manager at Microsoft, stated that the goal is to support any update to be orchestrated with Windows updates. Why do we care? This is the biggest change to patch management infrastructure in over a decade. Microsoft is quietly asserting control over the entire software update lifecycle across Windows 11 environments, not just for OS patches, but for third-party applications as well.
[00:07:26] If you're in IT services, this directly impacts your stack, your workflows, and possibly your entire patching solution architecture. The new Windows Update Orchestration Platform puts Microsoft in the position of being the central scheduler, validator, and logger for all software updates on Windows devices. This could fundamentally shift how managed service providers, RMM vendors, and security teams approach patching.
[00:07:50] Until now, patching third-party apps was fragmented: some via vendor updates, others through RMM scripting, or solutions like Chocolatey, Ninite, or PatchMyPC. With this platform, Microsoft is offering a unified update orchestration API, allowing developers to plug in custom update logic that respects system load, user activity, and admin scheduling. Patch management has long been one of the core value propositions for RMM tools.
[00:08:15] If Windows Update can handle third-party apps natively, the need for separate patching platforms shrinks, especially in Microsoft-only environments. This threatens commoditized patching features and raises the bar for RMMs to justify their place beyond, we update stuff. Microsoft is modernizing update management at its foundation, and bringing third-party apps under that umbrella. This could marginalize those standalone patch management offerings, reduce scripting chaos, and enhance security and reliability.
[00:08:44] But it also centralizes control in Microsoft's hands, which requires a new level of vigilance for providers to maintain flexibility, transparency, and client value. And two I wanted to include to provide some practical guidance. In a recent article on ChannelE2E, Pedro Ferreira emphasizes the critical need for governance in artificial intelligence implementations within organizations.
[00:09:08] As companies increasingly adopt AI technologies, including generative tools and large language models, they face heightened risks related to data security and compliance. The article outlines a nine-step framework for effective AI governance, highlighting the importance of discovering and classifying data, enforcing governance policies, and ensuring regulatory compliance across multiple evolving standards.
[00:09:29] Research shows that without robust governance, organizations risk exposing sensitive data and violating regulations such as the Health Insurance Portability and Accountability Act and the General Data Protection Regulation. The framework encourages continuous improvement and collaboration across various departments to safeguard data integrity and accountability in AI applications.
[00:09:51] And in a recent article from The New Stack, Jiao Yu Dell discusses the emergence of the Model Context Protocol, or MCP, as a transformative tool for enhancing the interaction between users and documentation and software development. The MCP has been likened to Really Simple Syndication, or RSS, due to its straightforward implementation and potential for rapid adoption.
[00:10:12] The article highlights how the MCP server facilitates improved access to documentation by allowing users to engage directly with content through a structured query system. This interaction not only aids in the immediate retrieval of information, but also helps identify gaps in documentation that can be addressed, thus enhancing overall productivity. With the increasing reliance on large language models for interpreting documentation, the MCP represents a significant step forward in making software resources more accessible and user-friendly.
[00:10:43] Why do we care? Because both stories offer practical, implementation-level guidance that IT service providers can act on today, especially those helping clients adopt AI or improve developer workflows. In the midst of a flood of aspirational AI talk, these two pieces stood out by focusing on execution frameworks and standards-based solutions that could drive real, repeatable value. Thanks for listening.
[00:11:07] Today is National Biscuit Day, National Coq au Vin Day, and National Alligator Day. See you later, alligator. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too.
[00:11:33] If you want to support the show, visit patreon.com/mspradio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video, to question@mspradio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn.
[00:11:59] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit mspradio.com/engage. Once again, thanks for listening and I will talk to you again on our next episode. Part of the MSP Radio Network.