Hackers Target Network Edge Devices to Breach SMB Organizations

Small and midsized businesses (SMBs) remain prime targets for cybercriminals, particularly as attackers increasingly exploit network edge devices to gain unauthorized access, escalate privileges, and deploy ransomware.

Sophos’ threat intelligence data from 2024 underscores a persistent trend: over a quarter of initial compromises among SMBs stemmed from the exploitation of firewalls, VPN appliances, and remote-access devices, collectively known as network edge devices.

The real figure may be even higher, given the covert nature of many intrusions.

Spike in Attacks Exploiting Vulnerable Remote Access Devices Fuels Ransomware Surge

Despite a marginal year-over-year decline in the number of ransomware incidents, the financial and operational impact has grown, especially for organizations with between 500 and 5,000 employees.

Ransomware accounted for a staggering 90% of all incident response cases involving midsize SMBs in 2024.

Figure: Frag ransomware note associated with a STAC5881 attack

Attackers leverage a blend of well-known and novel techniques, with network edge device vulnerabilities playing a central role in their playbooks.

A core element of these attacks is the rapid weaponization of recently disclosed vulnerabilities.

For example, soon after the September 2024 publication of CVE-2024-40711, affecting Veeam backup software, malicious actors began exploiting the flaw, often in tandem with compromised VPN credentials, to gain initial access.

Devices with unpatched software or outdated firmware, or those configured with weak credential policies, are especially vulnerable.

Even when organizations act on security advisories, attackers may persist via web shells or other footholds established before patching, or by exploiting incomplete remediation efforts.

SMBs Face Escalating Risk from Unpatched Firewalls, VPNs, and Weak MFA Implementation

Sophos incident data highlights several top vulnerabilities exploited in 2024, including authentication bypass flaws in ConnectWise ScreenConnect (CVE-2024-1709) and Citrix NetScaler (CVE-2023-4966), as well as remote code execution bugs in Veeam and Palo Alto Networks devices.

Figure: The login screen for a RaccoonStealer Office365-focused credential theft portal

The exploitation of end-of-life or misconfigured devices beyond those covered by official CVE listings further broadens the attack surface.

Remote access appliances, especially those not hardened with robust multi-factor authentication (MFA), are often the weakest link.

Attackers increasingly bypass MFA using sophisticated adversary-in-the-middle (AitM) phishing platforms, capturing both credentials and session tokens to facilitate undetected lateral movement.

The emergence of phishing kits such as Dadsec and its derivatives, together with “quishing” tactics (QR code-based phishing), illustrates the dynamic and adaptive threat landscape.

The operational tactics of attackers are evolving as well. Ransomware deployment often occurs from unmanaged or external devices, leveraging network file shares to encrypt assets without triggering endpoint security defenses; these are the so-called “remote ransomware” attacks.

Sophos telemetry revealed a 50% year-over-year increase in such incidents in 2024.
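Because the encrypting process runs on an unmanaged host, the file server's own share-access audit trail is where remote ransomware becomes visible. The following is an added example, not code from the Sophos report or from Cyber Press: it scans constructed, hypothetical share-audit lines and flags any client that is absent from a (hypothetical) managed-endpoint inventory and performs a burst of modifying operations within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not real telemetry):
# timestamp|client_ip|share|file|access
SAMPLE_LOG = """
2024-11-02T03:14:01|10.0.1.10|Finance|budget.xlsx|ReadData
2024-11-02T03:14:03|10.0.1.10|Finance|budget.xlsx|WriteData
2024-11-02T03:14:05|10.0.9.77|Finance|budget.xlsx|WriteData
2024-11-02T03:14:06|10.0.9.77|Finance|budget.xlsx|Rename
2024-11-02T03:14:08|10.0.9.77|Finance|payroll.csv|WriteData
2024-11-02T03:14:09|10.0.9.77|Finance|payroll.csv|Rename
2024-11-02T03:14:11|10.0.9.77|HR|contracts.docx|WriteData
2024-11-02T03:14:12|10.0.9.77|HR|contracts.docx|Rename
2024-11-02T03:20:30|10.0.5.5|HR|notes.txt|WriteData
2024-11-02T03:21:00|10.0.1.11|Finance|budget.xlsx|ReadData
"""

# Hypothetical inventory of endpoints that run the managed EDR agent.
MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11"}
# Operations that change or rename share content (what encryption looks like).
MODIFYING = {"WriteData", "Rename", "Delete"}


def parse_event(line):
    ts, ip, share, path, access = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "share": share, "path": path, "access": access}


def find_remote_encryptors(log, managed, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"peak": n, "shares": [...]}} for unmanaged clients whose
    modifying operations on shares reach `threshold` within `window`."""
    per_ip = defaultdict(list)
    for line in log.strip().splitlines():
        ev = parse_event(line)
        if ev["ip"] not in managed and ev["access"] in MODIFYING:
            per_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end, ev in enumerate(events):
            # Slide the window start forward until the span fits in `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = {"peak": peak,
                        "shares": sorted({e["share"] for e in events})}
    return hits
```

On the sample data, only 10.0.9.77 is flagged: six modifying operations across two shares in seven seconds from a host with no EDR agent, while the single write from 10.0.5.5 stays below the threshold.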

Attackers also employ legitimate but vulnerable drivers to disable security software (“EDR killers”) and use social engineering, malvertising, and credential theft tools to maximize impact.

In light of these developments, cybersecurity experts recommend that SMBs undertake rigorous lifecycle management of all internet-facing devices, ensuring prompt patching and regular audits.

Migrating to passkeys, enforcing strong MFA, and extending endpoint protection coverage are critical defenses.

The expanding sophistication of attacker tactics demands a holistic, defense-in-depth approach, one that many SMBs find difficult to manage without external support, but that is now essential to mitigate the growing risks associated with edge device vulnerabilities.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.