
The New Frontline: Why MSPs and IT Teams Became Prime Targets in 2025

December 25, 2025

Written by: Rob Stevenson, Founder

Based on insights from the Acronis Cyberthreats Report, H1 2025, reviewed by BackupVault.
 

Introduction: The 2:13 AM Wake-Up Call

 
It always seems to happen in the early hours.

At 2:13 AM, the alerts began. Backup jobs suddenly stopped running. A surge of remote commands appeared across three business units. The source? Not an unknown IP address. Not a brute-force attempt.

It was a valid RMM (Remote Monitoring and Management) login, authenticated with a legitimate admin token.

Except the admin was asleep.

This scenario has unfolded across hundreds of organisations this year. The unfortunate truth? Attackers no longer break in; they log in. The tools that keep IT running have become the same tools criminals weaponise.
 


 

Chapter 1: Why MSPs and IT Departments Became High-Value Targets

 

1. You hold the keys to the kingdom

Cybercriminals no longer aim to compromise a single device. They want access to:

  • Administrative rights, the highest-level permissions, essentially serving as “master keys” for systems.
  • RMM control, the software used to remotely manage and fix computers.
  • Patch management access, the systems responsible for installing updates and security fixes.
  • Privileged pathways across the supply chain, the trusted connections between businesses that can be abused.

MSPs and IT teams manage all of these, making them a gateway into multiple organisations.

2. One breach gives attackers widespread reach

A single MSP breach can provide visibility across:

  • Dozens of client networks
  • Hundreds of servers
  • Thousands of endpoints

Attackers are now targeting trust networks, not just companies.

3. Operational tools have become the weakest link

Acronis identified 51 RMM (Remote Monitoring and Management) tools abused by criminals in 2025, including:

  • TeamViewer
  • ConnectWise ScreenConnect
  • Splashtop
  • Atera
  • SimpleHelp

These are powerful remote access tools used legitimately by IT teams, but the same power makes them ideal for attackers to move silently within a network.
 


 

Chapter 2: Real MSP Breaches Shaping the 2025 Threat Landscape

 

Case 1: Telefónica – When an Infostealer Opens the Door

The breach began with an infostealer infection, malware designed to steal passwords, tokens, and saved logins.

Redline and Lumma captured credentials for:

  • Jira
  • Office 365
  • Salesforce
  • Fortinet

Attackers then impersonated staff, escalated privileges, and extracted 2.3 GB of data.

Lesson:

If passwords are stolen, systems are already compromised.

Case 2: Virtual IT – The MSP as the Ransomware Catalyst

In February, the Qilin ransomware group breached Virtual IT in the US.

Probable chain of events:

  • Phishing
  • Credential theft
  • RMM abuse
  • Mass encryption

Client organisations suffered directly because their MSP was compromised.

Lesson:

Your MSP’s security now directly affects your own risk level.

Case 3: Asseco Poland – The Long-Fuse Attack

Months-old credentials stolen via the StealC infostealer allowed attackers to return silently.

Once inside, they escalated privileges, exfiltrated data, and deployed ransomware.

Lesson:

Infostealers plant long-term threats that can be activated at any time.

Chapter 3: The Attack Vectors Defining 2025

 

Phishing (52% of initial intrusions)

AI has made phishing more believable than ever, producing messages that are:

  • Precisely written
  • Brand accurate
  • Emotionally tailored
  • Multilingual
  • Regionally aware

Phishing emails are now starting to look authentic because they are built using realistic AI-generated context.

Unpatched vulnerabilities (27%)

Frequently exploited CVEs include:

  • Cleo MFT vulnerabilities
  • Cisco IOS XE issues
  • SimpleHelp RMM flaws

A CVE is a known security flaw requiring a patch. When systems remain unpatched, attackers can exploit them easily.

Valid account misuse (13%)

Attackers bypass MFA using techniques such as:

  • Session token replay, reusing a stolen active login session
  • Stolen refresh tokens, exploiting background tokens that keep users logged in
  • OAuth manipulation, tricking apps into granting excessive permissions
  • Infostealer logs, buying stolen login data online

Identity has effectively become the new security perimeter, and it is under attack.
 


 

Chapter 4: What IT Managers Must Prioritise Now

 

1. Patch and protect high-privilege entry points first

Focus on securing:

  • RMM tools
  • VPN appliances
  • Hypervisors
  • Identity systems

Not individual low-risk devices.

2. Upgrade beyond MFA

MFA is no longer enough.

Adopt:

  • FIDO2
  • Hardware security keys
  • PKI-based authentication

Attackers routinely bypass MFA through session hijacking.

3. Treat RMM tools as Tier Zero infrastructure

Implement:

  • Network segmentation
  • Strict script execution rules
  • Behaviour-led monitoring
  • Full audit logging

If attackers compromise the RMM, they effectively control everything.
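
An added example, not taken from the Acronis report or from BackupVault: behaviour-led monitoring applied to the opening scenario, where the login is valid but the activity is not. The event schema, working hours, burst window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical RMM audit schema (not any vendor's format):
# (timestamp, admin, session token id, action, business unit)
EVENTS = [
    ("2025-06-03T14:05:00", "alice", "tok-a1", "login", "-"),
    ("2025-06-03T14:07:00", "alice", "tok-a1", "remote_command", "unit-north"),
    ("2025-06-04T02:13:00", "alice", "tok-a1", "backup_job_disabled", "unit-north"),
    ("2025-06-04T02:14:00", "alice", "tok-a1", "remote_command", "unit-north"),
    ("2025-06-04T02:15:00", "alice", "tok-a1", "remote_command", "unit-south"),
    ("2025-06-04T02:16:00", "alice", "tok-a1", "remote_command", "unit-east"),
    ("2025-06-04T09:30:00", "bob", "tok-b7", "remote_command", "unit-south"),
]

WORK_HOURS = range(7, 20)        # assumed working hours (07:00-19:59, local time)
WINDOW = timedelta(minutes=15)   # assumed burst window
UNIT_THRESHOLD = 3               # distinct business units touched within the window


def detect(events):
    """Flag off-hours activity that is valid by credentials but abnormal by
    behaviour: backup tampering, or one session commanding many units at once."""
    alerts = []
    recent = defaultdict(list)   # token -> [(time, unit)] of off-hours commands
    burst_reported = set()       # tokens already alerted for a burst
    for ts, admin, token, action, unit in sorted(events):
        when = datetime.fromisoformat(ts)
        if when.hour in WORK_HOURS:
            continue             # in-hours activity is out of scope for this rule
        if action == "backup_job_disabled":
            alerts.append((ts, admin, "off-hours backup job disabled"))
        elif action == "remote_command":
            # Keep only commands still inside the sliding window, then add this one.
            recent[token] = [(t, u) for t, u in recent[token] if when - t <= WINDOW]
            recent[token].append((when, unit))
            units = {u for _, u in recent[token]}
            if len(units) >= UNIT_THRESHOLD and token not in burst_reported:
                burst_reported.add(token)
                alerts.append((ts, admin, f"off-hours commands across {len(units)} units"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither alert depends on a failed login or an unknown IP address, which is the point of the scenario: the rule keys on what the session does, not on whether it authenticated.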

4. Assume credentials have been compromised

Resilience requires:

  • Regular password and credential rotation
  • Token revocation
  • OAuth permission reviews
  • Conditional access rules

Identity trust must be continuously rebuilt.
 


 

Conclusion: The New Reality for IT Leaders

 
By 3:02 AM, the team in the opening scenario understood what had happened. Not malware. Not brute force. Not an exploit. A trusted tool, a trusted login, and an untrusted attacker.

This is the new frontline for IT leaders in 2025. The threat landscape is not just expanding; it is becoming harder to see.
 


 
BackupVault has reviewed the Acronis 2025 Cyberthreat Report, and the message is clear: organisations must harden their IT environments now, before becoming part of the 2025 victim list.

If you want to:

  • Strengthen backup and recovery
  • Reduce credential-based attack risks
  • Prevent RMM abuse
  • Improve resilience against modern cyberthreats

Contact BackupVault today. Our experts will help you protect your IT environment before attackers find a way in.