Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed.

2014 Saw a Surge in the Disclosure of ‘Designer Vulns’ and Security Incidents Targeting More Than Financial Gains

If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one. We witnessed over a billion records of personally identifiable information (PII) leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.

The below graphic provides some perspective on what a billion or more records might look like when compared with population sizes. While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.

Key Themes of 2014 Security Incidents

While condensing and correlating the year’s many diverse security incidents, we found three distinctive, overarching themes:

Privacy in a Digital World

  • Sensitive photos stored on a cloud service — which in itself is not fundamentally flawed — resulted in stolen data due to weak passwords, easy-to-guess security questions and service providers’ lax policies on brute-force authentication.
  • Private email communications at a major Hollywood studio were released.

Cracks in the Foundation

  • Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites.
  • Underlying libraries that handle cryptographic functionality on nearly every common Web platform — including Microsoft Windows, Mac OS X and Linux — were vulnerable to fairly trivial remote exploitations capable of stealing critical data.

Lack of Security Fundamentals

  • End-user password reuse
  • Leaving default passwords on admin systems
  • Poor challenge questions for password reset procedures


While general attack types remain consistent year to year, creative applications of these fundamental building blocks can vary greatly. Focusing on security fundamentals, such as password diligence, can provide a base level of protection that is invaluable.

‘Designer Vulns’ Changed How We Talk About Vulnerability Disclosures

We’ve long been accustomed to the naming of popular worms and exploits; even exploit kits are well-known, marketed and discussed with clever names such as “Blackhole,” “Sweet Orange,” “Nuclear” and “Neutrino,” to name just a few.

However, in 2014 we were introduced to our first taste of the “designer vuln,” a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure.

These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK. We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.

Dynamic Testing Is Shaking the Foundation of Vulnerability Reporting and Recording the Largest Count in History

Another surprising twist in 2014 came in September, when a disclosure by a CERT/CC researcher announced an automated tool to test the security of Android applications, known as Tapioca. Using this tool, he discovered security issues in thousands of Android applications. These vulnerabilities can allow an attacker to perform man-in-the-middle (MitM) attacks against affected mobile applications.

This effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.

X-Force cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This number includes the roughly 1,400 Android SSL issues that have CVE IDs and does not contain the potential 20,000+ that are still being tracked in the CERT/CC vulnerability disclosure. This tabulation represents a 9.8 percent increase over 2013 and is the highest single year total in the 18-year history of X-Force.

This announcement not only changed the 2014 year-end count, but also the discussion on how disclosures should be recorded and will likely be a matter of debate by the CVE editorial board until new choices are determined.

Continuing the discussion surrounding Android application development, within the report we also review the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures made at the midyear for the Android version of Cordova. Despite warnings, 10 of the 17 banking applications we tracked (59 percent) were still vulnerable four months later.

Finally, to round out the year-end review, we take a historical look back at how crowd-sourced malware is creating Citadel variants and pursuing industries beyond the original financial targets.

New X-Force Interactive Security Incident Website Announced!

In response to the high capacity, volume and nature of attacks that have continually increased over time, X-Force is launching the IBM X-Force Interactive Security Incident (ISI) website to help users gain an in-depth understanding of security events in the current year, as well as a historical perspective of how things have evolved year to year.

We encourage you to visit this site often to stay up-to-date on the latest breaches and security incidents as they are confirmed by public sources.

Stay tuned for an upcoming Security Intelligence article where we’ll give some behind-the-scenes insights into this interactive data visualization.

Read all the latest research from IBM X-Force

More from Threat Research

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Expert Insights on the X-Force Threat Intelligence Index

5 min read - Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment…

5 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

Your private information is probably being sold on the dark web. How can criminals use it?

18 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Late last year, a well-known ride share app and a gaming company were hacked using well-crafted social engineering attacks. Many organizations think they’re safe from attacks by employing top-of-the-line security practices, tools and systems. Those will help deter many types of attacks, but social engineering is a stealthy method savvy threat actors can use to circumvent those measures. And they obviously do it successfully. Social engineering involves…

18 min read