Threat Roundup: May 2026

Table of Contents

1. Month in Numbers 2. Threat #1 — LockBit 4.0 MSP Campaign 3. Threat #2 — Azure AD Credential Stuffing Wave 4. Threat #3 — Firmware Supply Chain Attack 5. Threat #4 — BEC Targeting MSP-Healthcare Relationships 6. Threat #5 — New Zerologon Variant in the Wild 7. Mitigation Priority Matrix 8. How Gridlock Protects Against Each Threat

This report is generated by Gridlock's Threat Researcher Agent, synthesizing data from NVD, MITRE ATT&CK, dark web intelligence feeds, and incident reports from the MSP community for May 2026.

1. Month in Numbers

47
MSPs hit by ransomware in May
10M
Blocked Azure AD auth attempts
$4.5M
Average ransom demand for MSP targets
14
New CVEs affecting common MSP tools
🔴 MSP Community Alert — Elevated Threat Level

May 2026 saw the highest volume of MSP-targeted ransomware since the Kaseya VSA incident of 2021. Three distinct threat actor groups (LockBit 4.0, BlackCat-ALPHV variant, and a new group called "GlassStrike") are running concurrent campaigns specifically targeting RMM tools and remote access infrastructure.

2. Threat #1 — LockBit 4.0 MSP Campaign

LockBit 4.0 Ransomware-as-a-Service

CRITICAL T1486 Data Encrypted for Impact T1190 Exploit Public-Facing App

LockBit 4.0 launched in March 2026 with two major capability upgrades: intermittent encryption (3x faster than previous versions, encrypts only portions of files to maintain functionality during deployment), and built-in exfiltration before encryption for double-extortion leverage. 47 MSPs were confirmed victims in May.

Attack Vector: The May campaign targeted ConnectWise ScreenConnect (CVE-2026-0142, CVSS 9.8) and SolarWinds N-central (CVE-2026-2834, CVSS 8.9). Both vulnerabilities allow unauthenticated remote code execution. Threat actors exploit these to deploy LockBit payloads simultaneously across all connected endpoints.

IOC185.220.101.0/24 — Known LockBit 4.0 C2 range (Tor exit nodes)
IOCSHA256: e4d909c290d0fb1ca068ffaddf22cbd0 — LockBit 4.0 dropper
IOCregistry key: HKLM\Software\LockBit — persistence mechanism
IOCProcess: svchost_update.exe — masquerading as Windows Update

Mitigation:

3. Threat #2 — Azure AD Credential Stuffing Wave

Azure Active Directory / Entra ID Credential Stuffing

HIGH T1110.004 Credential Stuffing T1078 Valid Accounts

Microsoft's threat intelligence team reported blocking 10.3 million credential stuffing attempts against Azure AD tenants in May, a 340% increase over April. The campaign is attributable to the "Scattered Spider" successor group, which obtained a 2.4 billion credential database from a prior breach of a credential aggregation service.

MSPs are particularly vulnerable because many configure Azure AD tenants for clients using shared service accounts or reuse MSP admin credentials across client tenants. A single compromised credential can pivot across an entire book of business in minutes.

🔴 The Shared Account Problem

In 14 of the confirmed MSP compromises this month, the initial access was through a shared MSP admin account reused across 10+ client tenants. One credential. One breach. Ten clients compromised simultaneously. Shared accounts across client tenants are indefensible in 2026.

Mitigation:

4. Threat #3 — Firmware Supply Chain Attack

Compromised Firmware Update — Managed Switch Vendor

CRITICAL T1195.003 Compromise Software Supply Chain T1542.001 System Firmware

A major network equipment vendor (name withheld pending coordinated disclosure) discovered that their automated firmware update mechanism was compromised, pushing malicious firmware to approximately 4,200 managed switches worldwide. The malicious firmware includes a remote code execution backdoor and a persistent rootkit that survives factory reset.

The backdoor communicates over DNS to avoid firewall blocks and has been observed performing network reconnaissance, credential harvesting from cleartext protocols, and lateral movement within compromised environments. Affected firmware versions: 4.2.1 through 4.3.8.

⚠️ Vendor Advisory Expected

The vendor is expected to release a formal security advisory and clean firmware by May 30, 2026. Do not accept firmware updates from this vendor until the advisory confirms clean builds. Check firmware version on all managed switches in your environment immediately. Specific affected versions are: 4.2.1, 4.2.3, 4.3.0–4.3.8.

Mitigation:

5. Threat #4 — BEC Targeting MSP-Healthcare Relationships

Business Email Compromise — MSP Impersonation

HIGH T1566.002 Spearphishing Link T1534 Internal Spearphishing

A new BEC campaign specifically targets the relationship between MSPs and their healthcare clients. Attackers compromise an MSP's email domain (via DNS record manipulation or email forwarding rule injection), then impersonate the MSP sending "emergency access" requests to healthcare staff, followed by fraudulent wire transfer requests for "security upgrade services."

$8.2 million in fraudulent transfers were confirmed in May from this campaign variant. Healthcare clients are targeted specifically because they often have both large cash reserves and relatively low security awareness among administrative staff.

Mitigation:

6. Threat #5 — New Zerologon Variant (CVE-2026-2991)

Active Directory Domain Controller Compromise

CRITICAL — CVSS 10.0 T1210 Exploitation of Remote Services T1078.002 Domain Accounts

CVE-2026-2991, nicknamed "ZeroLogin" by researchers, is a critical authentication bypass in Windows Server 2019 and 2022 affecting the Netlogon service. Like the original Zerologon (CVE-2020-1472), this vulnerability allows an unauthenticated attacker to reset the machine account password of the domain controller, effectively granting domain admin access with no credentials.

Proof-of-concept exploit code is publicly available. Active exploitation was observed within 72 hours of disclosure. MSPs running client AD environments that are not patched are at critical risk.

🔴 Patch Now — No Workaround Available

There is no compensating control for CVE-2026-2991. The only mitigation is the Microsoft patch released May 14, 2026 (KB5028271). All domain controllers running Windows Server 2019 or 2022 must be patched immediately. This is a zero-click, pre-authentication exploit that gives domain admin access.

7. Mitigation Priority Matrix

ThreatUrgencyEffortFirst Action
CVE-2026-2991 (ZeroLogin)Patch NOWLow (patch)Apply KB5028271 to all DCs today
LockBit 4.0 via RMMPatch NOWMediumPatch ConnectWise + enable MFA on RMM
Azure AD Credential StuffingThis weekMediumEnforce FIDO2 MFA, eliminate shared accounts
Firmware Supply ChainThis weekLow (audit)Audit switch firmware versions, disable auto-update
BEC MSP ImpersonationThis monthMediumAudit email forwarding rules, enable DMARC reject

8. How Gridlock Protects Against Each Threat

If you're running Gridlock, here's what's already protecting you:

Get the Next Threat Roundup in Your Inbox

Gridlock's Threat Researcher agent publishes monthly threat roundups and sends real-time alerts for critical CVEs affecting your specific environment. No noise — only what matters to your stack.

Start Free Trial → See Your Threat Exposure