Firewalls and VPNs in the Line of Fire: How Exploits Are Evolving
Over the past year, cybercriminal activity has shifted toward exploiting vulnerabilities in corporate perimeter and infrastructure systems, and the window between a vulnerability becoming public and its exploitation keeps shrinking.
According to data from Google Threat Intelligence Group (GTIG), in 2024 44% of zero-day attacks affected enterprise-focused technologies, up from 37% in 2023. Most of those enterprise zero-days hit security and networking products, such as firewalls, virtual private networks (VPNs), and devices linked to cloud services.
Why This Shift in Targets?
Perimeter devices such as VPN gateways, business routers, load balancers, and web application firewalls (WAFs) run with elevated privileges and sit at the boundary between the internet and the internal network, so a single compromised device gives an attacker a foothold with broad reach into everything behind it. They are also appliances: closed platforms on which defenders usually cannot install the antivirus or endpoint detection and response (EDR) agents that protect workstations and servers, so post-exploitation activity on them often goes unobserved. Targeting these systems lets an attacker compromise an entire environment with one exploit, a far higher return per exploit developed; a browser or mobile-app exploit, by contrast, typically compromises one user at a time, so its impact is smaller.
Given these developments, companies need to understand how evolving vulnerability exploitation impacts their security posture and then identify which areas they need to reinforce:
- Improved patch management: Attackers are faster and more selective, and they exploit critical vulnerabilities shortly after disclosure, so companies must tighten their patching process, above all for internet-facing and other key systems.
- Hardening and containment of perimeter systems: VPN gateways and firewalls need MFA on both administrative and remote-access logins, continuous monitoring, and interim mitigations (e.g., IPS or virtual-patching rules) until a patch is applied. Their integration with Active Directory should follow least privilege: dedicated, low-privilege service accounts for LDAP or RADIUS binds and no domain administrator credentials stored on the appliance, so that a compromised device cannot be turned into control of the directory.
- Audits and advanced detection: Hybrid environments create blind spots, because the links between on-premises and cloud environments fragment visibility. Audit logging and alerting must cover both internal networks and cloud services, so that suspicious activity, such as an appliance's service account being used from an unexpected host or a cloud login from the same address that just attacked the perimeter, is detected rather than lost between two consoles.
XDR: Enhancing Defense
In an environment where a single intrusion moves across layers, from the perimeter to the cloud, isolated tools hinder an effective response: each one sees only a fragment of the attack. A unified view is needed that correlates signals from different sources, recognizes attack patterns that span them, and allows a quick response.
Extended Detection and Response (XDR) solutions integrate data from endpoints, perimeter devices, and cloud services, improving incident detection and speeding up response. For managed service providers (MSPs), XDR also serves as a key tool for monitoring multiple customer environments from a single platform. This not only enables earlier threat detection but also allows coordinated containment actions without relying on disconnected systems, resulting in a stronger security posture for the customer.
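To make the correlation idea concrete, here is an added example (not code from the original article or from any XDR product) that ingests constructed log lines from a VPN appliance, a domain controller, and a cloud audit trail, runs one simple detector per layer, and then clusters events that share an indicator (source IP, or the client IP a VPN tunnel was assigned) within a one-hour window. The appliance address `10.0.0.5`, the bind account `svc-vpn-ldap`, the line format, and all IPs and usernames are hypothetical. The domain-controller rule is the check behind the Active Directory isolation point above: the appliance's bind account should only ever authenticate from the appliance itself.

```python
"""Cross-layer correlation of VPN, domain-controller and cloud telemetry.

Added example with constructed log lines and a simplified line format; it is
not a real product's schema, and the IPs, hosts and account names are
hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed inventory (hypothetical): the VPN appliance's internal address and
# the low-privilege account it uses to bind to Active Directory.
VPN_APPLIANCE_IP = "10.0.0.5"
VPN_SERVICE_ACCOUNT = "svc-vpn-ldap"
WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    source: str        # "vpn", "dc" or "cloud"
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse `<iso-ts> <source> <kind> key=value ...` (constructed format)."""
    ts, source, kind, *kv = line.split()
    return Event(datetime.fromisoformat(ts), source, kind,
                 dict(p.split("=", 1) for p in kv))


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def signal(ev: Event):
    """Per-layer detector. Returns a signal name, or None for benign events."""
    f = ev.fields
    if ev.source == "vpn" and ev.kind == "admin_login" \
            and f.get("mfa") == "false" and not is_internal(f["src"]):
        return "vpn_admin_login_external_without_mfa"
    if ev.source == "dc" and ev.kind == "logon" \
            and f.get("user") == VPN_SERVICE_ACCOUNT and f["src"] != VPN_APPLIANCE_IP:
        # The bind account is only ever expected from the appliance itself.
        return "vpn_service_account_used_from_unexpected_host"
    if ev.source == "cloud" and ev.kind == "console_login" and not is_internal(f["src"]):
        return "cloud_console_login_from_external_ip"
    return None


def indicators(ev: Event) -> set:
    """Pivot keys: source IP plus, for VPN tunnels, the assigned client IP.
    Account names are deliberately not pivots: a shared service account would
    glue unrelated benign logons into every cluster."""
    keys = {ev.fields["src"]}
    if "assigned" in ev.fields:
        keys.add(ev.fields["assigned"])
    return keys


def correlate(lines):
    """Cluster events transitively linked by a shared indicator within WINDOW;
    report clusters holding signals from at least two layers."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    keys = [indicators(e) for e in events]
    adj = defaultdict(list)
    for i in range(len(events)):
        for j in range(i + 1, len(events)):
            if keys[i] & keys[j] and events[j].ts - events[i].ts <= WINDOW:
                adj[i].append(j)
                adj[j].append(i)
    seen, incidents = set(), []
    for start in range(len(events)):
        if start in seen:
            continue
        stack, comp = [start], []
        while stack:                      # depth-first walk of one component
            i = stack.pop()
            if i in seen:
                continue
            seen.add(i)
            comp.append(i)
            stack.extend(adj[i])
        hits = {(events[i].source, signal(events[i])) for i in comp if signal(events[i])}
        if len({src for src, _ in hits}) >= 2:
            incidents.append({"layers": sorted({src for src, _ in hits}),
                              "signals": sorted(s for _, s in hits),
                              "indicators": sorted(set().union(*(keys[i] for i in comp)))})
    return incidents


# Constructed sample telemetry: one benign user, then one cross-layer intrusion
# (admin UI login without MFA, tunnel from the same IP, bind account abused from
# the tunnel's client address, cloud console login from the attacker's IP).
SAMPLE_LOGS = [
    "2025-01-10T08:00:00 vpn tunnel_up user=bob src=198.51.100.9 assigned=10.0.5.20 mfa=true",
    "2025-01-10T08:01:00 dc logon user=svc-vpn-ldap src=10.0.0.5",
    "2025-01-10T09:12:00 vpn admin_login user=admin src=203.0.113.77 mfa=false",
    "2025-01-10T09:15:00 vpn tunnel_up user=bob src=203.0.113.77 assigned=10.0.5.21 mfa=false",
    "2025-01-10T09:20:00 dc logon user=svc-vpn-ldap src=10.0.5.21",
    "2025-01-10T09:41:00 cloud console_login user=ops-admin src=203.0.113.77",
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Each detector on its own is weak evidence: an external console login or an admin login without MFA is common noise. The value is in the pivot graph: the tunnel event, which is not itself a signal, links the attacker's external address to the internal client IP that later abuses the bind account, so the three layers collapse into one incident with a single indicator set to block. The benign events in the sample share no indicator with that cluster and are correctly left out.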
If you want to learn more about XDR and how it improves organizational security, check out the following articles on our blog: