The latest Verizon Data Breach Investigations Report (DBIR) landed this week with a startling statistic about the security posture of perimeter gear: barely half of the zero‑days exploited last year in VPNs and internet‑facing appliances were ever fully patched, and where they were, the median time to full remediation was 32 days.
Those weak spots, abundant in devices from Ivanti, Fortinet, SonicWall and Citrix, pushed vulnerability exploitation up 34 percent year‑over‑year, making it the second‑most common initial access vector for attackers, behind only stolen credentials.
“The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eight-fold from the 3% found in last year’s report,” according to the DBIR.
“Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54% of those were fully remediated throughout the year.”
The findings match public reporting on waves of malware campaigns by nation-state APTs and ransomware gangs against VPN appliances, edge routers and firewalls.
Verizon’s researchers say credential abuse accounted for 22 percent of initial access (flat from last year), while exploitation of unpatched vulnerabilities climbed to 20 percent.
Ransomware and data-extortion attacks appeared in 44 percent of the breaches studied, a 37 percent increase over the previous report, even as the median payment fell to $115,000 from $150,000.
The report noted that 64 percent of ransomware victims refused to pay at all, up from 50 percent two years ago. The numbers diverge sharply by company size: ransomware factored into 39 percent of breaches at large enterprises but 88 percent of those at small and mid‑sized businesses, Verizon said.
The report also called attention to breaches that hinged on the compromise of a third‑party software supplier, MSP or partner portal. Such supply chain breaches doubled to 30 percent of the total, and Verizon's investigators found a 94‑day median lag between the discovery of leaked secrets in public code repositories and their remediation.
The DBIR, which compiles raw forensic data from law‑enforcement agencies, insurers, MSSPs and CERTs worldwide, found that nation‑state‑backed APT activity accounted for 17 percent of breaches, with vulnerability exploitation providing the beachhead 70 percent of the time.
While cyberespionage remains the main motive, the DBIR noted that 28 percent of nation‑state‑linked cases aimed directly at financial gain, consistent with public reporting that some government hackers are moonlighting for cash.
The report also warns that 60 percent of breaches still involve a human element, whether email phishing, misdirected data or password reuse, as people continue to fall for cybercriminal tricks or make costly mistakes.
Infostealer logs examined for the report show that 30 percent of compromised systems were enterprise‑licensed devices, but almost half were unmanaged machines holding both personal and corporate credentials, a sign that bring‑your‑own‑device practices continue to complicate corporate defenses.
Published annually since 2008, the DBIR is treated as a barometer for how attacks unfold in practice; Verizon said this edition analyzed more than 22,000 security incidents, including 12,195 confirmed breaches.
Related: Chinese APT Tools Found in Ransomware, Blurring Attribution Lines
Related: FBI Uses Malware ‘Self-Delete’ Trick to Erase PlugX From US Computers
Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job
Related: Rapid7 Reveals RCE Path in Ivanti VPN Appliance After Silent Patch Debacle
Related: Chinese APT Pounces on Misdiagnosed RCE in Ivanti VPN Appliances