IBM today released the 2015 IBM X-Force Threat Intelligence Quarterly, a report that details the security incidents, financial malware trends, risky Android apps, and vulnerability disclosures seen in 2014.
According to IBM, malware and distributed denial-of-service (DDoS) attacks took the lead last year in terms of volume. SQL injection attacks are still effective when it comes to extracting valuable information from Web servers and applications, but point-of-sale (PoS) malware has also helped cybercriminals steal a lot of records in the last year.
In 2014, the most commonly attacked industries were computer services (28.7%), retail (13%), government (10.7%), education (8%), and financial markets (7.3%). A majority of the security incidents observed by the company were in the United States, which is likely a result of the country’s stringent data breach disclosure laws, IBM said. The company estimates that over 1 billion data records were leaked last year.
As far as vulnerabilities are concerned, X-Force has catalogued over 9,200 flaws affecting more than 2,600 unique vendors. This is a new record and it represents a 9.8% increase compared to the previous year. It’s worth noting that the X-Force database includes bugs that don’t have a CVE identifier.
The total number of vulnerabilities could have been below 8,000 for the first time since 2011. However, CERT/CC researchers developed automated testing tools designed to verify whether Android applications are vulnerable to man-in-the-middle (MitM) attacks. Over 1,000 apps have been confirmed to be vulnerable and a different CVE identifier has been assigned to each of them, despite the fact that it’s the same fundamental vulnerability.
CERT/CC is still tracking more than 20,000 potentially vulnerable applications and once the analysis is complete, the total number of vulnerabilities found in 2014 could increase to over 30,000, IBM said.
Many of the security holes disclosed last year affected foundational systems, such as operating systems, content management systems (CMS), and widely used open source libraries. Flaws have been identified in Windows, OS X, Linux, WordPress, Joomla, Drupal, the UNIX bash shell (Shellshock), OpenSSL (Heartbleed), and SSL (POODLE).
The report has also pointed out that 2014 was a year in which numerous so-called “designer vulnerabilities” were disclosed. These flaws are not only dangerous, but they also come with a cleverly branded name and logo.
“These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK,” Leslie Horacek, IBM X-Force Threat Response Manager, wrote in a blog post.
The complete 2015 IBM X-Force Threat Intelligence Quarterly is available online.