Verizon’s latest Data Breach Investigations Report (DBIR) reveals troubling findings about the security of perimeter devices such as VPNs and other internet-facing appliances. According to the report, only about half of the zero-day vulnerabilities exploited in edge devices last year were fully patched over the course of the year, and the median time organizations took to remediate them was 32 days.
These vulnerabilities, found in devices from vendors including Ivanti, Fortinet, SonicWall, and Citrix, contributed to a 34% year-over-year increase in vulnerability exploitation as an initial access vector, making it the second most common way attackers gained access, behind only stolen credentials. Edge devices and VPNs accounted for 22% of exploitation-based intrusions, up from 3% in last year’s report. Despite remediation efforts, only 54% of these vulnerabilities were fully remediated over the year.
These findings align with recent public reports of malware campaigns from nation-state Advanced Persistent Threat (APT) groups and ransomware gangs targeting VPN appliances, edge routers, and firewalls.
Credential abuse remained the leading initial access vector at 22% of breaches, unchanged from last year, with exploitation of unpatched vulnerabilities close behind at 20%. Data-extortion ransomware was present in 44% of the breaches studied, a 37% relative increase over the previous year’s share. The median ransom payment fell from $150,000 to $115,000, and 64% of corporate ransomware victims chose not to pay, up from 50% two years ago. Small and mid-sized businesses were hit hardest: 88% of breaches at these companies involved ransomware, compared with 39% at large enterprises.
Another concerning trend identified in the report was the rise in supply chain breaches. Breaches involving a third party, such as a software supplier, managed service provider (MSP), or partner portal, doubled to 30%. Verizon’s researchers also found that it took a median of 94 days to remediate leaked secrets, such as credentials and API keys, after they appeared in public code repositories.
The report also found that state-sponsored APT groups were responsible for 17% of breaches, with vulnerability exploitation as the entry point 70% of the time. While espionage remained the primary motive, 28% of state-linked cases involved a financial motive, consistent with reports that some state-backed operators also engage in cybercrime for personal profit.
The human element was still involved in a large share of breaches (60%), whether through email phishing, misdelivery of data, or password reuse. The report also highlighted a growing problem with bring-your-own-device (BYOD) use: 30% of compromised systems were enterprise-licensed devices, while almost half were unmanaged machines holding both personal and corporate credentials, which complicates detection and response for corporate defenders.
The DBIR, which has been published annually since 2008, serves as a key indicator of how cyberattacks evolve. This year’s report analyzed over 22,000 security incidents, including 12,195 confirmed breaches.