Edge Appliance Compromises Expose Persistent Access Risks in Enterprise Networks
Investigations across multiple incidents have shown attackers gaining and maintaining access through internet-facing infrastructure, including SonicWall SMA devices, Cisco AnyConnect deployments, and F5 systems. Truesec reported a persistent web shell on SonicWall SMA appliances, while separate reporting tied exploitation of CVE-2020-3259 in Cisco AnyConnect to Akira ransomware activity. The UK NCSC also confirmed a compromise affecting the F5 network, underscoring that trusted remote-access and application delivery platforms remain high-value targets for intrusion and follow-on operations.
The broader pattern mirrors earlier high-impact compromises such as SolarWinds, where trusted enterprise technology became a pathway for stealthy access, and more recent financially motivated and state-linked campaigns, including Truesec reporting on a North Korean threat actor targeting the Nordic financial sector. Together, the cases show how compromise of edge devices and trusted network infrastructure can enable persistence, credential theft, lateral movement, and downstream attacks against enterprises and critical sectors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
North Korean threat actor targets Nordic financial sector
Truesec reported that a North Korean threat actor was targeting financial-sector organizations in the Nordic region, indicating an active campaign against that sector. No earlier campaign start date is available from the provided content.
Confirmed compromise of F5 network announced
The UK National Cyber Security Centre published a notice confirming compromise of the F5 network, marking a formal public disclosure of the incident. The provided reference does not include an earlier occurrence date beyond publication.
Akira ransomware linked to exploitation of Cisco AnyConnect vulnerability
Truesec reported on Akira ransomware activity involving exploitation of Cisco AnyConnect vulnerability CVE-2020-3259, adding technical detail on the intrusion path used by the attackers. No separate incident date is stated in the reference metadata provided.
Persistent web shell identified on SonicWall SMA devices
Truesec reported identifying a persistent web shell on SonicWall SMA appliances, indicating successful compromise and attacker persistence on affected systems. No earlier event date is provided in the reference, so the publication date is used.
SolarWinds supply-chain compromise disclosed
The SolarWinds incident became publicly known as a major supply-chain compromise affecting organizations globally, prompting government and industry investigations and response efforts. The reference does not provide a more specific event date, so the publication date is used.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Cisco Anyconnect Vulnerability Analysis - Akira Ransomware - Truesec
truesec.com
Open sourcePersistent web shell identified in SonicWall SMA - Truesec
truesec.com
Open sourceSolarWinds | National Cyber Security Centre
ncsc.gov.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Threat Actors Scale Attacks on Edge and Cloud Control Planes via Exposed Services and Trusted Relationships
Threat actors are increasingly targeting **network edge infrastructure**—including firewalls, routers, and VPN appliances—by exploiting critical vulnerabilities to gain durable footholds in environments where monitoring is often weaker than on endpoints. Reporting highlights a shift toward persistence mechanisms such as **device-family-specific backdoors** that can survive reboots and even firmware updates, and a growing pattern of abusing **trusted services and upstream providers** (the “**Fail-of-Trust Model**”) to pivot from compromised IT/service vendors into downstream government, military, and critical infrastructure networks. In parallel, a separate large-scale campaign tracked as **TeamPCP** (aka **PCPcat** / **ShellForce**) has been compromising **cloud environments** using automated, worm-like propagation against **misconfigured or exposed management interfaces** rather than novel exploits. Analysis cited in coverage attributes at least **60,000 compromised servers worldwide** to the operation, which scans for and abuses exposed services such as **Docker APIs**, **Kubernetes** control surfaces, **Redis**, and other cloud-adjacent interfaces, turning hijacked infrastructure into monetizable “crime bots” through industrialized exploitation of known weaknesses and misconfigurations.
Mar 21, 2026
Internet-Scale Scanning and Exploitation Pressure on Edge Network Devices (Cisco SD-WAN, SonicWall SSL VPN)
Security monitoring and reporting highlighted escalating attacker focus on internet-exposed edge infrastructure, including **active exploitation** of a maximum-severity Cisco SD-WAN flaw and **large-scale reconnaissance** against SonicWall firewalls. Cisco disclosed **CVE-2026-20127** (CVSS 10.0) affecting *Cisco Catalyst SD-WAN Controller* (vSmart) and *Catalyst SD-WAN Manager* (vManage), describing in-the-wild exploitation dating back to 2023 that enables **unauthenticated authentication bypass** leading to **administrative privileges** via crafted requests; Cisco attributes discovery to **ASD-ACSC** and tracks related activity as **UAT-8616**. Separately, GreyNoise-tracked activity showed a coordinated scanning campaign against **SonicWall SonicOS** devices using **4,000+ unique IPs** to enumerate targets—primarily probing a SonicOS **REST API endpoint** used to determine whether **SSL VPN** is enabled (a common precursor to follow-on credential attacks and exploitation). The campaign generated **84,142 scanning sessions** over a four-day window and was assessed as a continuation/escalation of similar late-2025 scanning that targeted both Palo Alto and SonicWall VPN infrastructure, reinforcing the likelihood of an impending exploitation wave against exposed and unpatched perimeter devices.
Mar 21, 2026
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026