January 13, 2016 By Lyndon Sutherland

2015 was a very interesting year. As you likely recall, 2014 was considered by many to be the year of the data breach. 2015 saw plenty of action, but nothing like the huge retail point-of-sale (POS) breaches we saw in late 2013 and early 2014. This past year, by contrast, we witnessed the health care industry — formerly on the sidelines of the cyber war — become a prime target. In fact, five of the eight largest health care security breaches of the last five years happened during the first six months of 2015.

Breaches of Note in 2015

There were also some breaches that were significant not because of the number of users affected, but because of their ongoing ramifications. One example is the breach of the U.S. Office of Personnel Management (OPM). Over time, the number of people who might have been affected by the breach grew to more than 22 million, The Washington Post reported. It is not just the number of users but the depth of the information the attackers obtained through the breach that is of concern. The compromised information may have included detailed data from security clearance and background checks, even fingerprints.

Then there was the breach of the company Hacking Team, which creates and sells surveillance software. This not only provided information on the company and its customers (which included governments), but also unleashed multiple zero-day exploits for Adobe Flash Player on the world, Trend Micro reported. The exploits appear to have been created by the company for use in its offensive software products.

Then there’s the infamous Ashley Madison breach, which was of great public interest simply due to the site’s purpose. The details of more than 30 million users were obtained by the attackers and then published online, creating more than a little discomfort for many users who would probably have preferred their information remained private.

Due to the nature of the Ashley Madison site and the information, there were also attempts to extort money from victims of the data breach by claiming the details could be removed for a fee or threatening to forward the user information to third parties unless the extortionist was paid.

Ransomware and Other Attack Vectors Grow

Speaking of extortion, 2015 also saw significant extortion-related activity. Ransomware such as Cryptowall had a big year, possibly due to exploit kits that reduced the level of skill required by an attacker to carry out such an attack. There was also an increase in the use of threats such as distributed denial-of-service (DDoS) attacks to extort money from victims. At the beginning of 2015, the name DD4BC was perhaps most commonly connected with these attacks.

But as the year progressed, a new name — Armada Collective — emerged as the one most associated with DDoS attacks. The basic attack methodology remains the same, but there is a variance in the delivery mechanisms and content of the threatening messages that use the Armada Collective name. The attacks have been targeting financial institutions and are not limited to a single geography. This suggests that there may be multiple entities operating under a single moniker.

Vulnerabilities Led to Attacks

Last year, when we looked at vulnerabilities through 2014, it was easy to pick two as the year’s most significant: Heartbleed and Shellshock. While there was no shortage of vulnerabilities in 2015, we didn’t see any on that level. However, one product stood out this year: the ubiquitous Adobe Flash Player.

In December alone, Adobe patched almost 100 vulnerabilities in Flash. While Adobe is responsive and provides fixes promptly for vulnerabilities brought to its attention, it is not uncommon for flaws to be discovered only when they’re being exploited in the wild.

Of course, vulnerabilities can lead to malware, and 2015 had a lot of activity from malware used to commit financial crimes. We shouldn’t forget the age-old spam and scam issues. What changed through 2015 with these threats? Well, not a lot, really — there was more evolution and refinement. Attachments and links in emails are still utilized by attackers to infect systems or direct victims to malicious URLs. Spear phishing remains one of the more successful vectors used to breach companies.

Advice for 2016

You’ve probably read plenty of articles providing predictions for the cybersecurity landscape in 2016. Rather than attempt to predict the future, I’d prefer to offer some simple advice to help protect you from current and future threats:

  • As Adobe Flash demonstrated, patching is of utmost importance to stay secure. Yes, there will often be lag time between the discovery of a vulnerability and its being fixed in an update, but keeping operating systems and applications (including on mobile devices) up to date will go a long, long way toward keeping you safe from exploitation.
  • Keeping antivirus software and signatures updated is a must.
  • User training in the dangers of emails and links can help prevent a spear phishing attack from being successful.

Sounds easy, doesn’t it? But these simple steps truly can be the difference between investigating an alert versus investigating a breach.
