This report is generated by Gridlock's Threat Researcher Agent, synthesizing data from NVD, MITRE ATT&CK, dark web intelligence feeds, and incident reports from the MSP community for May 2026.
1. Month in Numbers
May 2026 saw the highest volume of MSP-targeted ransomware since the Kaseya VSA incident of 2021. Three distinct threat actor groups (LockBit 4.0, BlackCat-ALPHV variant, and a new group called "GlassStrike") are running concurrent campaigns specifically targeting RMM tools and remote access infrastructure.
2. Threat #1 — LockBit 4.0 MSP Campaign
LockBit 4.0 Ransomware-as-a-Service
LockBit 4.0 launched in March 2026 with two major capability upgrades: intermittent encryption (3x faster than previous versions, encrypts only portions of files to maintain functionality during deployment), and built-in exfiltration before encryption for double-extortion leverage. 47 MSPs were confirmed victims in May.
Attack Vector: The May campaign targeted ConnectWise ScreenConnect (CVE-2026-0142, CVSS 9.8) and SolarWinds N-central (CVE-2026-2834, CVSS 8.9). Both vulnerabilities allow unauthenticated remote code execution. Threat actors exploit these to deploy LockBit payloads simultaneously across all connected endpoints.
Mitigation:
- Patch ConnectWise ScreenConnect to version 24.2.2+ immediately (critical)
- Patch SolarWinds N-central to version 2024.2.1+ (critical)
- Enable MFA on all RMM admin portals — credential theft is the primary initial access vector
- Implement IP allowlisting on RMM management interfaces where possible
- Verify immutable backup integrity — LockBit 4.0 specifically targets and deletes shadow copies and backup catalogs
3. Threat #2 — Azure AD Credential Stuffing Wave
Azure Active Directory / Entra ID Credential Stuffing
Microsoft's threat intelligence team reported blocking 10.3 million credential stuffing attempts against Azure AD tenants in May, a 340% increase over April. The campaign is attributable to the "Scattered Spider" successor group, which obtained a 2.4 billion credential database from a prior breach of a credential aggregation service.
MSPs are particularly vulnerable because many configure Azure AD tenants for clients using shared service accounts or reuse MSP admin credentials across client tenants. A single compromised credential can pivot across an entire book of business in minutes.
In 14 of the confirmed MSP compromises this month, the initial access was through a shared MSP admin account reused across 10+ client tenants. One credential. One breach. Ten clients compromised simultaneously. Shared accounts across client tenants are indefensible in 2026.
Mitigation:
- Enforce phishing-resistant MFA (FIDO2 hardware keys or Windows Hello) on all Azure AD admin accounts — SMS-based MFA is bypassed by these campaigns
- Enable Conditional Access with named location policies — block authentication from unexpected countries
- Audit and rotate all shared credentials immediately; move to unique per-client credentials
- Enable Azure AD Identity Protection with risk-based Conditional Access policies
- Monitor for impossible travel alerts and simultaneous multi-country sign-ins
4. Threat #3 — Firmware Supply Chain Attack
Compromised Firmware Update — Managed Switch Vendor
A major network equipment vendor (name withheld pending coordinated disclosure) discovered that their automated firmware update mechanism was compromised, pushing malicious firmware to approximately 4,200 managed switches worldwide. The malicious firmware includes a remote code execution backdoor and a persistent rootkit that survives factory reset.
The backdoor communicates over DNS to avoid firewall blocks and has been observed performing network reconnaissance, credential harvesting from cleartext protocols, and lateral movement within compromised environments. Affected firmware versions: 4.2.1 through 4.3.8.
The vendor is expected to release a formal security advisory and clean firmware by May 30, 2026. Do not accept firmware updates from this vendor until the advisory confirms clean builds. Check firmware version on all managed switches in your environment immediately. Specific affected versions are: 4.2.1, 4.2.3, 4.3.0–4.3.8.
