Defending the Edge: How VPNs, Firewalls & Routers Are Now Prime Targets
Edge devices are increasingly prime targets for both ransomware groups and nation-state threat actors. VPNs, firewalls, and remote access appliances are frequently exploited as initial entry vectors, with attackers taking advantage of unpatched vulnerabilities and weak configurations. Once compromised, these devices can be used to bypass traditional security controls, paving the way for disruptive campaigns that threaten critical infrastructure and disrupt business operations.
Recent Examples
| Event | Attack Vector | Objective |
|---|---|---|
| Akira Ransomware’s Edge Exploitation (2024–25) | Exploited VPN flaws (Cisco ASA CVE-2020-3259, CVE-2023-20269; SonicWall CVE-2024-40766) and absent MFA. |
Deploy double‑extortion ransomware: encrypt data and exfiltrate sensitive information. |
| Credential‑Stuffing on Palo Alto & SonicWall (Jan 2025) | Botnet of 2.8 M+ compromised routers/IoT devices brute‑forced exposed admin panels. | Harvest credentials, establish covert footholds for further operations. |
| UNC5221 Targets Ivanti Connect Secure (Feb–Mar 2025) | Triggered CVE-2025-22457 buffer overflow in the unauthenticated API of Ivanti Connect Secure VPN appliances. |
Install TRAILBLAZE / BRUSHFIRE malware for persistent long‑term espionage access. |
What are the challenges for organisations?
-
- Insecure Defaults
- Many appliances ship with default configuration that favours convenience over security: open ports, weak or hard‑coded credentials, and a lack of easy integration with existing multi‑factor authentication solutions.
-
- Cumbersome Patching
- Firmware or OS upgrades frequently require manual steps and scheduled downtime. High availability SLAs mean support teams defer patches, leaving critical CVEs exposed for extended periods of time.
-
- Vendor Diversity & Fragmented Management
- Enterprises often run dozens of makes and models each with bespoke consoles, firmware cycles, and configuration syntaxes, making it nearly impossible to enforce a unified security baseline.
-
- Network Segmentation Gaps
- Once threat actors have compromised edge devices, flat network topologies facilitate attackers to easily move laterally to other internal systems.
-
- Proprietary / Embedded Operating Systems
- Custom Operating Systems or closed‑source firmware does not support traditional endpoint controls and agents, reducing detection opportunities.
-
- Limited Logging & Forensic Visibility
- Sparse or siloed logs, often in proprietary formats, hinder real‑time detection and slow down incident response.
Recommendations
Based on real-world incidents and recurring issues I’ve observed, below are some practical steps I’d recommend orgnaisations consider:
- 1. Network Segmentation
-
- Restrict management interfaces to trusted networks.
-
- Implement Zero Trust network segmentation strictly limiting lateral movement between systems.
- 2. Asset and Vulnerability Management
-
- Prioritise patching for internet-facing devices and apply vendor hardening guides.
-
- Maintain an up-to-date inventory of all edge devices, including firmware and patch status.
- 3. Credential Security
-
- Enforce strong, unique passwords and implement multi-factor authentication (MFA) for all remote access points.
-
- Monitor for brute-force and credential-stuffing attempts.
- 4. Enhanced Monitoring
-
- Centralise and securely store logs from edge devices for anomaly detection and forensic analysis.
-
- Deploy behavioural based detections to identify unusual remote access tool usage, abnormal data flows and command execution.
What to Look for in Your Edge Device Logs
Enhanced monitoring requires knowing what to look for and to effectively detect threats, it’s essential to understand common indicators of malicious activity. Here are key signs to watch for when monitoring edge devices:
- 1. Unusual Authentication Events
-
- Repeated failed login attempts or brute‐force patterns against VPNs, firewalls, or management consoles (ideally, logins to management interfaces should be restricted to known internal IP addresses).
-
- Logins at anomalous times or from unexpected source IPs.
- 2. Unusual Command‐Line Execution
-
- Shell commands or scripts executed on the device that don’t match normal maintenance routines.
-
- Invocation of uncommon binaries.
- 3. Remote Administration Tool Activity
-
- Installation or execution of tools like AnyDesk, ScreenConnect, or other remote access clients on edge appliances.
- 4. Suspicious Outbound Connections
-
- Edge devices normally exhibit predictable traffic flows, as such monitoring connections to rare or previously unseen destinations.
-
- Traffic to known malicious IPs or domains.
- 5. Abnormal Data Transfer Volumes
-
- Spikes in upload/download throughput to the edge device that deviates from baselines.
- 6. Unauthorised Account & Configuration Changes
-
- Creation of new admin users or elevation of privileges.
-
- Unplanned configuration updates, rule changes, or policy modifications.
Edge devices are high-risk, high-impact components of network perimeters. Due to their critical role and high availability requirements, organisations are often reluctant to implement necessary changes or patches, leaving these devices frequently undermanaged, undermonitored and vulnerable.
To reduce the risk of compromise, organisations need to:
- Prioritise timely patching and secure configuration baselines
- Enforce strong access control and ensure that management interfaces are locked down
- Centralise logging and implement detections
- Develop clear playbooks for incident response at the edge
These measures won’t eliminate the threat of compromise but they will make your environment significantly harder to breach and easier to defend.
References
The following resources have informed this post and provide further guidance for securing and monitoring edge devices. They are especially useful for practitioners looking to deepen their understanding of current threat activity and defensive strategies.