March 16, 2015 By Leslie Horacek 4 min read

Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed.

2014 Saw a Surge in the Disclosure of ‘Designer Vulns’ and Security Incidents Targeting More Than Financial Gains

If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one. We witnessed over a billion records of personally identifiable information (PII) leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.

The below graphic provides some perspective on what a billion or more records might look like when compared with population sizes. While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.

Key Themes of 2014 Security Incidents

While condensing and correlating the year’s many diverse security incidents, we found three distinctive, overarching themes:

Privacy in a Digital World

  • Sensitive photos stored on a cloud service — which in itself is not fundamentally flawed — resulted in stolen data due to weak passwords, easy-to-guess security questions and service providers’ lax policies on brute-force authentication.
  • Private email communications at a major Hollywood studio were released.

Cracks in the Foundation

  • Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites.
  • Underlying libraries that handle cryptographic functionality on nearly every common Web platform — including Microsoft Windows, Mac OS X and Linux — were vulnerable to fairly trivial remote exploitations capable of stealing critical data.

Lack of Security Fundamentals

  • End-user password reuse
  • Leaving default passwords on admin systems
  • Poor challenge questions for password reset procedures


While general attack types remain consistent year to year, creative applications of these fundamental building blocks can vary greatly. Focusing on security fundamentals, such as password diligence, can provide a base level of protection that is invaluable.

‘Designer Vulns’ Changed How We Talk About Vulnerability Disclosures

We’ve long been accustomed to the naming of popular worms and exploits; even exploit kits are well-known, marketed and discussed with clever names such as “Blackhole,” “Sweet Orange,” “Nuclear” and “Neutrino,” to name just a few.

However, in 2014 we were introduced to our first taste of the “designer vuln,” a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure.

These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK. We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.

Dynamic Testing Is Shaking the Foundation of Vulnerability Reporting and Recording the Largest Count in History

Another surprising twist in 2014 came in September, when a disclosure by a CERT/CC researcher announced an automated tool to test the security of Android applications, known as Tapioca. Using this tool, he discovered security issues in thousands of Android applications. These vulnerabilities can allow an attacker to perform man-in-the-middle (MitM) attacks against affected mobile applications.

This effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.

X-Force cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This number includes the roughly 1,400 Android SSL issues that have CVE IDs and does not contain the potential 20,000+ that are still being tracked in the CERT/CC vulnerability disclosure. This tabulation represents a 9.8 percent increase over 2013 and is the highest single year total in the 18-year history of X-Force.

This announcement not only changed the 2014 year-end count, but also the discussion on how disclosures should be recorded and will likely be a matter of debate by the CVE editorial board until new choices are determined.

Continuing the discussion surrounding Android application development, within the report we also review the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures made at the midyear for the Android version of Cordova. Despite warnings, 10 of the 17 banking applications we tracked (59 percent) were still vulnerable four months later.

Finally, to round out the year-end review, we take a historical look back at how crowd-sourced malware is creating Citadel variants and pursuing industries beyond the original financial targets.

New X-Force Interactive Security Incident Website Announced!

In response to the high capacity, volume and nature of attacks that have continually increased over time, X-Force is launching the IBM X-Force Interactive Security Incident (ISI) website to help users gain an in-depth understanding of security events in the current year, as well as a historical perspective of how things have evolved year to year.

We encourage you to visit this site often to stay up-to-date on the latest breaches and security incidents as they are confirmed by public sources.

Stay tuned for an upcoming Security Intelligence article where we’ll give some behind-the-scenes insights into this interactive data visualization.

Read all the latest research from IBM X-Force

More from X-Force

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.Valentina Palmiotti, aka chompie, changed that. At the March 2024 competition, Palmiotti scored a full win with her discovery of an Improper Update of Reference Count bug to escalate privileges on Windows 11. It was her first time entering Pwn2Own.Pwn2Own is considered one of the most — if not the most — prestigious…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today