Mitigation:
- Immediately audit firmware versions on all managed switches in your environment
- Disable automatic firmware updates until vendor confirms clean build
- Verify firmware integrity via vendor-provided checksums before any installation
- Implement DNS-based egress filtering to detect C2 callback attempts
- If compromised firmware is suspected, physically replace the device — rootkit survives factory reset
5. Threat #4 — BEC Targeting MSP-Healthcare Relationships
Business Email Compromise — MSP Impersonation
A new BEC campaign specifically targets the relationship between MSPs and their healthcare clients. Attackers compromise an MSP's email domain (via DNS record manipulation or email forwarding rule injection), then impersonate the MSP sending "emergency access" requests to healthcare staff, followed by fraudulent wire transfer requests for "security upgrade services."
$8.2 million in fraudulent transfers were confirmed in May from this campaign variant. Healthcare clients are targeted specifically because they often have both large cash reserves and relatively low security awareness among administrative staff.
Mitigation:
- Audit email forwarding rules in all client email systems — attackers inject rules that silently copy emails to attacker-controlled addresses
- Verify DMARC/DKIM/SPF records are properly configured and enforce DMARC policy "reject" for your MSP domain
- Establish out-of-band verification procedures for any wire transfer or access request — a phone call to a known number, not a number in the email
- Train healthcare client staff to verify MSP requests via the service portal, never via email alone
6. Threat #5 — New Zerologon Variant (CVE-2026-2991)
Active Directory Domain Controller Compromise
CVE-2026-2991, nicknamed "ZeroLogin" by researchers, is a critical authentication bypass in Windows Server 2019 and 2022 affecting the Netlogon service. Like the original Zerologon (CVE-2020-1472), this vulnerability allows an unauthenticated attacker to reset the machine account password of the domain controller, effectively granting domain admin access with no credentials.
Proof-of-concept exploit code is publicly available. Active exploitation was observed within 72 hours of disclosure. MSPs running client AD environments that are not patched are at critical risk.
There is no compensating control for CVE-2026-2991. The only mitigation is the Microsoft patch released May 14, 2026 (KB5028271). All domain controllers running Windows Server 2019 or 2022 must be patched immediately. This is a zero-click, pre-authentication exploit that gives domain admin access.
7. Mitigation Priority Matrix
| Threat | Urgency | Effort | First Action |
|---|---|---|---|
| CVE-2026-2991 (ZeroLogin) | Patch NOW | Low (patch) | Apply KB5028271 to all DCs today |
| LockBit 4.0 via RMM | Patch NOW | Medium | Patch ConnectWise + enable MFA on RMM |
| Azure AD Credential Stuffing | This week | Medium | Enforce FIDO2 MFA, eliminate shared accounts |
| Firmware Supply Chain | This week | Low (audit) | Audit switch firmware versions, disable auto-update |
| BEC MSP Impersonation | This month | Medium | Audit email forwarding rules, enable DMARC reject |
8. How Gridlock Protects Against Each Threat
If you're running Gridlock, here's what's already protecting you:
- LockBit 4.0 / RaaS: Threat Researcher agent monitors your installed software against the CVE database daily. Both ConnectWise and SolarWinds CVEs were added to the watchlist within 2 hours of NVD publication. DNS blocking prevents LockBit C2 callbacks. Backup integrity monitoring detects shadow copy deletion attempts.
- Azure AD Credential Stuffing: Behavioral analysis detects impossible travel, bulk authentication failures, and new country sign-ins. Auto-generated alerts with specific remediation steps are created when anomalous patterns are detected.
- Firmware Supply Chain: Network anomaly detection flags unusual egress traffic patterns from network devices. DNS monitoring catches C2 callback attempts over DNS.
- BEC: Email forwarding rule audit is included in the monthly security review workflow. DMARC/DKIM/SPF verification is part of the onboarding checklist.
- CVE-2026-2991: Added to the vulnerability watchlist on May 14, 2026. All Gridlock customers with affected Windows Server versions received an automated alert with the KB number and patch instructions within 4 hours of NVD publication.
Get the Next Threat Roundup in Your Inbox
Gridlock's Threat Researcher agent publishes monthly threat roundups and sends real-time alerts for critical CVEs affecting your specific environment. No noise — only what matters to your stack.
Start Free Trial → See Your Threat Exposure