Malware and DDoS Were the Most Common Attack Types in 2014: IBM

IBM today released the 2015 IBM X-Force Threat Intelligence Quarterly, a report that details the security incidents, financial malware trends, risky Android apps, and vulnerability disclosures seen in 2014.

According to IBM, malware and distributed denial-of-service (DDoS) attacks took the lead last year in terms of volume. SQL injection attacks are still effective when it comes to extracting valuable information from Web servers and applications, but point-of-sale (PoS) malware has also helped cybercriminals steal a lot of records in the last year.

In 2014, the most commonly attacked industries were computer services (28.7%), retail (13%), government (10.7%), education (8%), and financial markets (7.3%). A majority of the security incidents observed by the company were in the United States, which is likely a result of the country’s stringent data breach disclosure laws, IBM said. The company estimates that over 1 billion data records were leaked last year.

As far as vulnerabilities are concerned, X-Force has catalogued over 9,200 flaws affecting more than 2,600 unique vendors. This is a new record and it represents a 9.8% increase compared to the previous year. It’s worth noting that the X-Force database includes bugs that don’t have a CVE identifier.

The total number of vulnerabilities could have been below 8,000 for the first time since 2011. However, CERT/CC researchers developed automated testing tools designed to verify if Android applications are vulnerable to man-in-the-middle (MitM) attacks. Over 1,000 apps have been confirmed to be vulnerable and a different CVE identifier has been assigned to each of them, despite the fact that it’s the same fundamental vulnerability.

CERT/CC is still tracking more than 20,000 potentially vulnerable applications and once the analysis is complete, the total number of vulnerabilities found in 2014 could increase to over 30,000, IBM said.

Many of the security holes disclosed last year affected foundational systems, such as operating systems, content management systems (CMS), and widely-used open source libraries. Flaws have been identified in Windows, OS X, Linux, WordPress, Joomla, Drupal, the UNIX bash shell (ShellShock), OpenSSL (Heartbleed), and SSL (POODLE).

The report has also pointed out that 2014 was a year in which numerous so-called “designer vulnerabilities” were disclosed. These flaws are not only dangerous, but they also come with a cleverly branded name and logo.

“These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK,” Leslie Horacek, IBM X-Force Threat Response Manager, wrote in a blog post.

The complete 2015 IBM X-Force Threat Intelligence Quarterly is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
