Exposed and Exploited: The Growing Danger of Edge Device Attacks in India’s Critical Systems

The Rising Threat of Exploited Edge Devices in Cyber Security

As India rapidly digitizes across sectors, edge devices such as routers, firewalls, and VPNs are emerging as prime targets for sophisticated cyberattacks in 2025.

Both financially motivated criminals and state-sponsored actors from neighboring countries are increasingly exploiting vulnerabilities in these devices to gain covert access to critical government, defense, and industrial networks. Attacks like multi-stage malware campaigns, botnets, and large-scale DDoS assaults are compromising India’s IT and OT infrastructure, raising significant concerns for sectors including education, healthcare, and finance.

Checkpoint

These devices are commonly repurposed as Operational Relay Boxes (ORBs): compromised routers, VPN appliances and IoT gateways chained together into proxy networks that anonymize and relay attacker traffic. An ORB node is a trusted edge device, so the traffic it relays blends in with the site's normal communications, and it sits exactly where an attacker wants to be: at the boundary between the internet, the corporate IT network and, in industrial sites, the operational technology (OT) network. That position makes a compromised edge device a critical choke point, and one enrolled in an ORB network can act as a launchpad for lateral movement, data exfiltration, or even operational sabotage.

By compromising these devices, attackers establish covert communication channels that evade detection and let them infiltrate further into networks. Over the past year, both cyber criminals and state-sponsored actors have dramatically increased their focus on edge devices as an initial access vector. The issue has become so severe that Check Point Research listed the security risks arising from edge devices as one of five significant cyber security trends to monitor this year.
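The relay behaviour described above leaves a trace that defenders can look for even when the device's own logs are untrustworthy: every connection the box proxies shows up as an inbound flow from an unrelated external source, followed within moments by an outbound flow to somewhere else of roughly the same size. The script below is an added example, not code from the original article or from Check Point Research. It runs that pairing heuristic over constructed NetFlow-style records; the device address, the internal ranges, the thresholds and the sample flows are all assumptions for the demonstration.

```python
"""Heuristic detection of an edge device acting as a traffic relay (ORB node).

Added example, not from the original article or from Check Point Research.
Pairs each inbound connection that an edge device terminates with an outbound
connection the same device opens shortly afterwards carrying a similar byte
volume; a device that relays many unrelated external sources is flagged.
Field names, thresholds and sample records are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time in seconds (exporter clock)
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed inventory: public address of a monitored VPN appliance (assumed)
# and the organisation's internal ranges. Flows into those ranges are legitimate
# forwarding, not relaying, so they are ignored.
EDGE_DEVICES = {"203.0.113.10"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relays(flows, max_lag=2.0, byte_tolerance=0.15, min_sources=5):
    """Return {device: set of relayed external sources} for suspicious devices.

    A relay pair is: external A -> device, followed within max_lag seconds by
    device -> external B (B != A), with byte counts within byte_tolerance.
    A device is reported once it has relayed at least min_sources distinct
    external sources.
    """
    inbound_by_dev = defaultdict(list)
    outbound_by_dev = defaultdict(list)
    for f in flows:
        if f.dst in EDGE_DEVICES and not is_internal(f.src):
            inbound_by_dev[f.dst].append(f)
        elif f.src in EDGE_DEVICES and not is_internal(f.dst):
            outbound_by_dev[f.src].append(f)

    hits = {}
    for dev, inbound in inbound_by_dev.items():
        outbound = sorted(outbound_by_dev.get(dev, []), key=lambda f: f.ts)
        relayed, consumed = set(), set()
        for fin in sorted(inbound, key=lambda f: f.ts):
            for i, fout in enumerate(outbound):
                if i in consumed or fout.ts < fin.ts:
                    continue
                if fout.ts - fin.ts > max_lag:
                    break                      # outbound list is time-ordered
                if fout.dst == fin.src:
                    continue                   # a reply to the same peer, not a relay
                if abs(fout.nbytes - fin.nbytes) <= byte_tolerance * max(fin.nbytes, 1):
                    relayed.add(fin.src)
                    consumed.add(i)
                    break
        if len(relayed) >= min_sources:
            hits[dev] = relayed
    return hits


# Constructed sample: one legitimate VPN session, six proxied connections from
# unrelated external sources, and one ordinary request/reply with a single peer.
SAMPLE_FLOWS = [
    Flow(0.0, "198.51.100.7", 51000, "203.0.113.10", 443, 4200),   # VPN user in
    Flow(0.3, "203.0.113.10", 40000, "10.0.5.20", 445, 4100),      # forwarded internally
    Flow(10.0, "192.0.2.11", 5111, "203.0.113.10", 443, 1500),
    Flow(10.4, "203.0.113.10", 41001, "198.51.100.80", 443, 1480),
    Flow(11.0, "192.0.2.12", 5112, "203.0.113.10", 443, 2600),
    Flow(11.2, "203.0.113.10", 41002, "198.51.100.81", 443, 2550),
    Flow(12.0, "192.0.2.13", 5113, "203.0.113.10", 443, 900),
    Flow(12.9, "203.0.113.10", 41003, "198.51.100.82", 443, 960),
    Flow(13.0, "192.0.2.14", 5114, "203.0.113.10", 443, 7200),
    Flow(13.5, "203.0.113.10", 41004, "198.51.100.83", 443, 7000),
    Flow(14.0, "192.0.2.15", 5115, "203.0.113.10", 443, 3100),
    Flow(14.1, "203.0.113.10", 41005, "198.51.100.84", 443, 3000),
    Flow(15.0, "192.0.2.16", 5116, "203.0.113.10", 443, 1200),
    Flow(16.5, "203.0.113.10", 41006, "198.51.100.85", 443, 1150),
    Flow(30.0, "192.0.2.99", 5200, "203.0.113.10", 443, 800),      # plain request
    Flow(30.1, "203.0.113.10", 443, "192.0.2.99", 5200, 790),      # its reply
]

if __name__ == "__main__":
    for dev, sources in find_relays(SAMPLE_FLOWS).items():
        print(f"{dev}: relayed {len(sources)} external sources -> {sorted(sources)}")
```

The byte-volume and timing match is deliberately loose, because a real relay adds its own framing and scheduling jitter; tune `max_lag` and `byte_tolerance` against a baseline captured from the device before trusting the verdict, and treat a hit as a trigger for pulling the device's configuration and firmware image rather than as proof on its own.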

Why Edge Devices are Now Being Targeted

Edge devices have become a more attractive target because they sit in the critical path of a network's traffic, which makes them hard to patch without causing very noticeable operational disruption. Vulnerabilities found in devices like Ivanti Connect Secure were exploited by both state-sponsored actors and ransomware groups to compromise corporate networks and reach sensitive environments. And because patching these devices often means service downtime that can impede business operations, organizations must balance the need to secure their systems against the risk of disrupting vital services.

The exploitation of edge devices isn't limited to zero-day vulnerabilities. Magnet Goblin, a financially motivated group that Check Point Research documented in 2024, focuses on rapidly exploiting newly disclosed (1-day) vulnerabilities in popular edge devices like Ivanti Connect Secure VPNs, often within days of a patch being published. The group leverages tools like NerbianRAT, a cross-platform remote access Trojan (RAT), to gain access to networks and deploy custom malware. Magnet Goblin's swift exploitation of vulnerabilities in widely used devices highlights a concerning trend in which cyber criminals increasingly target critical infrastructure components to reach sensitive data.

There is also the "smart" edge: gateways that not only aggregate and preprocess telemetry but also enforce policy, orchestrate workflows, and bridge the gap between OT and IT. That very intelligence makes them irresistible targets. A single compromised gateway, turned into a relay box, could allow adversaries to silently manipulate sensor readings, disrupt critical processes, or pivot into core networks, all under the guise of routine edge communications. As we hurry to tap into IoT's data and automation, we need to face one clear fact: our smart edge is only as safe as the gateways and relay points we deploy, and the next wave of cyber threats is already hiding around the edges of our connected world.

The Continued Role of State-Sponsored Attacks

While financially motivated actors are rapidly exploiting edge devices, state-sponsored threat groups are targeting the same vulnerabilities, and doing so with a high level of sophistication. Cisco's Adaptive Security Appliances (ASA) were targeted in a campaign known as ArcaneDoor, disclosed by Cisco Talos in 2024. This operation, attributed to a nation-state actor, exploited weaknesses in ASA devices, allowing the attackers to infiltrate government and industrial networks. Once inside, they could exfiltrate sensitive data and establish long-term espionage capabilities while maintaining a covert presence on the perimeter device itself.

In 2025, India faces escalating cyber threats from state-sponsored hackers targeting its critical sectors amid ongoing geopolitical tensions. China-backed groups continue cyber espionage linked to border disputes, while Pakistan-based actors ramp up sophisticated attacks on government, defense, and aerospace domains. These attacks, involving distributed denial-of-service (DDoS), web defacements, and data breaches, are expected to intensify across industries such as education, healthcare, and finance. In response, India is significantly boosting cybersecurity investments, with its market projected to more than double by 2030, reflecting growing efforts to safeguard national and economic security.

The Threat of Botnets and DDoS Attacks

A research report has highlighted that India faced an alarming 3000% rise in API-targeted Distributed Denial of Service (DDoS) attacks in just three months. The report documents over 1.2 billion attacks last quarter, including 271 million API attacks. Unlike traditional attacks that flood websites with raw traffic, these attacks exhaust the API itself, which has to authenticate, parse and process every request it receives. While sophisticated backdoors and custom implants dominate discussions around edge device exploitation, more traditional threats remain prevalent. In September 2024, Cloudflare mitigated what it described as the largest DDoS attack publicly disclosed to date. The attack originated from compromised edge devices such as MikroTik routers, DVRs, and web servers and involved an extraordinarily high packet rate. Many of these devices were likely compromised through critical vulnerabilities, with ASUS home routers accounting for a large portion of the attack traffic. The campaign has not been attributed to any specific state-sponsored actor or cybercriminal group, but it demonstrates the scale and impact that compromised edge devices can have.

In 2024, botnets built from unsecured and vulnerable edge devices became indispensable tools for advanced threat actors. Botnets like Raptor Train and Faceless use layered C2 infrastructures that rotate dynamically between compromised devices. This ability to switch nodes and evade detection lets attackers remain undetected for extended periods while maintaining persistent access to critical systems. Some malware, such as TheMoon, employs further evasion tactics like in-memory-only execution, which leaves nothing on the device's flash storage for a forensic image to find, and frequent IP switching, making it even more difficult for defenders to track and mitigate.

Protect Your Edge (Devices)

Edge devices are no longer a minor part of the network. As attacks become more frequent and disruptive, edge device vulnerabilities have become a key focal point for attackers seeking entry into corporate environments. As threat actors evolve their tactics and tools, the need for robust security practices around edge devices is more critical than ever. Businesses must act quickly to close the gaps in edge device security: strong authentication on management interfaces (multi-factor authentication, no default or shared credentials, and no management plane reachable from the internet), routine vulnerability scanning, and timely patch management with a tested maintenance window so that the downtime argument against patching no longer wins.