
Malware as a service is a golden business for hackers: Darktrace report

Malicious actors on the Internet know the value of services. In its Digital Threats Report for the first half of 2024, published Tuesday, the global artificial intelligence-powered cybersecurity company found that many common threats deployed during this period made extensive use of malware-as-a-service (MaaS) tools.

The DarkTrace report, based on data analysis across all of the company’s customer deployments, argued that the growing popularity of MaaS is driven by the MaaS ecosystem’s lucrative subscription-based revenue, as well as low barriers to entry and high demand.

By offering pre-packaged malware with plug-and-play functionality, the MaaS market has enabled even inexperienced attackers to launch potentially devastating attacks regardless of skill level or technical capabilities, the report found.

The report predicts that MaaS will remain a dominant part of the threat landscape for the foreseeable future. This persistence highlights the adaptive nature of MaaS strains, which can change their tactics, techniques and procedures (TTPs) from one campaign to the next and bypass traditional security tools, it notes.

“The demand for more powerful attack tools, creating challenges for cybersecurity professionals and improving defense strategies, is expected to increase the sophistication of malware-as-a-service services,” said Kelly Guenther, senior manager of cyber threat research at Critical Start, a national company providing cyber security services.

“These MaaS offerings will introduce new and adaptive attack vectors, such as advanced phishing schemes and polymorphic malware that continuously evolve to evade detection,” he told itpolli. “The rise of malware as a service represents a transformative challenge in the world of cybersecurity. It has democratized cybercrime and expanded the threat landscape.”

Legacy malware thrives on modern attacks

The DarkTrace report notes that many MaaS tools, such as Amadey and Raspberry Robin, have been used by multiple malware families over the years. This shows that while MaaS strains often adapt their TTPs from one campaign to the next, many strains remain unchanged and still succeed. The report also suggests that some security teams and organizations are still failing to secure their environments.

“The continued success of older malware strains indicates that many organizations still have significant vulnerabilities in their security environments,” said Frank Downs, senior director of proactive services at BlueVoyant, an enterprise cybersecurity company in New York.

“This could be due to outdated systems, unpatched software or a lack of comprehensive security measures,” he told itpolli. “The persistence of these legacy threats suggests that some organizations are not investing adequately in cybersecurity protections or following best practices for maintaining and updating systems.”

Roger Grimes, security campaigner at KnowBe4, a Clearwater, Fla.-based security training provider, added that most malware detection software isn’t as good as its vendors claim.

“Organizations need to be aware that they cannot rely on malware detection to be 100% effective, and they need to respond and protect accordingly,” he told itpolli. “Anti-malware software alone will not save most organizations. All organizations need multiple safeguards at multiple levels for optimal detection and protection.”

Double Dip Digital Desperadoes

Another finding of the report was that “double extortion” is becoming common among ransomware strains. In double extortion, attackers not only encrypt their target’s data but also exfiltrate confidential files and threaten to reveal them unless a ransom is paid.

“Dual ransomware started in November 2019 and within a few years had reached the level of more than 90% of all ransomware using this technique,” Grimes said.

“It’s popular because even really good backup victims don’t eliminate all risk,” he continued.

“The percentage of victims paying ransom has decreased significantly over time, but those who do pay pay much more, many times more, to protect stolen sensitive information from being made public or used against them in future attacks by the same attacker,” he said.

Matthew Corwin, managing director of Guidepost Solutions, a global security, compliance and investigations company, added that the threat of double extortion makes the need for data loss prevention programs even more important for organizations. “DLP implementations across all endpoints and other cloud assets should include data classification, policy enforcement, real-time blocking, quarantine and alerting,” he told itpoli.

Attacking the Edge

DarkTrace also reported that in the first six months of the year, attackers continued to widely exploit vulnerabilities in infrastructure edge devices such as Ivanti Connect Secure, JetBrains’ TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS.

An initial breach of these systems can provide a springboard for attackers to conduct further operations such as deploying tooling, network reconnaissance and lateral movement, the report explains.

“By compromising edge devices, attackers can gain a strategic foothold in the network, allowing them to monitor and intercept data traffic passing through these points,” Downs explained.

“This means that a carefully exploited edge device can give attackers access to large amounts of corporate information, including sensitive data, without the need to compromise multiple internal systems,” he continued. “Not only does this make the attack more effective, but it also increases the potential impact as edge devices often flow significant data in and out of the network.”

Morgan Wright, principal security consultant at SentinelOne, an endpoint security company in Mountain View, Calif., added: “Many organizations are probably lagging behind in patching vulnerable devices such as firewalls, VPNs or email gateways.”

“It doesn’t help when there are multiple and critical vulnerabilities,” he told TechNewsWorld. “For attackers, it’s the digital equivalent of shooting fish in a barrel.”

KnowBe4’s Grimes agrees that edge infrastructure devices are often poorly maintained. “Unfortunately, peripherals have been the most unpatched devices and software in our environment for decades,” he said. “Most IT departments spend most of their remediation efforts on servers and workstations. Attackers see and exploit peripheral devices because they are less likely to be patched and often have shared administrative credentials.”

DMARC End Run

After analyzing 17.8 million emails, DarkTrace researchers also found that 62% of them could bypass DMARC checks.

DMARC is designed to verify that an email message really originated from the domain it claims to come from, but it has limitations. Fraudsters can register domains with names close to well-known brands and set up valid DMARC records for those lookalike domains. “So as long as they can hide a fake-looking domain from past victims, their emails will pass DMARC checks,” Grimes explained.
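Because a lookalike domain with its own DMARC record legitimately passes the check, a DMARC verdict alone does not tell a defender whether the sender is the brand it resembles. The following added example (not code from Darktrace or the report) triages a constructed batch of messages: it takes the DMARC verdict already produced by the receiving mail server, then compares the sender domain against an assumed list of protected brand domains after collapsing common homoglyph substitutions, so that a DMARC-passing lookalike is still flagged.

```python
import re
from difflib import SequenceMatcher

# Assumption: brand domains this organization wants to protect (constructed list).
PROTECTED_DOMAINS = {"example-bank.com", "examplecorp.com"}

# Constructed sample of (From header, DMARC verdict from the receiving MTA).
SAMPLE_MESSAGES = [
    ("Alerts <alerts@example-bank.com>", "pass"),
    ("Alerts <alerts@example-bank.com>", "fail"),
    ("Alerts <alerts@examp1e-bank.com>", "pass"),          # digit 1 for letter l
    ("Support <support@exarnplecorp-login.com>", "pass"),  # "rn" imitates "m"
    ("Newsletter <news@unrelated-shop.com>", "pass"),
]

def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a From: header such as 'Name <user@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""

def normalize(domain: str) -> str:
    """Drop the TLD and collapse common visual tricks so lookalikes compare equal."""
    core = domain.rsplit(".", 1)[0]
    core = core.replace("rn", "m").replace("vv", "w")
    core = core.translate(str.maketrans("0135", "oles"))
    return re.sub(r"[.-]", "", core)

def classify(from_header: str, dmarc_result: str) -> str:
    """Return 'trusted', 'spoofed', 'lookalike' or 'external'.

    A message from a protected domain is trusted only when DMARC passed; anything
    else from that domain is a spoof. For other domains DMARC may pass, so we look
    for brand names hidden inside or near-identical to the sender's domain.
    """
    domain = sender_domain(from_header)
    if domain in PROTECTED_DOMAINS:
        return "trusted" if dmarc_result == "pass" else "spoofed"
    core = normalize(domain)
    for brand in PROTECTED_DOMAINS:
        bcore = normalize(brand)
        similar = SequenceMatcher(None, core, bcore).ratio() >= 0.85  # assumed threshold
        if core == bcore or similar or (len(bcore) >= 6 and bcore in core):
            return "lookalike"  # DMARC passed for the attacker's own domain
    return "external"

def triage(messages=SAMPLE_MESSAGES):
    """Classify each (From header, DMARC verdict) pair in order."""
    return [classify(hdr, verdict) for hdr, verdict in messages]

if __name__ == "__main__":
    for (hdr, verdict), label in zip(SAMPLE_MESSAGES, triage()):
        print(f"{label:9} dmarc={verdict:4} {hdr}")
```

The lookalike verdict is a trigger for further review (sender history, link targets, display-name mismatch), not a final block decision.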

“The alarming statistics in DarkTrace’s latest semi-annual threat report highlight the need for organizations to adopt a layered approach to email security that includes traditional security measures as well as advanced AI-based anomaly detection and behavioral analytics,” added Stephen Kausky, Field CTO at SlashNext, a computer and network security company based in Pleasanton, California.

“This holistic strategy can help detect and mitigate sophisticated phishing attacks that bypass DMARC and other traditional defenses,” he told TechNewsWorld. “By continuously monitoring and adapting to changing threat patterns, organizations can significantly improve their email security posture.”

Dor Lever, co-founder of Coro, a cloud-based cybersecurity company based in Tel Aviv, Israel, said most of the report’s findings point to the same cause. Citing a report published by Coro earlier this year, he noted that 73% of security teams admit to missing or ignoring critical alerts.

“Many different tools, all of which require maintenance, regular updates and monitoring, result in security teams doing administration rather than security,” he told TechNewsWorld.

However, Wright suggested that the findings could point to a major flaw in the industry. “With all the money being spent on cyber security and the threats that continue to proliferate, the question becomes – are we spending enough money on cyber security or are we spending it in the wrong places?” he asked.
