The Rising Threat of Exploited Edge Devices in Cyber Security
As India rapidly digitizes across sectors, edge devices such as routers, firewalls, and VPNs are emerging
as prime targets for sophisticated cyberattacks in 2025.
Both financially motivated criminals and state-sponsored actors from neighboring countries are
increasingly exploiting vulnerabilities in these devices to gain covert access to critical government,
defense, and industrial networks. Attacks like multi-stage malware campaigns, botnets, and large-scale
DDoS assaults are compromising India’s IT and OT infrastructure, raising significant concerns for sectors
including education, healthcare, and finance.
Compromised devices of this kind are commonly repurposed as nodes in Operational Relay Box (ORB)
networks: meshes of hijacked routers and other edge devices that attackers use to anonymize and
relay their command-and-control traffic. Because an ORB network's traffic exits from ordinary
residential and small-business IP addresses, it blends in with legitimate activity and defeats simple
IP-reputation blocking. A device that has been folded into such a relay mesh is also a foothold
inside its own network: it can serve as a launchpad for lateral movement, data exfiltration, or, where
it sits between operational technology (OT) and IT segments, operational sabotage.
By compromising these devices, attackers establish covert communication channels that evade
detection and use them to push deeper into the network. Over the past year, both cyber criminals
and state-sponsored actors have sharply increased their focus on edge devices as an initial access
vector, to the point that Check Point Research named the security risks arising from edge devices one
of five significant cyber security trends to monitor this year.
Why Edge Devices are Now Being Targeted
Edge devices have become a more attractive target because they sit inline in a network's traffic
flow: taking one offline to patch causes very noticeable operational disruption, so patches are often
deferred. Vulnerabilities found in devices like Ivanti Connect Secure were exploited by both
state-sponsored actors and ransomware groups to compromise corporate networks and gain access to
sensitive environments. Because patching these devices often means service downtime, potentially
impeding business operations, organizations must balance the need to secure their systems against
the risk of disrupting vital services.
Exploitation of edge devices isn't limited to zero-day vulnerabilities. Magnet Goblin, a financially
motivated group that came to light in 2024, specializes in newly disclosed (one-day) vulnerabilities in
popular edge devices such as Ivanti Connect Secure VPNs, often weaponizing them within days of public
disclosure. The group uses tools like NerbianRAT, a cross-platform remote access Trojan (RAT), to gain
access to networks and deploy custom malware. Its swift exploitation of widely deployed devices
highlights a concerning trend: cyber criminals increasingly target critical infrastructure components
as the route to sensitive data.
There is also the "smart" edge to consider: IoT gateways that not only aggregate and preprocess
telemetry but also enforce policy, orchestrate workflows, and bridge the gap between OT and IT. That
very intelligence makes them attractive targets. A single compromised gateway could let an adversary
silently manipulate sensor readings, disrupt critical processes, or pivot into core networks, all
under the guise of routine edge communications. As organizations hurry to tap into IoT data and
automation, one fact is unavoidable: smart edge deployments are only as safe as the gateways and
relay points they are built on, and the next wave of cyber threats is already probing the edges of
the connected world.
© 2024 Check Point Software Technologies Ltd. All Rights Reserved Page 2 of 2
The Continued Role of State-Sponsored Attacks
While financially motivated actors are rapidly exploiting edge devices, state-sponsored threat groups are
also targeting these vulnerabilities – and doing so with a high level of sophistication. Cisco’s Adaptive
Security Appliances (ASA) were targeted in a campaign known as ArcaneDoor. This operation, executed
by nation-state actors, exploited weaknesses in ASA devices, allowing the attackers to infiltrate
government and industrial networks. Once inside, they could exfiltrate sensitive data and establish long-
term espionage capabilities, all while maintaining a covert presence.
In 2025, India faces escalating cyber threats from state-sponsored hackers targeting its critical sectors
amid ongoing geopolitical tensions. China-backed groups continue cyber espionage linked to border
disputes, while Pakistan-based actors ramp up sophisticated attacks on government, defense, and
aerospace domains. These attacks, involving distributed denial-of-service (DDoS), web defacements, and
data breaches, are expected to intensify across industries such as education, healthcare, and finance. In
response, India is significantly boosting cybersecurity investments, with its market projected to more
than double by 2030, reflecting growing efforts to safeguard national and economic security.
The Threat of Botnets and DDoS Attacks
A research report has highlighted that India faced an alarming 3000% rise in API-targeted Distributed
Denial of Service (DDoS) attacks in just three months; the report documents over 1.2 billion attacks,
including 271 million API attacks, in the last quarter. Unlike traditional volumetric attacks that
flood a site with traffic, these application-layer attacks send large numbers of individually valid
requests to costly API endpoints, exhausting backend resources rather than bandwidth. While
sophisticated backdoors and custom implants dominate discussions around edge device exploitation,
such traditional threats remain prevalent. In September 2024, Cloudflare mitigated what was at the
time described as the largest DDoS attack in history. The attack, launched from compromised edge
devices including MikroTik routers, DVRs, and web servers, reached an extraordinarily high packet
rate. Many of the devices were likely recruited through critical vulnerabilities, with ASUS home
routers accounting for a large share of the attack traffic. The campaign, which has not been
attributed to any specific state-sponsored actor or cybercriminal group, demonstrates the scale and
impact that compromised edge devices can have.
In 2024, botnets created from unsecured and vulnerable edge devices became indispensable tools for
advanced threat actors. These botnets, like Raptor Train and Faceless, use decentralized C2
infrastructures that dynamically rotate between compromised devices. This ability to switch nodes and
evade detection allows attackers to remain undetected for extended periods while maintaining
persistent access to critical systems. Some malware, such as TheMoon, employs advanced evasion
tactics like in-memory-only execution and frequent IP switching, making it even more difficult for
defenders to track and mitigate.
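The relay-and-rotate behaviour described for ORB networks earlier and for botnets such as Raptor Train and Faceless here leaves a measurable trace on the victim side: an implanted host keeps beaconing at a steady cadence with near-constant payload sizes while the destination address keeps changing. The following Python script is an added example (not Check Point tooling and not code from the original page) that flags that pattern in a constructed connection log. The log format, the two hosts in it, the addresses and the thresholds are all assumptions made for illustration.

```python
"""Heuristic detector for C2 that rotates through a pool of relay nodes.

Added example. Assumed input format (one connection per line):
    epoch_seconds,src_ip,dst_ip,dst_port,bytes_out
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (assumption): 10.0.0.5 beacons roughly every 300 s to a
# rotating set of external addresses with near-identical payload sizes, which is
# how a rotating-relay implant looks from inside the network. 10.0.0.9 is an
# ordinary browsing host with irregular timing and widely varying sizes.
SAMPLE_LOG = """\
1700000000,10.0.0.5,198.51.100.10,443,512
1700000300,10.0.0.5,203.0.113.42,443,516
1700000602,10.0.0.5,192.0.2.77,443,510
1700000899,10.0.0.5,198.51.100.10,443,514
1700001201,10.0.0.5,203.0.113.42,443,511
1700001498,10.0.0.5,192.0.2.78,443,513
1700000000,10.0.0.9,93.184.216.34,443,2048
1700000041,10.0.0.9,93.184.216.34,443,7311
1700000950,10.0.0.9,151.101.1.69,443,120
1700003100,10.0.0.9,104.16.0.1,443,55000
"""


def parse_log(text):
    """Parse the assumed CSV format into (ts, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        rows.append((int(ts), src, dst, int(port), int(nbytes)))
    return rows


def _cv(values):
    """Coefficient of variation (stddev / mean); 0.0 when fewer than two values."""
    if len(values) < 2:
        return 0.0
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_rotating_beacons(rows, min_events=5, min_dsts=3,
                          max_interval_cv=0.15, max_size_cv=0.15):
    """Return {src_ip: sorted destination list} for internal hosts that connect
    at a steady cadence, with near-constant payload size, to at least min_dsts
    distinct external addresses. Requiring all three conditions keeps normal
    CDN-heavy hosts (many destinations, irregular timing and sizes) out."""
    by_src = defaultdict(list)
    for ts, src, dst, _port, nbytes in rows:
        by_src[src].append((ts, dst, nbytes))

    flagged = {}
    for src, events in by_src.items():
        if len(events) < min_events:
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [e[2] for e in events]
        dsts = {e[1] for e in events}
        if (len(dsts) >= min_dsts
                and _cv(intervals) <= max_interval_cv
                and _cv(sizes) <= max_size_cv):
            flagged[src] = sorted(dsts)
    return flagged


if __name__ == "__main__":
    for src, dsts in find_rotating_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: steady beaconing to {len(dsts)} rotating destinations: {', '.join(dsts)}")
```

The thresholds are starting points, not tuned values: lengthen the observation window and raise `min_dsts` for a busy enterprise egress, and feed the script firewall or NetFlow exports rather than the constructed sample. The point of the heuristic is that node rotation defeats blocklists but not timing analysis, because the implant's schedule stays regular even as the relay addresses change.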
Protect Your Edge (Devices)
Edge devices are no longer a minor part of the network. As attacks become more frequent and
disruptive, we’re seeing edge device vulnerabilities as a key focal point for attackers seeking entry into
corporate environments. As threat actors evolve their tactics and tools, the need for robust security
practices around edge devices has become more critical than ever. Businesses must act quickly to secure
their networks by closing the gaps in edge device security, ensuring these devices are properly secured
through strong authentication methods, routine vulnerability scanning, and timely patch management.
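The three controls named above (strong authentication, routine vulnerability scanning, timely patch management) can be turned into a repeatable check rather than a one-off audit. The Python script below is an added example, not code from Check Point or from the original page: it runs a constructed inventory of edge devices against a hypothetical patched-firmware baseline and flags devices that are below it, that expose their management interface to the WAN, that allow admin login without MFA, or that have not been scanned recently. The product names, firmware versions, device records and thresholds are all assumptions.

```python
"""Edge device hygiene audit. Added example, not vendor tooling.

The MIN_FIRMWARE baseline and the INVENTORY records are constructed for
illustration; in practice the baseline comes from vendor advisories and the
inventory from your asset database.
"""
from datetime import date

# Hypothetical lowest patched release per product family (assumption).
MIN_FIRMWARE = {
    "vpn-gateway": (22, 7, 1),
    "firewall": (9, 18, 4),
    "router": (7, 14, 2),
}

# Constructed inventory (assumption): one device per product family.
INVENTORY = [
    {"name": "vpn-edge-01", "product": "vpn-gateway", "firmware": "22.6.2",
     "mgmt_wan_exposed": True, "mfa": False, "last_scan": "2025-01-03"},
    {"name": "fw-dc-01", "product": "firewall", "firmware": "9.18.4",
     "mgmt_wan_exposed": False, "mfa": True, "last_scan": "2025-03-28"},
    {"name": "rtr-branch-07", "product": "router", "firmware": "7.14.2",
     "mgmt_wan_exposed": True, "mfa": True, "last_scan": "2025-03-30"},
]


def parse_version(text):
    """'22.6.2' -> (22, 6, 2). Tuple comparison ranks 9.18.4 above 9.2.0,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev, today, max_scan_age_days=30):
    """Return the list of findings for one device; an empty list means clean."""
    findings = []
    baseline = MIN_FIRMWARE.get(dev["product"])
    if baseline is None:
        findings.append("no patched baseline known for product")
    elif parse_version(dev["firmware"]) < baseline:
        findings.append("firmware below patched baseline")
    if dev["mgmt_wan_exposed"]:
        findings.append("management interface reachable from WAN")
    if not dev["mfa"]:
        findings.append("admin login without MFA")
    age_days = (today - date.fromisoformat(dev["last_scan"])).days
    if age_days > max_scan_age_days:
        findings.append(f"last vulnerability scan {age_days} days ago")
    return findings


def audit(inventory, today_iso):
    """Map device name -> findings for every device with at least one finding."""
    today = date.fromisoformat(today_iso)
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, "2025-04-01").items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run on the constructed inventory, the VPN gateway fails all four checks and the branch router fails only the WAN-exposure check, which is the kind of ranking a remediation queue needs: the device that is both unpatched and reachable from the internet without MFA is the one the campaigns described in this paper go after first.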