
Edge devices (routers, firewalls, VPN gateways) have become priority targets for cybercriminals. What was previously a tactic of state actors for covert infiltration is today also the territory of criminal groups seeking financial gain. In a context where connectivity is key to business operations, these devices, frequently underestimated, represent a critical and often unprotected entry point.
Their appeal is that they usually have weaker security controls than other parts of the system. In addition, it is difficult to apply patches or updates without causing visible service interruptions, which often delays maintenance. This makes them an ideal target for targeted attacks.
One of the most worrying tactics is the creation of Operational Relay Boxes (ORBs): compromised edge devices reused by attackers as anonymization and communication infrastructure. These smart gateways act as bridges between operational technology (OT) networks and IT environments, playing a key role in industrial automation. However, they also represent critical control points: a compromised ORB can be used to move laterally through the network, exfiltrate sensitive information or even sabotage processes.
The new weak point of networks
Over the last year there has been a clear increase in the exploitation of vulnerabilities in this type of device. Cases such as Ivanti Connect Secure and PAN-OS GlobalProtect, which had flaws allowing remote code execution and bypass of multifactor authentication, have been exploited both by ransomware groups and by state actors. The dilemma for companies is clear: patching implies operational risk, but not patching implies direct exposure.
Beyond the well-known exploits, groups such as Magnet Goblin, detected in 2024, specialize in exploiting newly published vulnerabilities in widely used edge devices, such as Ivanti VPN appliances. This group uses tools like NerbianRAT, a cross-platform remote access Trojan, to infiltrate networks and deploy custom malware. Its ability to act quickly after a vulnerability is published shows a shift in strategy among cybercriminals, who are increasingly focused on critical infrastructure components.
Edge devices have become priority targets for cybercriminals: what was previously a tactic of state actors for covert infiltration is today also the territory of criminal groups seeking financial gain.
“Intelligent” ORBs, with the capacity to apply policies, orchestrate workflows or preprocess data, are even more attractive. Their central role gives them full visibility of the traffic flowing between systems. If they fall into the wrong hands, attackers can manipulate sensor readings, alter key processes or pivot toward the core of the network, all without being detected.
This trend is not limited to organized crime. State-sponsored groups continue to operate with a high level of sophistication. The ArcaneDoor campaign, aimed at Cisco ASA devices, allowed its attackers to infiltrate government and industrial networks for the purpose of prolonged espionage. Similarly, Pacific Rim, attributed to Chinese actors, exploited flaws in Sophos firewalls to build covert ORB networks capable of maintaining command-and-control (C2) channels that went undetected for long periods. Techniques such as rootkits and fake updates allowed them to keep access without raising alerts.
Meanwhile, more traditional threats such as DDoS attacks remain active. In 2024, Cloudflare mitigated the largest denial-of-service attack on record, launched from thousands of compromised edge devices (MikroTik routers, web servers, DVRs, etc.). Many of them were compromised because basic patches had not been applied. Botnets such as Raptor Train or Faceless use decentralized C2 infrastructure that moves between compromised devices to avoid detection, allowing them to maintain access to critical networks for weeks or even months. Some malware, such as TheMoon, uses advanced evasion techniques, running only in memory and constantly changing IP address.
In this new scenario, edge devices are no longer a secondary component. As attacks increase, the need to protect these entry points is urgent. Organizations must take immediate measures: strengthen authentication, apply network segmentation, perform continuous vulnerability analysis and manage patches without delay. Ignoring security at the edge can open the door to attacks that reach the heart of the business.
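As an added example (not from the original article, and describing no real product or advisory), the following Python script shows one way to turn "continuous vulnerability analysis" and "patch management without delay" into a repeatable check: it compares an edge-device inventory against a list of vendor advisories and reports how long each unpatched device has been exposed since the advisory was published, ranking advisories already exploited in the wild first and flagging devices that have exceeded a patch SLA. Product names, versions, advisory identifiers, hostnames and SLA values are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample data: product names, versions, hostnames and advisory
# ids are placeholders invented for this example, not real advisories.


def parse_version(v: str) -> tuple:
    """Reduce a vendor version string to a tuple of ints for comparison.

    '22.7R2.3' -> (22, 7, 2, 3); '10.2.9-h1' -> (10, 2, 9, 1).
    Adequate for common numeric schemes; vendors with letter-based or
    build-tag ordering would need their own comparator.
    """
    return tuple(int(n) for n in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE/advisory
    product: str
    fixed_version: str      # first version that carries the fix
    published: date
    exploited_in_wild: bool


@dataclass(frozen=True)
class Device:
    hostname: str
    product: str
    version: str
    role: str               # "vpn", "firewall", "router", ...


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory_id: str
    days_exposed: int       # days since the advisory was published
    tag: str                # "CRITICAL" if exploited in the wild, else "HIGH"


INVENTORY = [
    Device("vpn-edge-01", "ExampleVPN", "22.7R2.2", "vpn"),
    Device("vpn-edge-02", "ExampleVPN", "22.7R2.3", "vpn"),
    Device("fw-dc-01", "ExampleFW", "10.2.8", "firewall"),
    Device("rtr-branch-07", "ExampleRouter", "7.14.1", "router"),
]

ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "ExampleVPN", "22.7R2.3", date(2024, 1, 10), True),
    Advisory("ADV-PLACEHOLDER-002", "ExampleFW", "10.2.9", date(2024, 4, 12), True),
    Advisory("ADV-PLACEHOLDER-003", "ExampleRouter", "7.15.0", date(2024, 6, 1), False),
]

REPORT_DATE = date(2024, 7, 1)   # fixed "today" so the run is reproducible

# Assumed patch SLA for this example: 7 days when an exploit is already in
# use, 30 days otherwise.
DEFAULT_SLA_DAYS = {"CRITICAL": 7, "HIGH": 30}


def exposure_report(devices, advisories, today):
    """List every device running a version below an advisory's fixed version.

    Results are ordered with exploited-in-the-wild advisories first and,
    within each tag, longest exposure first.
    """
    findings = []
    for d in devices:
        for a in advisories:
            if a.product != d.product:
                continue
            if parse_version(d.version) >= parse_version(a.fixed_version):
                continue  # already patched
            tag = "CRITICAL" if a.exploited_in_wild else "HIGH"
            findings.append(Finding(d.hostname, a.advisory_id,
                                    (today - a.published).days, tag))
    findings.sort(key=lambda f: (f.tag != "CRITICAL", -f.days_exposed))
    return findings


def overdue(findings, sla_days=None):
    """Return the findings whose exposure exceeds the SLA for their tag."""
    sla_days = sla_days or DEFAULT_SLA_DAYS
    return [f for f in findings if f.days_exposed > sla_days[f.tag]]


if __name__ == "__main__":
    report = exposure_report(INVENTORY, ADVISORIES, REPORT_DATE)
    for f in report:
        late = " (OVERDUE)" if f in overdue(report) else ""
        print(f"{f.tag:8} {f.hostname:14} {f.advisory_id} "
              f"exposed {f.days_exposed} days{late}")
```

The version comparison is deliberately simple; in practice the inventory would come from the device management API or a CMDB export, and the advisory list from the vendor's feed, but the core question the script answers is the same one the article raises: how many days has this entry point been exposed to a known, possibly already exploited, flaw.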
