2015 was a very interesting year. As you likely recall, 2014 was considered by many to be the year of the data breach. 2015 saw plenty of action, but nothing like the huge retail point-of-sale (POS) breaches we saw in late 2013 and early 2014. This past year, by contrast, we witnessed the health care industry — formerly on the sidelines of the cyber war — become a prime target. In fact, five of the eight largest health care security breaches of the last five years happened during the first six months of 2015.
Breaches of Note in 2015
There were also some breaches of significance not due to the number of users affected, but for their ongoing ramifications. One example is the breach of the U.S. Office of Personnel Management (OPM). Over time, the number of people who might have been affected by the breach grew to more than 22 million, The Washington Post reported. It is not just the number of users but the depth of the information the attackers obtained through the breach that is of concern. The compromised information may have included detailed data from security clearance and background checks, even fingerprints.
Then there was the breach of the company Hacking Team, which creates and sells surveillance software. This not only provided information on the company and its customers (which included governments), but also unleashed multiple zero-day exploits for Adobe Flash Player on the world, Trend Micro reported. They appear to have been created by the company for use in its offensive software products.
Then there’s the infamous Ashley Madison breach, which was of great public interest simply due to the site’s purpose. The details of more than 30 million users were obtained by the attackers and then published online, creating more than a little discomfort for many users who would probably have preferred their information remained private.
Given the nature of the Ashley Madison site and the information exposed, there were also attempts to extort money from victims of the data breach, either by claiming the details could be removed for a fee or by threatening to forward the user information to third parties unless the extortionist was paid.
Ransomware and Other Attack Vectors Grow
Speaking of extortion, 2015 also saw significant extortion-related activity. Ransomware such as Cryptowall had a big year, possibly due to exploit kits that reduced the level of skill required by an attacker to carry out such an attack. There was also an increase in the use of threats such as distributed denial-of-service (DDoS) attacks to extort money from victims. At the beginning of 2015, the name DD4BC was perhaps most commonly connected with these attacks.
But as the year progressed, a new name — Armada Collective — emerged as the one most associated with DDoS attacks. The basic attack methodology remains the same, but there is a variance in the delivery mechanisms and content of the threatening messages that use the Armada Collective name. The attacks have been targeting financial institutions and are not limited to a single geography. This suggests that there may be multiple entities operating under a single moniker.
Vulnerabilities Led to Attacks
Last year, when we looked at vulnerabilities through 2014, it was easy to pick two as the year’s most significant: Heartbleed and Shellshock. While there was no shortage of vulnerabilities in 2015, we didn’t see any on that level. However, one product stood out this year: the ubiquitous Adobe Flash Player.
In December alone, Adobe patched almost 100 vulnerabilities in Flash. While Adobe is responsive and provides fixes promptly for vulnerabilities brought to its attention, it is not uncommon for flaws to be discovered only when they’re being exploited in the wild.
Of course, vulnerabilities can lead to malware, and 2015 had a lot of activity from malware used to commit financial crimes. We shouldn’t forget the age-old spam and scam issues. What changed through 2015 with these threats? Well, not a lot, really — there was more evolution and refinement. Attachments and links in emails are still utilized by attackers to infect systems or direct victims to malicious URLs. Spear phishing remains one of the more successful vectors used to breach companies.
Advice for 2016
You’ve probably read plenty of articles providing predictions for the cybersecurity landscape in 2016. Rather than attempt to predict the future, I’d prefer to offer some simple advice to help protect you from current and future threats:
- As Adobe Flash demonstrated, patching is of utmost importance to stay secure. Yes, there will often be lag time between the discovery of a vulnerability and its being fixed in an update, but keeping operating systems and applications (including on mobile devices) up to date will go a long, long way toward keeping you safe from exploitation.
- Keeping antivirus software and signatures updated is a must.
- User training in the dangers of emails and links can help prevent a spear phishing attack from being successful.
Sounds easy, doesn’t it? But these simple steps truly can be the difference between investigating an alert versus investigating a breach.
Senior Threat and Intelligence Analyst, IBM X-Force