Russian-linked threat actor APT28 is strategically targeting network edge devices—including VPN concentrators, firewalls, and gateways—to establish persistence and bypass host-based security controls such as EDR and MFA. By exploiting vulnerabilities in unpatched or End-of-Life (EOL) firmware, APT28 implements perimeter traversal chains that remain invisible to standard endpoint monitoring. This campaign specifically targets US Federal agencies and critical infrastructure, creating high-risk entry points into Cyber-Physical Systems (CPS). Remediation is mandated via CISA advisory AA26-097A, requiring the immediate replacement or patching of unsupported edge hardware to eliminate unpatchable attack surfaces.

  • Campaign Overview: The Pivot to the Edge
    • Strategic shift from targeting endpoints to compromising the network perimeter.
    • Intentional bypass of EDR and MFA by operating within device firmware where agents cannot be installed.
    • Focus on establishing "invisible" footholds to facilitate long-term espionage.
  • Attack Vector: Firmware and EOL Exploitation
    • Targeting of unpatched and End-of-Life (EOL) firmware in VPNs, firewalls, and gateways.
    • Use of internet-wide scanning and reconnaissance to identify vulnerable perimeter assets.
    • Deployment of specific exploitation chains designed for seamless perimeter traversal.
  • Threat Actor Profile: APT28 Capabilities
    • High-sophistication Russian state-sponsored actor specializing in strategic reconnaissance.
    • Ability to maintain persistence on hardware architectures that lack modern security telemetry.
    • Capability to bridge the gap between traditional IT networks and Cyber-Physical Systems (CPS).
  • Impact and Regulatory Response
    • CISA AA26-097A mandates that federal agencies remediate or remove vulnerable edge devices.
    • Elevated systemic risk to critical infrastructure due to the prevalence of unsupported hardware.
    • Mandiant M-Trends 2025 identifies edge devices as "prime targets" for modern state-sponsored campaigns.
  • Defensive Actions and Mitigation
    • Immediate audit and decommissioning of all End-of-Life (EOL) edge hardware.
    • Implementation of rigorous network-level monitoring to detect anomalous perimeter traffic.
    • Strict adherence to CISA-mandated patching cycles for all firewall and VPN concentrator assets.
