Attackers are increasingly targeting the very perimeter devices—firewalls, routers, IPS solutions—meant to stand guard at the network’s edge. Unfortunately, many vendors can only flag malicious flows, rather than proactively blocking them at their source. At ThreatSTOP, we believe that any solution worth its salt must do more than filter traffic; it has to actively protect your critical infrastructure.

That’s where ThreatSTOP IP Defense comes in. By centrally managing and automating Access Control Lists (ACLs) on your firewalls, routers, and other IP-based systems, we make sure known malicious IPs never even reach your network—rather than merely watching them pass by. Below are a few real-world examples that emphasize just how crucial true perimeter protection is.


Cyberattacks on Routers and Firewalls: Notable Incidents

UNC3886 Espionage on Juniper Routers (2024)

In mid-2024, Mandiant uncovered that the China-nexus cyber espionage group UNC3886 had deployed custom backdoors on Juniper Networks’ Junos OS routers. These backdoors, based on TINYSHELL malware, were designed for long-term persistence, actively disabling logging mechanisms and injecting malicious code into legitimate processes to evade detection. The attackers exploited end-of-life Juniper hardware and software, demonstrating the critical importance of proactive patching, access controls, and automated threat intelligence.

UNC3886’s tactics reveal a growing trend: adversaries are increasingly targeting perimeter devices to gain privileged access and move laterally within networks. Unlike passive traffic filtering solutions, ThreatSTOP IP Defense actively fortifies network infrastructure by blocking known malicious IPs before they can exploit firewall, router, and IPS vulnerabilities.

For more details, see:

Mandiant Threat Intelligence Blog: Ghost in the Router – UNC3886 Targets Juniper Routers

MikroTik Router Cryptojacking Campaign (2018)

A massive cryptojacking attack compromised over 200,000 MikroTik routers to inject a Coinhive cryptocurrency miner into users’ web traffic. Attackers exploited an unauthenticated remote vulnerability in the Winbox management service (RouterOS) to gain admin access and modify web proxy settings. Initially impacting devices in Brazil, the campaign soon became a global issue. By creating persistent backdoors, the attackers demonstrated the dangers of unpatched firmware and the urgent need for robust security measures.

For more details, see:

Trustwave SpiderLabs Blog: Impatient Cryptominers – Massive Cryptojacking Campaign Targeting MikroTik Routers in Brazil


“Slingshot” APT via MikroTik Routers (2012–2018)

First uncovered by Kaspersky, Slingshot was a covert espionage operation that used compromised MikroTik routers to deliver a malicious DLL to administrators’ Windows PCs. When admins connected via the Winbox tool, the router secretly installed a sophisticated spyware toolkit on their machines. Operating undetected for years, Slingshot underscored how attackers can leverage perimeter devices as stealthy footholds into deeper network resources.

Read more about this discovery:

Kaspersky Securelist Blog: Slingshot – Hunting for Pegasus in the Network Jungle


How ThreatSTOP IP Defense Takes It Further

These high-profile router compromises highlight a critical truth: filtering alone can’t keep up with attackers targeting perimeter devices. Our IP Defense solution stands apart by:

1. Automating Threat Intelligence: We continuously update your ACLs with real-time malicious IP data derived from our ThreatSTOP Security, Intelligence, and Research team, ensuring attackers are locked out before they exploit your hardware.

2. Integrating at the Device Level: Instead of a mere traffic filter, IP Defense fully integrates into your firewall, router, or IPS system, strengthening the built-in ACL mechanism to preemptively block unwanted connections.

3. Protecting in Any Environment: From on-premises gear to cloud infrastructure, IP Defense seamlessly extends to wherever you need it, including firewalls, routers, IPS appliances, or even AWS WAF.

4. Complementing Protective DNS: While DNS Defense and DNS Defense Cloud protect your domain name system, IP Defense covers the IP layer. This dual-layered strategy gives you a unified stance against evolving threats.
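As an added illustration of the feed-driven ACL automation described in the introduction and in point 1 above (example code written for this post, not ThreatSTOP's own code, feed format or device integration), the script below parses a constructed blocklist feed, collapses adjacent prefixes, refuses to block a protected management range, and emits only the delta against entries already on the device. The feed format, the `deny ip` statement syntax and the 10.0.0.0/8 management range are assumptions.

```python
import ipaddress

# Constructed sample feed (not a real ThreatSTOP feed): one IP or CIDR per line,
# '#' comments, a malformed entry and a private range to exercise the guards.
SAMPLE_FEED = """
192.0.2.10        # trailing comment should be ignored
192.0.2.11
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
not-an-ip
10.0.0.0/8
"""
# Deny entries currently applied on the device (constructed).
CURRENT_ACL = {"192.0.2.10/31", "192.0.2.99/32"}
# Space that must never be blocked, e.g. the management subnet (assumed value):
# a bad feed entry must not lock administrators out of the device.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]

def parse_feed(text):
    """Return collapsed networks from a feed, skipping comments and junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole update
    # collapse_addresses takes one address family at a time; merging adjacent
    # prefixes keeps the ACL short, which matters on devices with small TCAMs.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def plan_acl_update(feed_text, current_acl, never_block):
    """Return (add, remove) sets of CIDR strings that reconcile the device with the feed."""
    desired = set()
    for net in parse_feed(feed_text):
        if any(net.version == s.version and (net.subnet_of(s) or s.subnet_of(net))
               for s in never_block):
            continue  # overlaps protected space: refuse to block it
        desired.add(str(net))
    return desired - current_acl, current_acl - desired

def render_acl(add, remove):
    """Vendor-neutral deny statements; a real device needs its own ACL syntax."""
    return [f"no deny ip {n}" for n in sorted(remove)] + [f"deny ip {n}" for n in sorted(add)]
```

Because only the difference is pushed, rerunning the script against an unchanged feed produces no statements, which keeps scheduled updates idempotent.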


Ready to Experience True Perimeter Protection?

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

Connect with Customers, Disconnect from Risks