Report by Darktrace reveals the increasing influence of MaaS and cunning evasion strategies

The rise of Cybercrime-as-a-Service (CaaS) as a prominent trend in the world of cybersecurity is more than just a passing phase—it has firmly established itself as a significant force to be reckoned with. With the proliferation of sophisticated attack tools that are easily accessible, even novice cybercriminals can now execute highly disruptive campaigns with relative ease.

Recent statistics reveal that Malware-as-a-Service (MaaS) now accounts for 57% of detected threats, marking a significant 17% increase from the previous year. This surge underscores the prevalence of CaaS models, especially Ransomware-as-a-Service (RaaS) and MaaS, which continue to empower cybercriminals on a large scale, equipping them with the necessary tools to orchestrate more frequent and intricate attacks with minimal effort.

These findings were reported in Darktrace’s 2024 Annual Threat Report, which offers insights gathered by its Threat Research team utilizing its Self-Learning AI technology across its extensive customer base of nearly 10,000 organizations spanning various industries worldwide.

One notable observation by Darktrace researchers was the significant uptick in the use of Remote Access Trojans (RATs), which were detected in 46% of malicious campaigns in the latter half of 2024, compared to just 12% in the first half. RATs enable malicious actors to remotely control infected devices, facilitating activities such as data exfiltration, credential theft, and surveillance.

Additionally, researchers identified a variety of ransomware campaigns utilizing both emerging and re-emerging strains like Lynx, Akira, RansomHub, Black Basta, Fog, and Qilin.

Phishing continues to reign as the top attack vector, with a staggering 30.4 million phishing emails detected across Darktrace’s customer base in 2024. Cybercriminals are refining their tactics by leveraging AI-generated text, social engineering techniques, and trusted third-party services to sidestep detection. Noteworthy findings from the report include the use of spear-phishing campaigns targeting high-value individuals, AI-generated text to enhance credibility, successful bypassing of DMARC authentication in 70% of phishing attempts, and evasion of traditional security layers before detection in 55% of cases. Over 940,000 malicious QR codes were also identified in phishing attacks, indicating the diverse tactics employed by attackers.

Furthermore, cybercriminals are increasingly exploiting third-party platforms such as Zoom Docs, QuickBooks, HelloSign, Adobe, and Microsoft SharePoint to distribute phishing emails, leveraging trusted domains to enhance their success rates while evading conventional security measures.

Rather than opting for immediate disruption, cybercriminals are now prioritizing stealth and persistence. The report highlights a surge in edge device vulnerabilities and the use of Living-off-the-Land (LOTL) techniques, which involve leveraging legitimate system tools for malicious purposes. Campaign activity in early 2024 targeted internet-facing devices, exploiting vulnerabilities in products such as Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS firewalls, and Fortinet appliances. Darktrace detected anomalous activity on Palo Alto firewalls 17 days before the public disclosure of PAN-OS exploitation on April 12, 2024. Attackers are increasingly utilizing stolen credentials to gain initial access to remote network solutions like VPNs, further complicating detection efforts for traditional security tools.

Jason Soroko, Senior Fellow at Sectigo, emphasizes that MaaS and CaaS have transitioned from niche tools to core enablers of the evolving threat landscape. He warns that malicious actors are not only breaching defenses but actively living off them, utilizing trusted platforms and overlooked vulnerabilities to evade detection. Soroko stresses the significance of addressing identity as a crucial and unresolved liability in the face of escalating cyber threats.

Moreover, J Stephen Kowski, Field CTO at SlashNext, notes that the rise of CaaS has transformed the cyber threat landscape, making it easier for perpetrators to execute sophisticated attacks across multiple channels. Phishing attacks, once confined to email, now encompass cloud app abuse techniques that exploit platforms like OneDrive, DocuSign, and Dropbox. Attacks are increasingly leveraging communication channels like Teams, Slack, LinkedIn messages, and mobile platforms, broadening the scope of potential threats. Kowski emphasizes the shift towards stealthier tactics by attackers, who are adept at leveraging trusted tools and exploiting vulnerabilities in everyday devices to evade detection.

In conclusion, the prevalence of Cybercrime-as-a-Service represents a significant paradigm shift in the cybersecurity landscape, necessitating real-time detection and prevention strategies that can effectively combat evolving attack patterns across diverse communication channels. Traditional security tools are struggling to keep pace with the sophistication and agility of modern cyber threats, highlighting the urgent need for enhanced security measures to safeguard against the pervasive and evolving risks posed by CaaS.
