A newly released report by Sophos reveals a sophisticated multi-year APT (Advanced Persistent Threat) campaign that exploited network perimeter devices, using both new and older vulnerabilities to infiltrate high-value targets. Beginning in 2018, the campaign’s actors leveraged advanced tactics, techniques, and procedures to target internet-facing devices belonging to government and critical infrastructure entities, and other high-value targets. The campaign demonstrates that APT actors are increasingly focusing on network perimeters — especially unpatched, internet-facing devices like VPNs, routers, and other edge infrastructure — as prime entry points for further compromise.
“This campaign is a wake-up call about just how serious the threat to edge devices really is,” said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence. “Attackers are getting in through overlooked devices, deploying rootkits at the firmware level, and persisting on everything from routers to security cameras to HVAC systems and digital signage. And here’s the thing: detecting this kind of persistence today is incredibly tough. Major device platform vendors have entire teams dedicated to rooting out these threats on PCs, and it’s still a struggle. So, imagine trying to detect and defend against this level of sophistication on an embedded device like a router or a modem — almost no chance.”
At GreyNoise, we observe perimeter-focused attacker behavior across a range of vulnerabilities, both new and resurgent, providing us with a unique view of these threats as they unfold. This blog unpacks key strategic insights from the campaign, explains why network perimeter exploitation should be a top security focus, and provides actionable steps to help security teams stay one step ahead. We’ll explore some of the actively probed CVEs associated with this campaign, the ongoing risks of unpatched devices, and practical ways to mitigate exposure using real-time intelligence.
GreyNoise is proud to have contributed to Sophos’ research and we encourage you to read the full report. In an effort to aid in exposure mitigation efforts, GreyNoise is providing the following information to defenders:
- View exploit activity and actively block exploitation of the CVEs related to Pacific Rim.
- Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities
The APT Campaign: A Sophisticated and Stealthy Multi-Year Assault
The Sophos report details a sophisticated campaign beginning in 2018, where attackers initially targeted Cyberoam, an India-based Sophos subsidiary. Using intelligence gathered from Cyberoam, along with additional development, the attackers attempted mass exploitation to build a network of operational relay boxes (ORBs). However, after largely failing in this due to detection, they shifted tactics to remain under the radar, focusing exclusively on a small number of high-value targets. This more targeted approach enabled them to infiltrate select government agencies, critical infrastructure, and influential organizations such as embassies. This campaign underscores how APTs adapt and leverage both collected intelligence and advanced tradecraft to achieve their strategic goals.
The attackers exhibited patience and adaptability, evolving their approach from broad, indiscriminate scanning to targeted reconnaissance and exploitation. Their tactics included custom rootkits, firmware-based persistence, and sophisticated command-and-control channels, like ICMP tunneling and proxy chains, enabling long-term, stealthy access to compromised networks. This combination of large-scale scanning followed by focused exploitation demonstrates how attackers systematically identify and prioritize vulnerabilities on perimeter devices to achieve their objectives.
The Network Perimeter: An Overlooked but Critical Attack Vector
This campaign highlights how perimeter devices — including VPNs, routers, and other internet-facing systems — serve as critical points of entry for attackers. Although these devices are essential to network operations, ensuring timely patching can be challenging due to the business impact of taking these systems offline, making them attractive targets for attackers seeking to exploit this operational challenge.
GreyNoise’s data consistently shows that perimeter devices draw significant reconnaissance and scanning activity from malicious IPs probing weak points. Our real-time intelligence captures how attackers conduct broad scans across these devices, identifying which ones might be vulnerable to exploitation.
This heatmap highlights the volume of malicious IPs actively targeting high-profile systems leveraging CVEs related to the campaign, illustrating the intensity of reconnaissance and exploitation and offering critical insights for prioritizing defenses around these devices.
Security professionals should regularly audit and patch all high-profile systems that are internet-facing, especially those with widely known vulnerabilities. Leveraging IP blocklists allows security teams to intercept and block scanning activity on these endpoints, helping to prevent initial access and reduce perimeter risks.
Resurgent Vulnerabilities: The Persistent Threat of Unpatched CVEs
While newer vulnerabilities often dominate security headlines, this campaign underscores that attackers frequently exploit older vulnerabilities as well. Over 35% of the CVEs in Sophos' Database of Network Device CVEs were released before 2020, with 95% of them included in CISA’s Known Exploited Vulnerabilities (KEV) catalog — a vital resource for tracking high-risk vulnerabilities. Despite available patches, these CVEs often remain unpatched on many perimeter devices, making them easy targets for attackers.
Re-evaluate patching priorities to include older vulnerabilities that impact perimeter devices. GreyNoise’s CVE tracking provides insights into which resurgent vulnerabilities see active targeting, allowing teams to focus on high-risk vulnerabilities that are exploited repeatedly. Older vulnerabilities continue to present significant risk if left unpatched, particularly on perimeter devices.
The Role of Real-Time Reconnaissance in Understanding Exploitation Trends
According to the Sophos report, the attackers initially began their campaign with broad, indiscriminate scanning to locate vulnerable devices before refining their focus to specific, high-value targets. This phased approach demonstrates how attackers leverage large-scale reconnaissance to identify weak entry points and then shift to targeted exploitation.
GreyNoise’s real-time data on reconnaissance trends offers visibility into this broader phase, capturing which high-profile CVEs attackers are actively probing across devices. This data reveals where attackers focus their scanning efforts on the network perimeter, providing early indicators of which vulnerabilities are most at risk.
APTs Are Evolving, and the Network Perimeter Remains a Key Target
The precision and patience of this APT campaign send a clear message: perimeter devices remain prime targets, and unpatched vulnerabilities continue to offer attackers a simple path to network entry. The campaign reinforces the need for security professionals to maintain real-time visibility into these threats — both legacy CVEs and active reconnaissance of network devices.
By monitoring attacker behavior and focusing on high-risk vulnerabilities, teams can take concrete steps to strengthen their defenses against persistent, sophisticated attacks.
Supporting Your Exposure Management Efforts
We know that many organizations are working diligently to assess their exposure, analyze logs, and manage vulnerabilities following this APT campaign. To aid in this effort, GreyNoise is providing all users — both paying and free — 14 days of access to real-time exploitation data for the CVEs associated with this threat. Our goal is to help security teams stay informed and make it easier to track active exploitation.
Access the Data:
- View exploit activity and actively block exploitation of the CVEs related to Pacific Rim.
- Get 14 days of free access to GreyNoise Vulnerability Prioritization Intelligence to enable active blocking against exploitation of Pacific Rim-related vulnerabilities
- Read the documentation detailing how this feature works and how it can help you.
----
Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
.png)
