Antoinette Hodes, Evangelist & Global Solution Architect | Office of the CTO at Check Point Software highlights the growing risk of cyberattacks targeting edge devices such as routers, firewalls, and VPN appliances — infrastructure that is increasingly being exploited by both cybercriminals and state-sponsored actors. She also provides insights into how threat actors are evolving their tactics and why edge security should now be a top priority for organizations.
The strategy of exploiting edge devices, originally used by state-sponsored actors for covert infiltration, has now been adopted by financially motivated cyber criminals at an accelerating pace. Routers, firewalls, and VPN appliances are especially attractive to attackers because they are typically far less protected than other parts of the network. These devices are commonly repurposed into Operational Relay Boxes (ORBs), infrastructure that cyber criminals use to anonymize and relay their communications. The rise of ORBs adds a new layer of complexity and opportunity: these intelligent gateways act as both control points and communication bridges between operational technology (OT) and IT networks. While ORBs enhance edge intelligence and real-time decision-making, they also become critical choke points. A compromised ORB could act as a launchpad for lateral movement, data exfiltration, or even operational sabotage.
By compromising these devices, attackers can establish covert communication channels that evade detection, enabling them to push further into networks. Over the past year, both cyber criminals and state-sponsored actors have dramatically increased their focus on edge devices as an initial access vector. The issue has become so severe that Check Point Research named the security risks arising from edge devices as one of five significant cyber security trends to monitor this year.
Why Edge Devices are Now Being Targeted
Edge devices have become a more attractive target for cyber attacks because they play a critical role in a network’s flow, making them difficult to patch without causing very noticeable operational disruptions. Vulnerabilities found in devices like Ivanti Connect Secure and Palo Alto Networks’ PAN-OS GlobalProtect in early 2024 allowed attackers to exploit remote code execution flaws and bypass multi-factor authentication. Both state-sponsored actors and ransomware groups took advantage of these vulnerabilities to compromise corporate networks and gain access to sensitive environments. And because patching these devices often leads to service downtime, potentially impeding business operations, organizations must balance the need to secure their systems with the risk of disrupting vital services.
The exploitation of these edge devices isn’t limited to zero-day vulnerabilities. Magnet Goblin, which emerged in 2024, focuses on exploiting newly disclosed vulnerabilities in popular edge devices like Ivanti Connect Secure VPNs. The group leverages tools like NerbianRAT, a cross-platform remote access Trojan (RAT), to gain access to networks and deploy custom malware. Magnet Goblin’s swift exploitation of vulnerabilities in widely used devices highlights a concerning trend: cyber criminals are increasingly targeting critical infrastructure components to reach sensitive data.
There is also the risk posed by the “smart” edge, where ORBs not only aggregate and preprocess telemetry but also enforce policy, orchestrate workflows, and bridge the gap between OT and IT. Yet this very intelligence makes ORBs irresistible targets: a single compromised relay box could allow adversaries to silently manipulate sensor readings, disrupt critical processes, or pivot into core networks, all under the guise of routine edge communications. As we hurry to tap into IoT’s data and automation, we need to face one clear fact: our smart edge devices are only as safe as the relay points we set up, and the next wave of cyber threats is already hiding around the edges of our connected world.
The Continued Role of State-Sponsored Attacks
While financially motivated actors are rapidly exploiting edge devices, state-sponsored threat groups are also targeting these vulnerabilities, and they do so with a high level of sophistication. Cisco’s Adaptive Security Appliances (ASA) were targeted in a campaign known as ArcaneDoor. This operation, executed by nation-state actors, exploited weaknesses in ASA devices, allowing the attackers to infiltrate government and industrial networks. Once inside, they could exfiltrate sensitive data and establish long-term espionage capabilities, all while maintaining a covert presence.
Another notable campaign, codenamed Pacific Rim, points to China-based threat actors’ ongoing efforts to target perimeter devices, including Sophos firewalls and VPN gateways. The operation, which leveraged vulnerabilities in internet-facing services like CVE-2020-12271 and CVE-2022-1040, granted attackers access to critical network points. Once compromised, these devices were integrated into a covert ORB network, supporting command-and-control (C2) channels that could evade detection. The attackers employed advanced tactics such as rootkits and obfuscated hotfixes to maintain persistence and conceal their activities, enabling them to pivot from edge devices to other internal network assets.
Pacific Rim’s multi-year effort underlines the security risks posed by edge devices, especially in sectors where timely patching and comprehensive monitoring can be challenging. Underestimating the risks associated with unsecured perimeter devices can come with steep consequences.
The Threat of Botnets and DDoS Attacks
While sophisticated backdoors and custom implants dominate discussions around edge device exploitation, more traditional threats remain prevalent. In September 2024, Cloudflare mitigated what was described as the largest DDoS attack in history. The attack, originating from compromised edge devices like MikroTik routers, DVRs, and web servers, involved an extraordinarily high packet rate. Many of these compromised devices were likely exploited using critical vulnerabilities, with ASUS home routers accounting for a large portion of the attack. This campaign, which has not been attributed to any specific state-sponsored actor or cybercriminal group, demonstrates the scale and impact that compromised edge devices can have.
In 2024, botnets created from unsecured and vulnerable edge devices became indispensable tools for advanced threat actors. These botnets, like Raptor Train and Faceless, use decentralized C2 infrastructures that dynamically rotate between compromised devices. This ability to switch nodes and evade detection allows attackers to remain undetected for extended periods while maintaining persistent access to critical systems. Some malware, such as TheMoon, employs advanced evasion tactics like in-memory-only execution and frequent IP switching, making it even more difficult for defenders to track and mitigate.
Protect Your Edge (Devices)
Edge devices are no longer a minor part of the network. As attacks become more frequent and disruptive, we’re seeing edge device vulnerabilities as a key focal point for attackers seeking entry into corporate environments. As threat actors evolve their tactics and tools, the need for robust security practices around edge devices has become more critical than ever. Businesses must act quickly to secure their networks by closing the gaps in edge device security, ensuring these devices are properly secured through strong authentication methods, routine vulnerability scanning, and timely patch management.
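One way to turn the last two of those practices, routine vulnerability scanning and timely patch management, into a repeatable check is a small patch-compliance pass over an asset inventory. The script below is an added example written for this article, not code from Check Point or from any vendor it names: it compares each edge device's reported firmware against a minimum fixed version, flags missing MFA, and raises the priority of anything that is internet-facing. The product names, firmware versions and the device inventory are all constructed placeholders; in practice the fix baseline would come from the vendor advisories for the appliances you actually run.

```python
"""Patch-compliance check for an inventory of edge devices (added example).

All product names, version numbers and devices below are constructed
placeholders, not real vendor data. The point is the comparison logic:
versions must be compared numerically, since as plain strings
"7.14.10" sorts before "7.14.2" and would be wrongly reported as patched.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class EdgeDevice:
    name: str             # hostname in the inventory
    product: str          # placeholder product family, e.g. "ExampleVPN"
    firmware: str         # version string as reported by the device
    internet_facing: bool # management or service interface reachable from the internet
    mfa_enabled: bool     # MFA enforced for administrative / remote-access logins


# Constructed table: product -> lowest firmware version that contains the fix.
MIN_FIXED_VERSION = {
    "ExampleVPN": "22.3.1",
    "ExampleFW": "10.2.7",
    "ExampleRouter": "7.14.2",
}


def parse_version(version: str) -> tuple:
    """Turn '22.3.1-r2' into (22, 3, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_patched(product: str, firmware: str):
    """True/False against the fix baseline, or None if the product is unknown."""
    floor = MIN_FIXED_VERSION.get(product)
    if floor is None:
        return None  # no baseline: cannot judge, must be reported separately
    return parse_version(firmware) >= parse_version(floor)


def assess(devices):
    """Return {device name: [issue, ...]}; an empty list means no findings."""
    findings = {}
    for dev in devices:
        issues = []
        patched = is_patched(dev.product, dev.firmware)
        if patched is None:
            issues.append("no fix baseline known for product")
        elif not patched:
            issues.append(
                f"firmware {dev.firmware} below fixed {MIN_FIXED_VERSION[dev.product]}"
            )
        if not dev.mfa_enabled:
            issues.append("MFA not enforced")
        # Anything exposed to the internet with an open finding goes to the top.
        if dev.internet_facing and issues:
            issues.append("internet-facing: prioritize")
        findings[dev.name] = issues
    return findings


# Constructed sample inventory.
SAMPLE_DEVICES = [
    EdgeDevice("vpn-hq", "ExampleVPN", "22.2.9", internet_facing=True, mfa_enabled=True),
    EdgeDevice("fw-dc1", "ExampleFW", "10.2.7", internet_facing=True, mfa_enabled=False),
    EdgeDevice("rtr-branch", "ExampleRouter", "7.14.10", internet_facing=False, mfa_enabled=True),
    EdgeDevice("cam-gw", "ExampleCamera", "1.0", internet_facing=False, mfa_enabled=True),
]


if __name__ == "__main__":
    for name, issues in assess(SAMPLE_DEVICES).items():
        status = "; ".join(issues) if issues else "ok"
        print(f"{name}: {status}")
```

The unknown-product case is deliberately reported rather than silently treated as compliant: an appliance with no fix baseline in the table is exactly the kind of device that falls out of the patch cycle, and the inventory gap is itself a finding.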
To learn more about cloud security risks and other major cyber security trends for 2025, download the full 2025 State of Cyber Security Report.