Malware-as-a-Service Golden Business for Hackers: Darktrace Report

Malicious actors on the internet know the meaning of service. In a report released Tuesday on digital threats for the first half of 2024, a global AI cybersecurity company found that many of the prevalent threats deployed during the period heavily used malware-as-a-service (MaaS) tools.

The report by Darktrace, based on analysis of data across the company’s customer deployments, reasoned that the growing popularity of MaaS is due to the lucrative subscription-based income of MaaS ecosystems, as well as the low barrier to entry and high demand.

By offering pre-packed, plug-and-play malware, the MaaS market has enabled even inexperienced attackers to carry out potentially disruptive attacks regardless of their skill level or technical ability, the report added.

The report predicted that MaaS will remain a prevalent part of the threat landscape in the foreseeable future. This persistence highlights the adaptive nature of MaaS strains, which can change their tactics, techniques, and procedures (TTPs) from one campaign to the next and bypass traditional security tools, it noted.

“The sophistication of malware-as-a-service services is expected to rise due to the demand for more powerful attack tools, posing challenges for cybersecurity professionals and requiring advancements in defense strategies,” said Callie Guenther, a cyber threat research senior manager at Critical Start, a national cybersecurity services company.

“These MaaS offerings will introduce new and adaptive attack vectors, such as advanced phishing schemes and polymorphic malware that continually evolves to evade detection,” she told TechNewsWorld. “The rise of malware-as-a-service represents a transformative challenge in the world of cybersecurity. It has democratized cybercrime and expanded the scope of threats.”

Legacy Malware Thriving in Modern Attacks

The Darktrace report noted that many MaaS tools, such as Amadey and Raspberry Robin, have used multiple malware families from prior years. This shows that while MaaS strains often adapt their TTPs from one campaign to the next, many strains remain unchanged yet continue to achieve success. It added that some security teams and organizations are still falling short in defending their environments.

“The continued success of old malware strains indicates that many organizations still have significant vulnerabilities in their security environments,” maintained Frank Downs, senior director of proactive services at BlueVoyant, an enterprise cybersecurity company in New York City.

“This could be due to outdated systems, unpatched software, or a lack of comprehensive security measures,” he told TechNewsWorld. “The persistence of these older threats suggests that some organizations may not be investing adequately in cybersecurity defenses or are failing to follow best practices for system maintenance and updates.”

Roger Grimes, a defense evangelist for KnowBe4, a security awareness training provider in Clearwater, Fla., added that most anti-malware detection software is not as good as its vendors claim.

“Organizations need to know they cannot rely on malware detection as being even close to 100% effective, and they need to respond and defend accordingly,” he told TechNewsWorld. “Anti-malware software alone will not save most organizations. All organizations need multiple defenses across multiple layers to best detect and defend.”

Double Dipping Digital Desperadoes

Another finding in the report was that “double extortion” was becoming prevalent among ransomware strains. With double extortion, malicious actors will not only encrypt their target’s data but also exfiltrate sensitive files with the threat of publication if the ransom is not paid.

“Double-extortion started in November 2019 and reached levels over 90% of all ransomware using this strategy within a few years,” Grimes said.

“It’s popular because even victims with a really good backup aren’t negating the entirety of the risk,” he continued.

“The percentage of victims paying ransoms has gone down significantly over time, but the ones who are paying are paying far more, many times to protect the stolen confidential data from being released publicly or used against them in a future attack by the same attacker,” he said.

Matthew Corwin, managing director of Guidepost Solutions, a global security, compliance, and investigations firm, added that the threat of double extortion makes the need for a data loss prevention program even more critical for organizations. “DLP implementation for all endpoints and other cloud assets should include data classification, policy enforcement, real-time blocking, quarantining, and alerting,” he told TechNewsWorld.

Attacking the Edge

Darktrace also reported that malicious actors continued to execute during the first six months of the year mass-exploitation of vulnerabilities in edge infrastructure devices, such as Ivanti Connect Secure, JetBrains TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS.

Initial compromises of these systems can act as a springboard for malicious actors to conduct further activities, such as tooling, network reconnaissance, and lateral movement, the report explained.

“By compromising edge devices, attackers can gain a strategic foothold in the network, allowing them to monitor and intercept data traffic as it passes through these points,” Downs explained.

“This means that a carefully exploited edge device can provide attackers with access to a wealth of corporate information, including sensitive data, without the need to compromise multiple internal systems,” he continued. “This not only makes the attack more efficient but also increases the potential impact, as edge devices often handle significant data flows to and from the network.”

Morgan Wright, chief security advisor at SentinelOne, an endpoint protection company in Mountain View, Calif., added, “Many organizations are most likely behind in patching vulnerable devices, like firewalls, VPNs, or email gateways.”

“It doesn’t help when there are numerous and critical vulnerabilities,” he told TechNewsWorld. “For attackers, it’s the digital equivalent of shooting fish in a barrel.”

KnowBe’s Grimes agreed that maintenance of edge infrastructure devices is often lax. “Sadly, edge devices have for decades been among the most unpatched devices and software in our environments,” he said. “Most IT shops spend the bulk of their patching effort on servers and workstations. Attackers look at and exploit edge devices because they are less likely to be patched and often contain shared administrative credentials.”

DMARC End Run

After analyzing 17.8 million emails, the Darktrace researchers also discovered that 62% could bypass DMARC verification checks.

DMARC is designed to verify that an email message is from the domain it claims it’s from, but it has limitations. Scammers can create domains with names close to a well-known brand and DMARC them. “So as long as they can sneak the fake look-alike domain past victims, their emails will get past DMARC checks,” Grimes explained.

“The alarming statistics in the latest Darktrace Half-Year Threat Report highlight the need for organizations to adopt a multi-layered approach to email security, incorporating advanced AI-driven anomaly detection and behavioral analysis to complement traditional security measures,” added Stephen Kowski, field CTO of SlashNext, a computer and network security company, in Pleasanton, Calif.

“This holistic strategy can help identify and mitigate sophisticated phishing attacks that evade DMARC and other conventional defenses,” he told TechNewsWorld. “By continuously monitoring and adapting to evolving threat patterns, organizations can significantly enhance their email security posture.”

Dror Liwer, co-founder of Coro, a cloud-based cybersecurity company based in Tel Aviv, Israel, contends that most of the report’s findings point to the same cause. Citing a report released by Coro earlier this year, he noted that 73% of security teams admit to missing or ignoring critical alerts.

“Too many disparate tools, each needing maintenance, regular updates, and monitoring, lead to security teams dealing with administration instead of protection,” he told TechNewsWorld.

Wright, though, suggested the findings might point to a bigger industry flaw. “With all the money being spent on cybersecurity and the threats that continue to proliferate, it begs the question — are we spending enough money on cybersecurity, or just spending it in the wrong places?” he asked.