Verizon DBIR: Vulnerability exploitation in breaches up 180%

Vulnerability exploitation in breaches is up 180%, almost triple that of the previous year, according to Verizon's "2024 Data Breach Investigations Report."

Verizon's DBIR, published on Wednesday, is the telecom giant's annual report on data breach trends and overall cybercrime activity. This year's 100-page report touches on key themes and observations based on data gained between Nov. 1, 2022, and Oct. 31, 2023, including vulnerability exploitation, data extortion and human error.

Verizon said its researchers "witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years." Verizon wrote that this huge spike came in part from last year's enormous MoveIt Transfer campaign, which was perpetrated by an affiliate of the Clop ransomware gang, as well as other campaigns involving zero-day vulnerabilities.

According to the report, Verizon researchers tied 1,567 breach notifications to the exploitation of the MoveIt Transfer zero-day flaw. Cybersecurity vendors estimated that more than 2,000 customers worldwide might have been affected.

"This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities. That anticipated worst case scenario discussed in the last report materialized this year with this lesser known—but widely deployed—product," the report read, citing the 2023 Verizon DBIR.

David Hylender, senior principal of threat intelligence at Verizon and DBIR team manager, told TechTarget Editorial that the spike reflected both the influence of a few key campaigns as well as a shift from ransomware gangs toward data extortion-only campaigns.

"Certainly, the number was skewed by MoveIt. There's no two ways about that. But I think the trend element is true as well, because Clop was named as responsible for MoveIt, and this vulnerability just gave them ready-made victims," Hylender said. "They don't even have to encrypt the data anymore. I would be surprised if we don't see this kind of thing continue, because it's very lucrative."

Verizon saw a slight decrease in the number of traditional ransomware attacks reported. However, when including the extortion-only, no-encryption data theft attacks, which are often conducted by ransomware actors, the number is up year-over-year. Ransomware and data extortion attacks were present in 32% of reported attacks, and 92% of industries experienced ransomware as a top threat targeting them.

Regardless of the type of attack perpetrated by ransomware gangs, Verizon researchers offered a warning to vendors like Progress Software that offer managed file transfer products. "As we gaze into our crystal ball, we wouldn't be surprised if we continue to see zero-day vulnerabilities being widely leveraged by ransomware groups," the report read. "If their preference for file transfer platforms continues, this should serve as a caution for those vendors to check their code very closely for common vulnerabilities."