Exploitation of vulnerabilities almost tripled as a source of data breaches last year
Attacks that relied on the exploitation of vulnerabilities as their key path to a breach leaped a remarkable 180% last year compared to the year before, driven in large measure by the sweeping MOVEit hack, according to the annual Verizon data breach report released Wednesday.
“We’re attributing that increase to the use of zero-day vulnerabilities by ransomware actors,” said Alex Pinto, who leads the Verizon team that wrote the report, referring to a kind of vulnerability that had been previously unknown. “The poster child of that, the thing that everybody was talking about last year, was the MoveIt vulnerability.”
Verizon was able to identify 1,567 breach notifications that related to the MOVEit file transfer service. By some estimates, it was the biggest attack last year and arguably the biggest ransomware attack campaign ever.
Its impact stands in stark contrast to the kind of impact Verizon expected in last year’s report from the log4j vulnerability, which spawned dire warnings at the time but ended up having a somewhat limited effect.
A possible explanation for the difference is that log4j is ubiquitous enough to have marshaled a widespread effort to counter the vulnerability ranging from mature companies on down, whereas with MOVEit, “I don’t believe that was over-represented on very mature companies,” said Pinto, associate director of threat intelligence at Verizon Business. Notably, the education sector — viewed as one of the least-equipped to fend off cyberattacks — was the sector most impacted.
That wasn’t the only conclusion of the annual encyclopedic Verizon Data Breach Report, which analyzed more than 10,000 breaches and more than 30,000 security incidents from an array of sources and collaborators. The report analyzes everything from how insider threats and user errors drive breaches to attacks broken down industry by industry.
One area that fell flat was artificial intelligence’s influence on data breaches.
“We did keep an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally,” the report states. That’s perhaps due to the fact that many existing attack methods “don’t need to be more sophisticated to be successful against their targets,” the report suggests.
