Year 2014 in security: looking back over one’s shoulder

2014 is over, as are the holidays. Time to look back at the business security highlights of past the year.

2014 has come and gone, along with – unfortunately – the Christmas and New Year holidays. Perhaps now would be a good time to look back on 2014 and its business security highlights, since the year was heavy with notable security events and incidents. It would probably make it into history books on cybersecurity, and it would be nice if we help write them. :-)

As a matter of fact, we published pieces on the most important highlights of the last year. Here they are:

The largest data leaks

There were quite a few: In late 2013, Target Corporation disclosed a massive leak of payment data, which was followed by similar announcements from retailers throughout 2014, especially in the US.

Neiman Marcus, Michaels Stores, UPS, and The Home Depot – all fell victim to the various strains of PoS malware. For more details read “2014: the year of retailers getting hacked over and over again.”

Then there was the Sony Pictures Entertainment hack. The criminals seem to “love” Sony: Back in 2011, hackers hit the Sony PlayStation Network, stealing massive amounts of various data – mostly due to lax security. The same thing happened with the SPE hack and the damage was, again, massive.

Windows XP – gone to stay

On April 8th, Microsoft finally dropped Windows XP support. This was long overdue as the venerable XP was 14 years old and had lots of bugs. Immediately after, Microsoft decided to release an urgent patch for Windows products family, and included Windows XP due to the severity of the problem.

As a matter of fact, Windows XP is still pretty much alive. It has a considerable user base, and its embedded variants, such as Windows Embedded POSReady 2009, are used in PoS terminals. It is still entrenched in ATMs as well.

And the bugs are still being found.


Big Bugs

This will be a peculiar chapter in the aforementioned “history books”. Most likely for the first time, major flaws discovered in widely used software began receiving their own nicknames, the same as malware and APTs. Probably a good thing, since this brings extra attention from the general public. Just compare the impression of “a critical flaw in bash” and “Shellshock bug”.

Over the year we heard about Heartbleed, then Shellshock, and by the end of the year WinShock, a less prominent – but also serious – 19-year-old bug in Windows arrived.

APTs and banking malware

A lot of APTs have been publicized this year, even if they were discovered earlier. See the list below:

Their numbers were published back in December, a couple of weeks after Kaspersky Lab launched its new interactive map dedicated to the targeted threats.

Banking malware, in turn, hit headlines regularly throughout 2014 – money-stealing Trojans become a threat that cost businesses and banks millions. Various ZeuS Trojan derivatives formed large botnets, and it took a formidable joint effort between law enforcement agencies and security vendors to bring down just one of them – Gameover ZeuS. Although it was immediately clear that it was just a matter of time before another ZeuS-based botnet would emerge.

By the end of the year a new, modular ZeuS derivative – Chthonic – drew a lot of attention.


Various encrypting and non-encrypting ransomware cost businesses dearly, with Cryptolocker becoming the most prominent threat – and probably the most profitable malware of its kind. At least some of our readers ran into it, hopefully without a lot of damage inflicted upon them.

For a more detailed overview of the 2014 threats landscape visit Securelist’s report and Kaspersky Security Bulletin 2014, available here.