Hackers are doing their homework – and your VPN is first on the list, report warns

New findings from Hewlett Packard Enterprise (HPE) show that cybergangs like Akira are diligently doing their market research on VPN technologies to identify weak entry points before launching attacks.
The research, from HPE’s “In the Wild” threat report – which combines intelligence from both HPE and its newly-acquired network security firm Juniper Networks – highlights how attackers are analyzing which VPN services are most widely used, how quickly patches are being applied, and where misconfigurations are most common.
As a case in point, the paper cites the prolific ransomware group Akira, which tends to target small and medium-sized businesses, as a criminal group known to conduct extensive research into VPN vulnerabilities to plan its intrusions.
“By understanding which VPN systems a company was using, the group tailored its attack tools, which is analogous to a company conducting market research before launching a product.”
HPE’s “In the Wild” threat report
And the cybercriminals’ homework paid off, the report added, “with more successful breaches and rapid deployments of ransomware once inside.”
Remote devices targeted
Rather than relying on opportunistic exploits, criminals are also prioritizing access routes that offer the highest chance of success – often targeting trusted remote access systems that can open the door to corporate networks.
That focus extends beyond VPNs to the wider network edge, where devices such as VPN gateways, firewalls, and remote access appliances are becoming prime targets.
These systems, which sit at the periphery of a work or home office network and combine high privileges with internet access, offer what researchers describe as “a direct route in.”
The report highlights the scale of this targeting. Researchers observed more than 4,700 remote code execution attempts against digital video recorders (DVRs), along with 3,500 attempts exploiting Huawei routers.
The findings also highlight how attackers are exploiting a wide range of internet-connected devices, including those often overlooked in security strategies.
More than 2,700 exploit attempts targeted network-connected printers, for instance, as well as devices running on Realtek, which is commonly embedded in routers and IoT hardware.
HPE points out that attacks often succeed through compromised consumer devices (hijacking home-office routers or using personal gadgets as stepping stones).
As a result, these attacks fostered “an interconnected threat landscape from household networks up to critical systems.”
Attackers running campaigns via the Seychelles
The report also uncovered a geographical dimension to the criminal operations, which researchers said were becoming highly organized, enterprise-level operations pursuing high-value targets for significant financial gain.
Researchers noted that infrastructure across the Seychelles appeared in multiple campaigns. The small African country with a population of just over 120,000 stood out alongside larger nations such as the US, China, the UK, and Russia.
While not necessarily the physical location of the attackers, HPE noted that such regions can provide “reduced scrutiny and great anonymity for malicious infrastructure,” making them attractive bases for carrying out operations.
“In the case of the Seychelles, the surge in attacker IPs is linked to bulletproof hosting services operating there. These providers exploit jurisdictional loopholes – with servers offshore and enforcement difficulties – and offer criminals a safe haven,” the report added.