Living on the Edge: Exploring zero-day edge device targeting from ORB networks

Products situated on the edge of enterprise networks, particularly firewalls and enterprise SSL VPNs, are increasingly targeted by cyber threat actors. In 2024, zero-day vulnerabilities affecting a range of these products were exploited by state-sponsored actors, with China particularly active in this area. To hide their operations, Chinese state-sponsored threat actors route traffic through covert 'ORB' (operational relay box) networks, often proxying through many layers or hops so that neither the true origin nor the final destination of the traffic is apparent to a defender. We have discovered and track many of these networks, and we believe that some are also used to target edge devices with zero-day exploits.

This talk will explore recent targeting of edge products with zero-day exploits via a number of ORB networks. It will assess the data trends observed through our tracking of these networks, and will use that data to analyse the organisations targeted by this activity, including those in government, critical national infrastructure and the defence industrial base. This will be followed by a look at the burgeoning offensive cyber ecosystem in China, in which exploits are funnelled to the state and exchanged between organisations, ultimately showing that edge device targeting with zero-day exploits is enabled by a lifecycle that begins with vulnerability mining and internal disclosure and ends with mass exploitation.