Introduction
Cyber security is not a “set it and forget it” exercise. Risk is constantly changing – and that means security strategy must continue to evolve as well. MFA is a good example. Five years ago, it was considered a gold standard for risk reduction by insurance companies. Today, it's table stakes, effective only in conjunction with a host of other security measures which have evolved to address the shifting threat landscape.
Alton Kizziah
CEO, Beazley Security
Edge Device Exploitation: A Threat to Watch
There’s been a recent shift in how threat actors gain access to environments.
Previous generations of attackers focused on gaining network access through endpoints like workstations and servers, using phishing emails with malicious links or weaponized documents, stolen credentials, or the installation of back doors. But as organizations and vendors have improved endpoint security, attackers have shifted their focus toward edge devices that may be out of date, unpatched, or otherwise vulnerable.
Threat actors have traditionally relied on stolen credentials as the primary method for gaining access to an environment via edge devices. Although this risk is well understood, organizations still struggle to address it, for several reasons: users may recycle passwords or fail to use a password manager that makes long, strong passwords practical.
Where MFA is absent, weak or recycled passwords allow the brute-forcing and password-spraying techniques that have compromised organizations for decades. Where MFA is present but weakly configured, threat actors have adapted their techniques to bypass it altogether: stealing session tokens (attacker-in-the-middle, or AiTM), deceitfully guiding users through rogue authentication flows (device code phishing), or coercing users into consenting to malicious OAuth (Open Authorization) applications that look legitimate but give the threat actor access to the user’s resources.
What is an edge device?
Edge devices are systems that connect an internal network and the public internet. They are explicitly designed to be directly accessible from the internet. The most common types include firewalls, VPNs, and file transfer appliances.
Quickly identifying vulnerabilities as new risks evolve is an ever-present challenge for organizations. Without insight into how or where an edge device might be exploited next, ongoing prevention and preemptive measures are essential to self-defense.
These measures include:
Extended detection and response (XDR) to provide visibility into the entire attack surface
Robust vulnerability management and patching to ensure devices are protected
Other defense in depth controls to prevent attackers from moving around within the network undetected and expanding on their foothold
Faster exploitation of newly released vulnerabilities has elevated edge device concerns. As soon as a new exposure is made public, large numbers of threat actors mobilize to exploit it. Using commonly available tools, they can easily scan for Internet-facing devices that may be vulnerable. Once they gain initial access to an environment through the edge device vulnerability (sometimes in as little as 8 hours after becoming aware of the vulnerability), they can either maintain persistent access or immediately export data via file hosting services without compromising the rest of the environment.
Finding potentially vulnerable devices is easy with simple scanning tools, and testing whether they have been patched is straightforward. This makes it a numbers game for threat actors – and the numbers are in the attackers' favor.
Threat actors often see a high success rate from edge device access because of poorly managed credentials, but with the ease and ready availability of MFA bypass-capable phishing infrastructure, attackers can now target even organizations that have robust MFA controls in place.
MFA is most commonly circumvented using a technique called “attacker in the middle”, where a threat actor sends a phishing e-mail containing a link that proxies and intercepts the connection between the victim and a login portal (most often Office 365). This allows the threat actor to capture session tokens and other technical secrets; essentially, the threat actor circumvents MFA by obtaining a legitimately authenticated session. The technique succeeds because it presents a 1:1 clone of the target login page, leaving only the phishing server URL and the details in the TLS certificate as visual giveaways of the phish.
In organizations where VPN access requires single-sign-on for authentication, a successful AiTM attack could directly lead to network access within minutes. It’s much easier, after all, to rob a house when you have the keys instead of smashing the door.
Putting the Risks in Context: Case Studies & Data
CASE STUDY: Patching reveals compromise
The client operates residential treatment facilities. Following a Fortinet advisory about a 0-day vulnerability, the client had quickly alerted their IT vendor to patch the affected firewalls in their network. Less than 24 hours from publication of the 0-day, the IT vendor discovered that four firewall edge devices had been compromised.
Beazley Security was engaged to investigate, contain, and eradicate the attack. Investigation determined that because the VPN was exploited, the threat actor was able to obtain every username and password on the device and enter the environment. The threat actor used automatic privilege escalation to become a super user, gaining complete access and the ability to create legitimate accounts, and quickly exploited that to create many new admin and user accounts. The attacker also changed configuration rules to ease further remote access, extending their foothold.
Merely shutting down one or two accounts would not have ensured the threat actor wouldn’t return. However, the client delayed resetting credentials when the incident was first identified, taking time first to investigate the initial alert. This left the exploited organization playing whack-a-mole to address the issue while the threat actor moved quickly within the environment. The investigators identified the compromised accounts, removed the persistence mechanisms, and installed EDR to provide visibility and make sure no further activity from the threat actor occurred.
Threat actors’ shift to focus attacks on edge devices is the driving force behind Beazley Security Labs’ vulnerability research efforts.
This team closely monitors and evaluates security risks from new software vulnerabilities to issue advisories about the most pressing risks to clients. The Labs team takes a risk-based approach when releasing advisories, detailing vulnerabilities deemed most likely to lead to a damaging cyber incident for Beazley clients.
On average, 40 to 50 vulnerabilities are flagged each week, and whittling these down to identify those most significant to Beazley clients is central to the value the Labs team brings.
The workflow
Our expert Labs team reviews each new vulnerability to assess the likelihood of exploitation, the ease of abuse, and the potential damage a threat actor could achieve.
Our team then leverages our visibility into the external-facing systems of the Beazley insured client base to determine the percentage of organizations that may be impacted, and issues advisories based on the ease of exploitation, the number of devices we see exposed on client perimeters, and the impact threat actors could have. Owing to this careful screening process, clients can be confident that they must immediately respond to any vulnerability that merits an advisory.
Even though vulnerabilities may not be easy for low-skilled attackers to exploit, ransomware groups are often able to hire experts to create working exploits once the vulnerabilities are publicly disclosed.
What CISOs Should Know: Best Practices and Technical Solutions
When assessing the risk of exploited vulnerabilities, it’s important to identify how the exploit may or may not be applicable to your organization.
This starts with determining whether the vulnerable software or device is visible from the Internet and exploitable in your environment. However, it's important to note that even if a vulnerability does not appear to be exploitable in your environment today, this is not a guarantee that it won’t be exploitable in the future. Suppliers continually enhance their products by adding new features and updating software, which can lead to new vulnerabilities, so a robust vulnerability management and patching process is a must.
Edge devices, such as VPN gateways or file transfer systems, are visible on the Internet and need to be exposed by design, but segmentation best practices can help reduce this risk. A good starting point for this is a review of your segmentation policies: Are they supported by the correct data? Have you identified and classified what assets are considered critical? Do you have updated network mapping and data flows documented?
There are two problems created by having management consoles for exposed edge devices.
First, the consoles become another point that attackers can scan and attack, and they can reveal information that helps attackers identify the device.
Additionally, if management consoles are visible from the Internet, attackers can typically test stolen passwords against them to gain entry.
As a general rule, it’s considered best practice to limit the number of services exposed to the Internet. However, some degree of exposure is often unavoidable, making hardening of Internet-exposed services essential. Most companies that make appliances with management consoles provide hardening guidance. This may include limiting access to the management console to a single IP address or to an administrative subnet of IPs from which changes can be made.
Organizations can’t solely rely on one security control – a defense in depth strategy is essential to protect the environment as a whole.
When we're talking about defense in depth, multiple layers, multiple controls, and multiple protocols need to be evaluated. It’s not enough to simply buy a product, install it, and hope not to get hacked – nor is it sufficient to just patch and hope for the best. Organizations need to be adapting to the cyber threat landscape as it evolves to detect and respond to threats. A comprehensive defense in depth program will include:
Vulnerability scanning and patching processes
EDR that’s deployed everywhere and is configured to actively block threats
MDR/SOC monitoring and investigation of alerts
Restrictions on lateral movement to slow threat actors down
Identity and Access Management (IAM)
In addition, there are some best practices specific to certain industries.
Financial Services
Credit unions, local banks, and insurance companies that handle sensitive financial data are prime targets for cyberattacks. In addition to the above best practices, financial services organizations should:
Deploy transaction and behavior monitoring to detect fraudulent and unusual account activity.
Conduct regular vulnerability scanning and patching to monitor for out-of-date software; ensure compensating controls are implemented around legacy devices that are no longer supported.
Monitor and review third-party systems (such as core providers) to ensure they are patching and deploying up-to-date systems.
Implement micro-segmentation and limited access to legacy systems.
Monitor and log legacy applications/systems.
Utilize Strong Customer Authentication (SCA) as additional verification for transactions.
Ensure financial data is encrypted in transit and at rest.
Limit API exposure – APIs should follow strict authentication and monitoring protocols.
Healthcare
Healthcare organizations, including hospitals, clinics, and healthcare providers that need to protect patient data and comply with regulations like HIPAA (Health Insurance Portability and Accountability Act) and HITECH, are also advised to:
Secure electronic health records (EHRs) by encrypting patient data in transit and at rest.
Monitor third-party vendors by ensuring they comply with healthcare security standards.
Implement medical device security by isolating IoT medical devices.
Conduct regular patching and vulnerability scanning to continuously check for outdated software.
Train staff in phishing and social engineering tactics and ensure users follow best practices around shoulder surfing, password management, and unattended computers.
Technology
Technology companies, including software developers and IT service providers, require strong cybersecurity measures to protect intellectual property and customer data. The following are best practices for this industry:
Enforce a secure software development lifecycle (SDLC) by using secure coding practices and by conducting frequent security testing.
Apply DevSecOps by integrating security testing within continuous integration/continuous deployment (CI/CD) pipelines.
Scan open-source dependencies for known vulnerabilities.
Monitor cloud security to make sure cloud environments are configured securely.
Assess applications and internal and external networks to monitor for out-of-date software and operating systems.
SaaS Companies
For software-as-a-service (SaaS) companies that handle sensitive customer data and need to ensure their security posture is strong, best practices should include:
Tenant isolation in multi-tenant environments to prevent data leakage between tenants.
Security configuration management (SCM) to continuously enforce secure settings in the cloud.
Attribute-based access control (ABAC) to limit data access permissions.
Runtime application self-protection (RASP) to monitor and prevent in-application attacks.
Manufacturing & Industrial
Manufacturing and industrial companies that rely on operational technology (OT) and industrial control systems (ICS) are increasingly targeted by cyber threats. These organizations are well advised to:
Segment IT and OT networks to prevent lateral movement between industrial control systems and corporate IT.
Monitor industrial IoT devices to secure legacy and smart factory equipment.
Manage patching for legacy systems, including implementation of compensating controls for unsupported legacy devices.
Ensure physical security controls restrict unauthorized access to industrial systems.
General best practices for preventing stolen credential exploitation that every organization should follow include:
Identity and Access Management (IAM)
Enforce MFA
Passwordless authentication
Role-based and just-in-time access
Identity protection policies (sign-in risk), if applicable
Monitor for credential leaks
Limit use to modern authentication methods and block legacy authentication methods
Credential Security
Enforce strong password policies
Use privileged access management (PAM)
Adaptive authentication
Audit and monitor login attempts
Block access from breached credentials
Endpoint and Network Security
Continuous monitoring and anomaly detection
Network segmentation
Enforcement of device security policies
Enable geofencing and IP restrictions
Automate session timeouts and reauthentication
Recently released advisories can always be found on our website, beazley.security/alerts-advisories.
Francisco Donoso
Chief Product and Technology Officer, Beazley Security
“The trend is now shifting to encompass faster exploitation of exploits or vulnerabilities. Threat actors are watching closely for developers, manufacturers, and vendors to publicize a vulnerability, and then they pounce on the opportunity.”
CASE STUDY: Exploitation of stolen VPN credentials shuts down manufacturing
The client is a building supply manufacturer operating more than 10 different facilities, with manufacturing, warehouse, and shipping departments. On the first morning, the client received notice from their security provider about a potential incident affecting several locations. The client noticed lateral movement within its systems, discovered that its VMware hosts were shut down, and found a note from the RansomHub threat actor.
Beazley Security was engaged for the forensic investigation and data restoration. Investigation determined the threat actor had leveraged valid credentials for three different accounts to access the VPN. Upon gaining access, the threat actor used SSO to access the VMware console, launched malware to kill EDR agents, encrypted four virtual servers as well as endpoints, and exfiltrated more than 200GB of data.
Even though the client had good backups, full recovery took more than two weeks, and delays in their ability to manufacture and fulfill orders led to significant losses in their profit margin. Data mining was required for the stolen data, and incident response counsel facilitated notice to more than 2,200 individuals, as well as regulators.
Dr. Mohibi Hussain
Director, Global Advisory Services, Beazley Security
“With the decrease in time to exploit, there's a much more finite delta between an organization’s compliance policies, their patch management schedules, and the ease of a threat actor to achieve those actions on objective. Consistent monitoring of the environment and a faster, effective patch management system is crucial.”
When you suspect a VPN has been compromised: the IR lifecycle
Incident response is not a linear process. We go forward and backward as we obtain new information, analyze it, and draw conclusions. The IR process includes these steps:
Searching for vulnerabilities that might have allowed access to your network
Ensuring logs are retained for 60 or 90 days so the incident can be investigated
Auditing user and admin accounts, since a threat actor often starts creating new accounts immediately after gaining access in order to ensure persistence
Monitoring for suspicious user behavior or admin activity, such as logins from unusual IP addresses or at unexpected times
Resetting credentials for accounts known to be compromised or that could have been compromised
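The VPN-compromise IR checklist in this section (audit accounts created after the compromise, watch for logins from unusual IP addresses or at unusual times, reset credentials that are or could be compromised) can be turned into a first triage pass over VPN and firewall audit logs. The example below is added here and is not Beazley Security's code or tooling. The key=value log format, the known address range 198.51.100.0/24, the business hours of 08:00 to 17:59 UTC, the suspected compromise time, and the eight log lines themselves are all constructed assumptions. It seeds the compromised set from unusual successful logins and then propagates through account creations, so an account created by a compromised account (and any account created by that one) is treated as attacker persistence, as in the first case study.

```python
"""First triage pass over VPN and firewall audit logs after a suspected VPN
compromise.  Added example, not Beazley Security tooling; the log format,
address ranges, business hours and sample lines are constructed assumptions."""
from datetime import datetime, timezone
import ipaddress

# Constructed sample log: "timestamp host type key=value ...", eight events.
SAMPLE_LOG = """\
2025-03-10T09:05:22Z vpn01 auth user=jsmith src=198.51.100.7 result=success
2025-03-10T02:14:07Z vpn01 auth user=jsmith src=203.0.113.45 result=success
2025-03-10T02:15:30Z vpn01 auth user=admin src=203.0.113.45 result=failure
2025-03-10T02:20:41Z fw01 admin action=user_add user=svc_backup2 role=admin by=jsmith
2025-03-10T02:21:03Z fw01 admin action=user_add user=helpdesk9 role=user by=svc_backup2
2025-03-10T02:22:15Z fw01 admin action=config_change key=remote_admin_allow value=any by=svc_backup2
2025-03-10T10:12:00Z vpn01 auth user=mlee src=198.51.100.22 result=success
2025-03-10T11:40:13Z fw01 admin action=user_add user=newhire1 role=user by=mlee
"""

# Assumed: the ranges staff normally connect from, and business hours in UTC.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(8, 18)
# Assumed: when the responder believes the edge device was first compromised.
SUSPECTED_COMPROMISE = datetime(2025, 3, 10, 2, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one 'timestamp host type k=v k=v ...' line into a dict."""
    ts, host, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
             "host": host, "kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unusual_logins(events, networks=KNOWN_NETWORKS, hours=BUSINESS_HOURS):
    """Successful logins from outside the known ranges or outside business
    hours.  Returns (user, src, reason) tuples; one login can match both."""
    findings = []
    for e in events:
        if e["kind"] != "auth" or e.get("result") != "success":
            continue
        src = ipaddress.ip_address(e["src"])
        reasons = []
        if not any(src in net for net in networks):
            reasons.append("unknown source range")
        if e["ts"].hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["user"], e["src"], "; ".join(reasons)))
    return findings


def compromised_accounts(events, networks=KNOWN_NETWORKS, hours=BUSINESS_HOURS):
    """Seed with accounts behind unusual logins, then add every account created
    by a compromised account, repeating until nothing new appears."""
    known = {user for user, _, _ in unusual_logins(events, networks, hours)}
    adds = [e for e in events
            if e["kind"] == "admin" and e.get("action") == "user_add"]
    changed = True
    while changed:
        changed = False
        for e in adds:
            if e["by"] in known and e["user"] not in known:
                known.add(e["user"])
                changed = True
    return known


def triage(events, since=SUSPECTED_COMPROMISE):
    """The three lists a responder acts on: credentials to reset now, accounts
    created in the window that still need auditing, and configuration changes
    made by compromised accounts that should be rolled back."""
    known = compromised_accounts(events)
    created = {e["user"] for e in events
               if e["kind"] == "admin" and e.get("action") == "user_add"
               and e["ts"] >= since}
    rollback = [(e["key"], e["value"], e["by"]) for e in events
                if e["kind"] == "admin" and e.get("action") == "config_change"
                and e["by"] in known]
    return {"reset_now": sorted(known),
            "audit": sorted(created - known),
            "rollback_config": rollback}


if __name__ == "__main__":
    for label, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{label}: {items}")
```

On the constructed log, jsmith's 02:14 login from 203.0.113.45 is the only unusual login, so jsmith and the two accounts chained from that session (svc_backup2, then helpdesk9) land in reset_now; newhire1, created in the window by an otherwise unremarkable user, goes to audit rather than being reset blindly; and the remote_admin_allow change made by svc_backup2 is listed for rollback, the equivalent of the remote-access rule changes in the first case study.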
Our teams constantly adapt as tactics evolve, identifying potential risks that could disrupt operations or compromise sensitive data and pinpointing strategies to mitigate those vulnerabilities – and the ability to share these experiences proactively with clients is key to the Beazley Security value proposition. This is why I’m so excited to introduce our new Cyber Risk | In Focus series. Part explainer, part analysis, and part data resource, these reports are designed to dig deep into emerging trends as they’re unfolding and help you make informed decisions about your cyber defenses.
Cyber resilience is not just a defense strategy; it’s also a business enabler, keeping systems and organizations resilient in the face of cyber threats. We’re already seeing how different the conversations look when real world data – from Beazley’s underwriting and claims teams and from our own security and research teams – is used to make risk decisions. We are stronger together and so, by extension, are the organizations that trust us to cover their full spectrum of cybersecurity needs.
So, let’s dive in. Today, we’re taking a preemptive look at edge device exploitation, including how the faster exploitation of newly released vulnerabilities is impacting organizational risk. Read on to learn what this could mean for your businesses and what you can do preemptively to protect your environment.
Cyber Risk | In Focus
Edge Device Exploitation: The accelerating timeline
At Beazley Security, we’re here to help you navigate today’s complex cyber threat landscape with confidence. If you’d like to learn more about how our services can safeguard your business, contact us today.
© 2025 Beazley Security
beazley.security
Ready to Strengthen Your Security?
Distinctive cyber security expertise reinforced by proven performance in risk mitigation to power your resilience.
Relentless Innovation.
For today’s landscape, that means understanding how edge device vulnerabilities may be exploited – and which measures are most effective in protecting against the resulting risks. For the future, it also means having the resources and tools in place to monitor trends and act quickly on new fact-based recommendations.
As long as threat actors can leverage edge device vulnerabilities to gain access to systems, they will undoubtedly continue to do so. But they won’t stop there – and neither should you.
Ongoing education is a key component of preemptive cyber security. In a world where threat actors regularly change and refine their tactics, ensuring that your organization is ready for anything requires a continued commitment to staying abreast of the latest trends.
There are times when Beazley Security Labs may issue an advisory for systems that are not typically internet-facing but could still be at risk, e.g., the popular backup solution Veeam, which is often targeted by threat actors during ransomware attacks.
In a scenario like this, we may issue an advisory to Beazley Security MDR clients to strengthen defense in depth and post the advisory on our website. Taking a risk-based approach to vulnerabilities reframes them from a technical risk into an enterprise risk, reducing operational risk overall.
[Chart: primary cause of loss, by industry. Series shown: Average across all industries; Retail; Professional services & associations; Manufacturing & distribution; Non-profit; Government; Business services; Education; Financial institutions; Healthcare; Other industries.]
Managed Detection and Response: MITRE ATT&CK distribution in Q1
During Q1, Beazley Security MDR teams responded to a breadth of incidents across client environments. Throughout this reporting period, most response activity was focused on the early and middle stages of the attack kill chain, reflecting threat actors’ attempts to perform reconnaissance and their continuous attempts to move laterally within target environments. The monitored activity is consistent with opportunistic, automated campaigns conducted by attackers attempting to abuse initial access methods to quickly expand existing footholds. But we increasingly see attempts at initial compromise through infostealers delivered via malicious phishing links or downloads.
Data exfiltration
Soon after the resurgence of ransomware about six years ago, threat actors started using access to compromised networks not only to encrypt data, but to exfiltrate it. That gave them two additional pressure points for their ransom demands: the threat to expose stolen data and, later, the use of that data to target employees or customers of the victim organization to heighten the pressure. As we’d predicted, data exfiltration is now inevitable in cyber extortion incidents, with 100% of ransomware incidents in Q4 featuring data exfiltration.
Business Email Compromise
Professional services firms, including law firms and others involved in real estate and financial transactions, continue to be targeted by threat actors to divert and steal funds, and they experience the highest number of these incidents. But Government, Business Services, and Education have started to see a higher volume of BEC attacks.
Vendor Service Interruption
Third-party risks can spread across all industries, for instance when threat actors exploit commonly used software or tools such as in the Hafnium incident involving Microsoft Exchange Server in 2021, but as the chart shows, they can also significantly impact specific industries. The compromise in 2020 of Blackbaud, a commonly used fundraising and administrative platform for non-profits, had outsized impacts in non-profits and education. Service providers for financial services were targeted in 2023, leading to a spike for financial institutions. And in Q1, a data breach in late December 2024 of the PowerSchool platform used by many schools led to hundreds of downstream notifications.
Vulnerability trends in Q1 2025
New CVEs published by NIST: 12,066 (+8.69% change from Q4)
CVEs added to CISA KEV: 45 (+22% change from Q4)
Critical 0-day advisories published by Beazley Security Labs: 8 (+60% change from Q4)
Cyber activity - by the numbers: Q1 2025
Beazley Security, working with Beazley Insurance and our partners, has tracked cyber activity for more than five years. See here how the first quarter of 2025 stacks up. Feel free to reach out to discuss how these trends may impact your organization.
The industry breakdown shows how each industry's annual incident profile differs from the average. System intrusion risks are much more common in Manufacturing, for instance, where organizations may hold less personal data; Education, in contrast, shows the outsized effects of significant vendor incidents in certain years.