Sophos researchers noted in their recent Annual Threat Report that ransomware attacks remain the primary existential cyber threat to small and midsized organizations, with ransomware cases accounting for 70 percent of incident response engagements for small business customers in 2024. Security experts recommend prioritizing patching of edge devices, implementing multifactor authentication for all remote access, replacing end-of-life equipment, and considering external help to audit and monitor external attack surfaces regularly, so that opportunistic attackers scanning for vulnerable targets have nothing to exploit.

“Whether simply misconfigured, using weak credential policies, or running on vulnerable software or firmware, systems on the network edge are the initial point of compromise for over a third of all incidents involving intrusion into smaller organizations,” the report states. Network edge devices also account for the largest percentage of initial access vectors observed specifically in ransomware and data exfiltration attacks against SMBs, highlighting the critical importance of securing these devices. These critical devices—including firewalls, virtual private network (VPN) appliances, and other remote access systems—have become the initial point of compromise in over a quarter of confirmed business breaches, and the actual number is likely much higher. Cybercriminals exploit these network perimeter vulnerabilities to gain unauthorized access, deploy malware, and launch devastating ransomware attacks.

For example, when backup software provider Veeam released a security bulletin on CVE-2024-40711 in September 2024, cybercriminals developed an exploit within a month, pairing it with VPN-based initial access techniques. This phenomenon, which Sophos CEO Joe Levy refers to as “digital detritus,” emphasizes how obsolete and unpatched hardware and software constitute an ever-growing source of security vulnerabilities.
The exploitation of network edge devices follows a consistent pattern: published vulnerabilities are rapidly weaponized by cybercriminals. In one case documented by Sophos MDR, a Citrix NetScaler gateway was used to establish initial access by exploiting sessions that weren’t reset after the “Citrix Bleed” patch was deployed. This represents a concerning shift in tactics, with attackers specifically scanning for and targeting inadequately secured infrastructure components that operate at the boundary between an organization’s internal network and the outside world. Analysis of incident data reveals that documented vulnerabilities that remained unpatched—some over a year old—played a role in nearly 15 percent of malicious intrusions tracked in 2024. In most cases, these vulnerabilities had been reported weeks or months before exploitation, often in connection with ransomware attacks.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 13:25:08 +0000