Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed.

2014 Saw a Surge in the Disclosure of ‘Designer Vulns’ and Security Incidents Targeting More Than Financial Gains

If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one. We witnessed over a billion records of personally identifiable information (PII) leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.

The below graphic provides some perspective on what a billion or more records might look like when compared with population sizes. While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.

Key Themes of 2014 Security Incidents

While condensing and correlating the year’s many diverse security incidents, we found three distinctive, overarching themes:

Privacy in a Digital World

  • Sensitive photos stored on a cloud service — which in itself is not fundamentally flawed — resulted in stolen data due to weak passwords, easy-to-guess security questions and service providers’ lax policies on brute-force authentication.
  • Private email communications at a major Hollywood studio were released.

Cracks in the Foundation

  • Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites.
  • Underlying libraries that handle cryptographic functionality on nearly every common Web platform — including Microsoft Windows, Mac OS X and Linux — were vulnerable to fairly trivial remote exploitations capable of stealing critical data.

Lack of Security Fundamentals

  • End-user password reuse
  • Leaving default passwords on admin systems
  • Poor challenge questions for password reset procedures


While general attack types remain consistent year to year, creative applications of these fundamental building blocks can vary greatly. Focusing on security fundamentals, such as password diligence, can provide a base level of protection that is invaluable.

‘Designer Vulns’ Changed How We Talk About Vulnerability Disclosures

We’ve long been accustomed to the naming of popular worms and exploits; even exploit kits are well-known, marketed and discussed with clever names such as “Blackhole,” “Sweet Orange,” “Nuclear” and “Neutrino,” to name just a few.

However, in 2014 we were introduced to our first taste of the “designer vuln,” a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure.

These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK. We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.

Dynamic Testing Is Shaking the Foundation of Vulnerability Reporting and Recording the Largest Count in History

Another surprising twist in 2014 came in September, when a disclosure by a CERT/CC researcher announced an automated tool to test the security of Android applications, known as Tapioca. Using this tool, he discovered security issues in thousands of Android applications. These vulnerabilities can allow an attacker to perform man-in-the-middle (MitM) attacks against affected mobile applications.

This effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.

X-Force cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This number includes the roughly 1,400 Android SSL issues that have CVE IDs and does not contain the potential 20,000+ that are still being tracked in the CERT/CC vulnerability disclosure. This tabulation represents a 9.8 percent increase over 2013 and is the highest single year total in the 18-year history of X-Force.

This announcement not only changed the 2014 year-end count, but also the discussion on how disclosures should be recorded and will likely be a matter of debate by the CVE editorial board until new choices are determined.

Continuing the discussion surrounding Android application development, within the report we also review the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures made at the midyear for the Android version of Cordova. Despite warnings, 10 of the 17 banking applications we tracked (59 percent) were still vulnerable four months later.

Finally, to round out the year-end review, we take a historical look back at how crowd-sourced malware is creating Citadel variants and pursuing industries beyond the original financial targets.

New X-Force Interactive Security Incident Website Announced!

In response to the high capacity, volume and nature of attacks that have continually increased over time, X-Force is launching the IBM X-Force Interactive Security Incident (ISI) website to help users gain an in-depth understanding of security events in the current year, as well as a historical perspective of how things have evolved year to year.

We encourage you to visit this site often to stay up-to-date on the latest breaches and security incidents as they are confirmed by public sources.

Stay tuned for an upcoming Security Intelligence article where we’ll give some behind-the-scenes insights into this interactive data visualization.

Read all the latest research from IBM X-Force

More from Threat Research

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…