Edge devices and ORBs: The new attack surface in cyber warfare

Cybersecurity Insights by Markus Seme, February 17, 2025


What are edge devices – and why are they so critical?

Edge devices are network-connected components positioned at the boundary between internal corporate networks and external environments such as the internet. These include:

  • Firewalls
  • Routers and SOHO routers (Small Office/Home Office)
  • VPN gateways
  • IoT devices (e.g. surveillance cameras, smart sensors)

These devices are particularly critical because they sit directly on the internet and form the first line of defense for corporate networks. At the same time they are frequently patched late, cannot run endpoint detection agents, and often log very little, which makes them a preferred target: whoever controls the gateway sees every session that crosses it.

What are ORBs (Operational Relay Boxes)?

ORBs (Operational Relay Boxes) are networks of relay nodes that attackers, above all state-sponsored espionage groups, use to hide the true origin of their traffic. They typically consist of compromised edge devices (SOHO routers, VPN gateways, IoT devices), sometimes mixed with leased virtual private servers, that function as proxy hops within an attack network. Because the nodes sit in ordinary residential and small-business address space, traffic relayed through them blends in with legitimate users, and the node IP addresses rotate frequently.

How ORBs work:

  • Attackers take over an edge device (e.g. a router) using a zero-day or unpatched known vulnerability, or default or stolen credentials.
  • The compromised device is enrolled into the relay network and starts forwarding traffic on the attackers' behalf.
  • It then serves as a springboard for attacks on other targets and as a hop for routing stolen data (e.g. exfiltrated corporate information), so that the victim only ever sees the relay's address, never the operator's.

One prominent example is the KV botnet, built from compromised end-of-life SOHO routers and used by the Chinese state actor Volt Typhoon to relay traffic toward U.S. critical infrastructure; the FBI disrupted it in January 2024.


Why are edge devices and ORBs a growing threat trend?

In recent years, attacks on edge devices have surged — and ORBs have become a key enabler of modern cyber operations. Three main developments are driving this trend:

1. Exploitation of zero-day vulnerabilities in edge devices
In 2024, there was a wave of zero-day exploits in VPN gateways, firewalls and routers:

  • CVE-2024-24919: An information-disclosure flaw in Check Point security gateways with Remote Access VPN or Mobile Access enabled, allowing unauthenticated attackers to read sensitive files (including local password hashes) from the device.
  • CVE-2024-3400: A command-injection flaw in the GlobalProtect feature of Palo Alto Networks PAN-OS, allowing unauthenticated remote code execution with root privileges on the firewall.

Such vulnerabilities are particularly problematic because edge devices are difficult to patch: a reboot or firmware update interrupts service for everyone behind the device, so patches are deferred, while attackers often begin exploiting within hours of disclosure.
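Patching "faster" only works if you know which of your devices are actually exposed to a given advisory. The following Python script is an added example and not part of the original article: it triages a constructed device inventory against an advisory table, parses PAN-OS style versions including "-hN" hotfix suffixes, checks each device against the affected release trains, and ranks findings by whether the flaw is exploited in the wild and whether the device is internet-facing. The CVE-2024-3400 entry reflects the Palo Alto Networks advisory as recalled here (affected trains 10.2, 11.0 and 11.1); confirm the fixed versions against the vendor advisory before acting on the output. Device names and the SOHO router entry are hypothetical.

```python
"""Patch-lag triage for internet-facing edge devices (added example, not from the article)."""
from dataclasses import dataclass
import re


@dataclass
class Device:
    name: str
    product: str
    version: str
    internet_exposed: bool      # VPN portal / data plane reachable from the internet
    mgmt_exposed: bool          # management interface reachable from the internet
    end_of_life: bool = False   # vendor no longer ships fixes


@dataclass
class Advisory:
    cve: str
    product: str
    fixed: dict                 # affected release train -> first fixed version
    exploited_in_wild: bool


def version_key(v: str) -> tuple:
    """Map '10.2.9-h1' to (10, 2, 9, 1) so that hotfixes sort above their base
    release: version_key('10.2.9') < version_key('10.2.9-h1')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-h(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))                  # pad to major.minor.patch
    return tuple(nums) + (int(m.group(2) or 0),)


def is_vulnerable(dev: Device, adv: Advisory) -> bool:
    """A device is affected when its release train is listed in the advisory
    and its version is older than the first fixed version for that train."""
    if dev.product != adv.product:
        return False
    train = ".".join(dev.version.split(".")[:2])
    fixed = adv.fixed.get(train)
    if fixed is None:
        return False                                # release train not affected
    return version_key(dev.version) < version_key(fixed)


def triage(devices, advisories):
    """Return (priority, device, reason) tuples, P1 first."""
    findings = []
    for d in devices:
        for a in advisories:
            if not is_vulnerable(d, a):
                continue
            if a.exploited_in_wild and d.internet_exposed:
                findings.append(("P1", d.name, f"{a.cve}: exploited in the wild, device internet-facing"))
            elif d.internet_exposed:
                findings.append(("P2", d.name, f"{a.cve}: unpatched, device internet-facing"))
            else:
                findings.append(("P3", d.name, f"{a.cve}: unpatched, not internet-facing"))
        if d.mgmt_exposed:
            findings.append(("P1", d.name, "management interface reachable from the internet"))
        if d.end_of_life:
            findings.append(("P2", d.name, "end-of-life: no vendor patches, plan replacement"))
    rank = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Advisory data as recalled from the Palo Alto Networks advisory for CVE-2024-3400;
# verify the fixed versions against the vendor before relying on them.
ADVISORIES = [
    Advisory("CVE-2024-3400", "PAN-OS",
             {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"},
             exploited_in_wild=True),
]

# Constructed inventory with hypothetical device names.
DEVICES = [
    Device("fw-dc1", "PAN-OS", "11.1.2", internet_exposed=True, mgmt_exposed=False),
    Device("fw-dc2", "PAN-OS", "11.1.2-h3", internet_exposed=True, mgmt_exposed=False),
    Device("fw-lab", "PAN-OS", "10.2.8", internet_exposed=False, mgmt_exposed=False),
    Device("fw-old", "PAN-OS", "10.1.11", internet_exposed=True, mgmt_exposed=False),
    Device("rtr-branch7", "SOHO-router", "1.0.3", internet_exposed=True, mgmt_exposed=True, end_of_life=True),
]

if __name__ == "__main__":
    for prio, name, reason in triage(DEVICES, ADVISORIES):
        print(prio, name, reason)
```

The two P1 findings are the ones a response team should act on the same day: the unpatched, internet-facing firewall with a flaw that is already being exploited, and the branch router whose management interface is reachable from the internet. An exposed management plane is treated as P1 regardless of any specific CVE because it is exactly how edge devices are enrolled into relay networks.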

2. Targeted attacks by state-sponsored actors
Nation-state groups — especially from China — have adopted edge device exploitation as part of long-term cyber espionage campaigns. These actors use compromised devices for persistent infiltration and covert monitoring:

  • Volt Typhoon: Targeted critical U.S. infrastructure using compromised SOHO routers.
  • Pacific Rim: Sophos's name for a five-year series of campaigns by Chinese state-sponsored actors against its firewalls, in which the attackers planted custom rootkits on the devices for long-term surveillance and espionage.

3. Commercial cybercrime groups weaponize edge devices
In addition to state-sponsored groups, financially motivated hackers are also increasingly active:

  • Magnet Goblin: A financially motivated group that weaponizes freshly disclosed 1-day vulnerabilities in VPN appliances and web applications (e.g. Ivanti Connect Secure) within days of publication to deploy custom malware.
  • TheMoon & Faceless: The TheMoon malware has compromised over 40,000 end-of-life SOHO routers and feeds them into the Faceless proxy service, which cybercriminals rent to conceal illegal activities.

Particularly alarming: botnets such as Raptor Train, attributed to the Chinese actor Flax Typhoon, have comprised over 200,000 compromised routers, cameras and NAS devices that serve as anonymization and staging infrastructure and could be repurposed for DDoS at any time.


How does this relate to OT security?

Operational technology (OT) is increasingly targeted through edge devices and ORBs — and the risks are growing:

  • ICS (Industrial Control Systems) and SCADA systems often use outdated VPNs or firewalls as access points.
  • Edge device vulnerabilities can be used to move from the IT level into OT networks.
  • Example: ArcaneDoor campaign – a state-sponsored espionage operation that exploited Cisco ASA firewalls to plant persistent implants on the perimeter devices of government and critical-infrastructure networks, exactly the device class that typically guards the IT/OT boundary.

Many organizations lack proper segmentation between IT and OT, so a compromised edge device becomes a direct threat to production environments.
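The segmentation gap described above is measurable. As an added example (not from the article), the following Python audit walks a constructed firewall rule table and flags IT-to-OT allow rules that would let an attacker who owns an edge device walk straight into production: any/any rules, rules that open all ports, and rules that permit interactive or ICS protocols from anything other than a designated jump host. Zone names, addresses and the jump-host address are hypothetical.

```python
"""Audit IT->OT firewall rules for paths an edge-device compromise could ride
into production (added example, not from the article)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    ports: set         # set of int TCP ports, or {"any"}
    action: str        # "allow" or "deny"


# Hypothetical hardened jump host: the only sanctioned path for interactive OT access.
JUMP_HOSTS = [ipaddress.ip_network("10.50.0.10/32")]

# Ports that give interactive or controller-level access to OT assets:
# SSH, Telnet, RDP, Modbus/TCP, Siemens S7, EtherNet/IP, DNP3.
OT_SENSITIVE_PORTS = {22, 23, 3389, 502, 102, 44818, 20000}


def from_jump_host(src: str) -> bool:
    """True only when every address the rule permits lies inside a jump host."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(j) for j in JUMP_HOSTS)


def audit(rules):
    """Return (rule name, severity, reason) for each over-broad IT->OT allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow" or (r.src_zone, r.dst_zone) != ("IT", "OT"):
            continue
        if r.src == "any" and r.dst == "any" and "any" in r.ports:
            findings.append((r.name, "CRITICAL",
                             "any/any/any from IT to OT: segmentation exists on paper only"))
            continue
        if "any" in r.ports:
            findings.append((r.name, "HIGH",
                             "all ports allowed into OT; restrict to the required service"))
        else:
            risky = sorted(r.ports & OT_SENSITIVE_PORTS)
            if risky and not from_jump_host(r.src):
                findings.append((r.name, "HIGH",
                                 f"interactive/ICS ports {risky} allowed from non-jump-host source {r.src}"))
        if r.dst == "any":
            findings.append((r.name, "MEDIUM",
                             "destination 'any' inside OT; pin the rule to specific assets"))
    return findings


# Constructed rule table (hypothetical names and addresses).
RULES = [
    Rule("legacy-it-to-ot", "IT", "OT", "any", "any", {"any"}, "allow"),
    Rule("vpn-to-plc", "IT", "OT", "10.20.0.0/16", "10.90.1.0/24", {502, 22}, "allow"),
    Rule("jump-to-hmi", "IT", "OT", "10.50.0.10/32", "10.90.2.5/32", {3389}, "allow"),
    Rule("historian-pull", "IT", "OT", "10.20.5.7/32", "10.90.3.2/32", {1433}, "allow"),
    Rule("ot-to-it-deny", "OT", "IT", "any", "any", {"any"}, "deny"),
]

if __name__ == "__main__":
    for name, severity, reason in audit(RULES):
        print(f"{severity:8} {name}: {reason}")
```

The "vpn-to-plc" rule is the typical finding: it was written so that remote engineers coming in through the VPN can reach the PLC network, but because its source is the whole IT range, anyone who has stolen a VPN session or compromised the VPN gateway itself inherits Modbus and SSH access to the controllers. The "jump-to-hmi" rule grants the same protocol but passes, because the only permitted source is the hardened jump host.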


Conclusion: Protective measures against edge device and ORB attacks

To counter this growing threat, companies must rethink their cybersecurity strategies:

  • Zero trust for edge devices: Never expose management interfaces to the internet; allow administrative access only from hardened jump hosts with MFA, and treat the appliance itself as a device that can be compromised rather than as a trusted part of the perimeter.
  • Regular patches & firmware updates: Track vendor advisories for every edge device, prioritize flaws that are already exploited in the wild, and replace end-of-life hardware that no longer receives fixes.
  • Network segmentation: Strict separation between IT and OT, with IT-to-OT traffic limited to specific sources, destinations and protocols.
  • Advanced detection (EDR & XDR): EDR agents rarely run on appliances themselves, so forward their logs to the SIEM and baseline each device's own outbound connections; a firewall that starts talking to unknown hosts is an anomaly worth investigating.
  • Darknet and threat-intelligence monitoring: Watch for leaked credentials of your users and for your own public IP ranges appearing in proxy-botnet or ORB node lists, which would mean one of your devices has already been enrolled as a relay.
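The ORB mechanics described earlier (a stolen credential used through a rotating set of compromised home routers) and the detection measure in the list above come down to the same question: does this VPN login come from where the user really is? The following Python detector is an added example, not code from the article or from any vendor. It parses constructed VPN authentication log lines, enriches source addresses with a constructed IP-to-ASN table and a constructed ORB IOC set, and raises three kinds of alert: a hit on a known relay node, one account succeeding from two different residential ASNs within an hour, and a distributed password spray where failures against many accounts arrive from residential space without any single IP being noisy.

```python
"""Flag VPN logins that look relayed through an ORB rather than coming from a
user's real location (added example, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (not real data).
LOG = """\
2025-02-10T08:01:12Z vpn-gw1 auth user=alice src=203.0.113.7 result=success
2025-02-10T08:14:40Z vpn-gw1 auth user=alice src=198.51.100.23 result=success
2025-02-10T08:20:05Z vpn-gw1 auth user=bob src=192.0.2.44 result=failure
2025-02-10T08:21:17Z vpn-gw1 auth user=carol src=192.0.2.45 result=failure
2025-02-10T08:22:30Z vpn-gw1 auth user=dave src=198.51.100.99 result=failure
2025-02-10T09:30:00Z vpn-gw1 auth user=erin src=203.0.113.200 result=success
2025-02-10T09:45:00Z vpn-gw1 auth user=frank src=10.0.0.5 result=success
"""

# Constructed enrichment: ip -> (ASN, category). Residential/SOHO space is where ORB nodes live.
ASN = {
    "203.0.113.7":   (64500, "residential"),
    "198.51.100.23": (64501, "residential"),
    "192.0.2.44":    (64502, "residential"),
    "192.0.2.45":    (64502, "residential"),
    "198.51.100.99": (64501, "residential"),
    "203.0.113.200": (64503, "corporate"),
    "10.0.0.5":      (0, "internal"),
}

# Constructed IOC feed of addresses reported as ORB / proxy-botnet nodes.
ORB_IOCS = {"192.0.2.44"}

LINE = re.compile(r"^(\S+) \S+ auth user=(\S+) src=(\S+) result=(\S+)$")


def parse(log: str):
    """Turn log lines into event dicts with ASN enrichment attached."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        asn, cat = ASN.get(src, (None, "unknown"))
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": src, "result": result, "asn": asn, "cat": cat})
    return events


def detect(events, window=timedelta(minutes=60), spray_threshold=3):
    """Return (alert type, subject, detail) tuples."""
    alerts = []
    # 1. Direct hit on a known relay node.
    for e in events:
        if e["src"] in ORB_IOCS:
            alerts.append(("known_orb_node", e["user"], e["src"]))
    # 2. One account succeeding from two different residential ASNs inside the window:
    #    a home user does not change ISP within an hour, a relay network does.
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["cat"] == "residential":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        pair = next(((a, b) for i, a in enumerate(evs) for b in evs[i + 1:]
                     if b["ts"] - a["ts"] <= window and b["asn"] != a["asn"]), None)
        if pair:
            alerts.append(("asn_hopping", user, f"{pair[0]['src']}->{pair[1]['src']}"))
    # 3. Distributed password spray: failures against many distinct accounts from
    #    residential space within the window, even though no single IP is noisy.
    fails = sorted((e for e in events if e["result"] == "failure" and e["cat"] == "residential"),
                   key=lambda e: e["ts"])
    for i, a in enumerate(fails):
        users = {b["user"] for b in fails[i:] if b["ts"] - a["ts"] <= window}
        if len(users) >= spray_threshold:
            alerts.append(("distributed_spray", f"{len(users)} accounts", a["ts"].isoformat()))
            break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(*alert)
```

The ASN-hopping rule is the one that matters most for ORB-relayed credential abuse: it fires on successful logins, so it catches the attacker after the password spray worked, and it needs no IOC feed, only an IP-to-ASN lookup the SIEM can do at ingest. Tune the window and the spray threshold to the size of your user base before deploying; a corporate "erin" logging in from a known business ASN produces no alert in this sample.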

 

About the author

Markus Seme is Managing Director of BearingPoint Austria and part of the management of BearingPoint Products. With over 15 years of experience at BearingPoint, he focuses on cybersecurity, digital resilience, and innovative security solutions. He supports companies in defending against current and emerging cyber threats.

It all starts with a conversation.

Looking to strengthen your IT security? Our cybersecurity experts are here to help.