Network Edge Devices the Biggest Entry Point for Attacks on SMBs

Compromised network edge devices accounted for initial compromise in 30% of incidents impacting small and medium-sized businesses (SMBs) in 2024.

These devices, which include VPN appliances, firewalls and other remote access appliances, collectively made up the largest single source of initial compromise of networks in intrusions tracked by Sophos Managed Detection and Response (MDR).

VPN exploitation alone was the most frequent compromise point across all cases, at 19%.

Additionally, VPN devices were targeted for initial access in 25% of ransomware and data exfiltration events last year.

Network edge devices often do not support security tools like EDR, making them a tempting target for threat actors.

During the Google Cloud Next 2025 conference, Sandra Joyce, VP of Google Threat Intelligence, explained that attackers are targeting vulnerabilities in these devices “relentlessly” as a result.

Sophos wrote: “Lifecycle management of all systems, including Internet routers, firewalls, VPN appliances, and Internet-facing applications and servers, is an essential part of deterring a significant percentage of attacks. Devices left in service without patches or after the end of their support by vendors can act as a beacon for access brokers and ransomware actors who perform wide network scans of the Internet for vulnerable systems to attack.”

The new report also found that attackers are increasingly abusing legitimate commercial remote access tools, which were involved in 34% of incidents.

These tools are frequently used to disguise activity that follows initial exploitation, such as the deployment of malware and command-and-control tools.

The researchers noted that attackers usually abuse trial account licenses or use pirated licenses for the versions they deploy.

The most frequently abused remote access tools observed by Sophos in 2024 were PsExec, AnyDesk and ScreenConnect.


Surge in Remote Ransomware Attacks

Another notable trend from the study was a rise in “remote” ransomware attacks, up by 50% in 2024 compared to 2023, and a 141% increase since 2022.

Remote ransomware attacks are conducted from unmanaged devices that sit outside the reach of endpoint protection software. The attacker uses network file-sharing connections to access and encrypt files on other machines, so the ransomware binary never executes on the machines whose files are encrypted.

This can conceal the encryption process from malware scans, behavioral detection and other defenses.

Overall, ransomware and data theft attacks accounted for nearly 30% of all Sophos MDR-tracked incidents for SMBs, making this the largest category of incident.

However, the overall number of incidents in 2024 was slightly down compared to 2023, in part because of better defenses and the disruption of some major ransomware-as-a-service operators.

Evolving Social Engineering Techniques

Sophos also found that attackers are adapting their social engineering techniques to avoid detection tools and improve the efficiency of attacks. The key social engineering trends in 2024 included:

  • MS Teams vishing. In the second half of 2024, the researchers observed a combination of technical and social engineering attacks targeting Microsoft Teams. This included two different groups initially sending a large volume of emails to targeted people within the organizations they attacked, followed by a call over Microsoft Teams to those people, placed from the attackers' own Microsoft 365 account and posing as technical support.
  • MFA phishing. Attackers are developing new ways of capturing credentials and multifactor tokens in real time to overcome growing use of MFA. A particular trend in 2024 was the use of phishing-as-a-service platforms such as Tycoon and EvilProxy.
  • Use of generative AI. Cybercriminals are increasingly using GenAI tools for various social engineering tasks. This includes creating images, videos and text for fake profiles, and for use in communication with targets to mask poor language fluency and conceal identity.
  • Quishing attacks. Attackers are turning to QR codes in phishing emails to hide malicious links and attachments, helping them evade many traditional security tools.