Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed.

2014 Saw a Surge in the Disclosure of ‘Designer Vulns’ and Security Incidents Targeting More Than Financial Gains

If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one. We witnessed over a billion records of personally identifiable information (PII) leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.

The below graphic provides some perspective on what a billion or more records might look like when compared with population sizes. While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.

Key Themes of 2014 Security Incidents

While condensing and correlating the year’s many diverse security incidents, we found three distinctive, overarching themes:

Privacy in a Digital World

  • Sensitive photos stored on a cloud service — which in itself is not fundamentally flawed — resulted in stolen data due to weak passwords, easy-to-guess security questions and service providers’ lax policies on brute-force authentication.
  • Private email communications at a major Hollywood studio were released.

Cracks in the Foundation

  • Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites.
  • Underlying libraries that handle cryptographic functionality on nearly every common Web platform — including Microsoft Windows, Mac OS X and Linux — were vulnerable to fairly trivial remote exploitations capable of stealing critical data.

Lack of Security Fundamentals

  • End-user password reuse
  • Leaving default passwords on admin systems
  • Poor challenge questions for password reset procedures

Recommendations

While general attack types remain consistent year to year, creative applications of these fundamental building blocks can vary greatly. Focusing on security fundamentals, such as password diligence, can provide a base level of protection that is invaluable.

‘Designer Vulns’ Changed How We Talk About Vulnerability Disclosures

We’ve long been accustomed to the naming of popular worms and exploits; even exploit kits are well-known, marketed and discussed with clever names such as “Blackhole,” “Sweet Orange,” “Nuclear” and “Neutrino,” to name just a few.

However, in 2014 we were introduced to our first taste of the “designer vuln,” a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure.

These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK. We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.

Dynamic Testing Is Shaking the Foundation of Vulnerability Reporting and Recording the Largest Count in History

Another surprising twist in 2014 came in September, when a disclosure by a CERT/CC researcher announced an automated tool to test the security of Android applications, known as Tapioca. Using this tool, he discovered security issues in thousands of Android applications. These vulnerabilities can allow an attacker to perform man-in-the-middle (MitM) attacks against affected mobile applications.

This effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.

X-Force cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This number includes the roughly 1,400 Android SSL issues that have CVE IDs and does not contain the potential 20,000+ that are still being tracked in the CERT/CC vulnerability disclosure. This tabulation represents a 9.8 percent increase over 2013 and is the highest single year total in the 18-year history of X-Force.

This announcement not only changed the 2014 year-end count, but also the discussion on how disclosures should be recorded and will likely be a matter of debate by the CVE editorial board until new choices are determined.

Continuing the discussion surrounding Android application development, within the report we also review the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures made at the midyear for the Android version of Cordova. Despite warnings, 10 of the 17 banking applications we tracked (59 percent) were still vulnerable four months later.

Finally, to round out the year-end review, we take a historical look back at how crowd-sourced malware is creating Citadel variants and pursuing industries beyond the original financial targets.

New X-Force Interactive Security Incident Website Announced!

In response to the high capacity, volume and nature of attacks that have continually increased over time, X-Force is launching the IBM X-Force Interactive Security Incident (ISI) website to help users gain an in-depth understanding of security events in the current year, as well as a historical perspective of how things have evolved year to year.

We encourage you to visit this site often to stay up-to-date on the latest breaches and security incidents as they are confirmed by public sources.

Stay tuned for an upcoming Security Intelligence article where we’ll give some behind-the-scenes insights into this interactive data visualization.

Read all the latest research from IBM X-Force

More from Threat Research

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Defending Education from Cyber Threat Attackers

Threat actors — and particularly ransomware attackers — have education institutions in their crosshairs. From Vice Society’s September attack on schools in California to Snach’s late October assault on schools in Wisconsin, threat actors are not holding back when it comes to preying on schools. K-12 schools are the most vulnerable within the education industry, with many having only small staffs and even smaller budgets for defending against attacks. In addition, attacks have trickle-down effects on school staff, students and…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…