Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s why
Enterprises need to shore up defenses to protect VPNs, routers, and firewalls, according to Sophos
Compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium businesses, prompting calls for firms to shore up defenses.
Statistics from Sophos’ Annual Threat Report show firewalls, routers, and VPNs accounted for initial compromise in nearly 30% of all incidents observed by the firm over the last year.
Virtual private networks (VPNs) were cited as the most frequently compromised, accounting for over 25% of all incidents and also 25% of ransomware attacks.
What’s more, these figures come from cases that could be confirmed by telemetry, Sophos said, so the actual number of cases could be much higher.
Sean Gallagher, principal threat researcher at Sophos, said the report highlights how attackers have aggressively targeted edge devices over the last several years.
“Compounding the issue is the increasing number of end-of-life (EOL) devices found in the wild – a problem Sophos calls digital detritus,” he commented.
“Because these devices are exposed to the internet and often low on the patching priority list, they are a highly effective method for infiltrating networks.”
Gallagher added the aggressive targeting of edge devices forms part of a larger shift in cyber criminal tactics. In its report, Sophos said this means attackers don’t have to deploy custom malware and can employ ‘living off the land’ techniques to maximize their impact on target organizations.
“They can exploit businesses’ own systems, increasing their agility and hiding in the places security leaders aren’t looking,” Gallagher said.
Another popular attack method highlighted in the report was social engineering via Software as a Service (SaaS) platforms. Because they are so widely adopted, these platforms are heavily abused and commonly serve as the route to initial compromise.
Business email compromise is also a growing concern, according to the report, which attributes an alarming share of initial compromises in security incidents to it.
In these instances, malware deployment, credential theft, and social engineering are being used extensively, the report warned.
Phishing of credentials via adversary-in-the-middle (AiTM) attacks and multi-factor authentication (MFA) token capture were cited as the main drivers of the increase.
AiTM attacks are a specific variant of the traditional 'man in the middle' attack, in which cyber criminals position themselves between two communicating parties to steal data.
In the credential-phishing form, the attacker typically runs a reverse proxy in front of the genuine login page: the victim's username, password and MFA response are relayed to the real service, which issues an authenticated session, and the attacker captures the resulting session cookie or token. The attacker therefore does not merely intercept traffic but actively completes the login, so MFA is satisfied yet the authenticated session ends up in the attacker's hands.
This particular method has been growing in popularity among threat groups in recent years, with state-backed threat actors in particular employing the technique.
In an advisory last year, Microsoft warned AiTM attacks have now become one of the 'go-to' methods for cyber criminals, with the tech giant's Digital Crimes Unit (DCU) observing a 146% increase across 2024.
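The session-token capture described above, as an added detection example that is not part of the ITPro article or the Sophos report: the script below reads constructed identity-provider sign-in records (the JSON field names `user`, `event`, `ip`, `asn`, `ua` and `session_id` are an assumed schema, not any vendor's), binds each session to the network (ASN) and user agent seen when MFA succeeded, and flags later use of the same session from a different ASN or client. That mismatch is the footprint an AiTM phish leaves once the stolen cookie is replayed from attacker infrastructure.

```python
import json
from datetime import datetime

# Constructed sample log, not real telemetry. The schema (one JSON
# record per request) is an assumption for this example, not an
# identity provider's actual log format.
SAMPLE_LOG = """\
{"ts": "2025-03-04T09:00:05Z", "user": "alice", "event": "mfa_success", "ip": "203.0.113.9", "asn": 64500, "ua": "Chrome/123", "session_id": "s-7f1a"}
{"ts": "2025-03-04T09:00:40Z", "user": "alice", "event": "access", "ip": "203.0.113.9", "asn": 64500, "ua": "Chrome/123", "session_id": "s-7f1a"}
{"ts": "2025-03-04T09:06:12Z", "user": "alice", "event": "access", "ip": "198.51.100.77", "asn": 64511, "ua": "python-requests/2.31", "session_id": "s-7f1a"}
{"ts": "2025-03-04T09:10:00Z", "user": "bob", "event": "mfa_success", "ip": "192.0.2.20", "asn": 64496, "ua": "Firefox/124", "session_id": "s-02cc"}
{"ts": "2025-03-04T09:15:30Z", "user": "bob", "event": "access", "ip": "192.0.2.21", "asn": 64496, "ua": "Firefox/124", "session_id": "s-02cc"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_session_replay(records):
    """Bind each session to the ASN and user agent present when MFA
    succeeded, then report any later request that presents the same
    session_id from a different ASN or a different client."""
    bound = {}      # session_id -> attributes captured at mfa_success
    findings = []
    for rec in records:
        sid = rec["session_id"]
        if rec["event"] == "mfa_success":
            bound[sid] = {"asn": rec["asn"], "ua": rec["ua"], "ts": rec["ts"]}
            continue
        origin = bound.get(sid)
        if origin is None:
            continue    # no MFA event seen for this session in the window
        reasons = []
        if rec["asn"] != origin["asn"]:
            reasons.append("asn changed %d->%d" % (origin["asn"], rec["asn"]))
        if rec["ua"] != origin["ua"]:
            reasons.append("user agent changed")
        if reasons:
            age_min = (rec["ts"] - origin["ts"]).total_seconds() / 60
            findings.append({
                "user": rec["user"],
                "session_id": sid,
                "ip": rec["ip"],
                "minutes_after_mfa": round(age_min, 1),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(parse_log(SAMPLE_LOG)):
        print(finding)
```

Bob's records show a benign address change inside the same ASN and browser, which the check deliberately ignores; only Alice's session, reused from a different network by a non-browser client minutes after MFA, is reported. A real deployment would add a per-user baseline of usual ASNs and also alert on the MFA event itself arriving from a hosting provider's network, because with a proxy in the path the identity provider sees the attacker's address at login time, not the victim's.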
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.