Darktrace has announced the findings of Darktrace’s 2024 Annual Threat Report, revealing that Malware-as-a-Service (MaaS) is now responsible for more than half (57%) of all cyber threats to organizations, marking the continued growth of Cybercrime-as-a-Service (CaaS) models. These insights, observed by Darktrace’s Threat Research team using its unique Self-Learning AI across its customer fleet of nearly 10,000 customers spanning all major industries globally, detail a shifting threat landscape that continues to grow in complexity, marked by rising sophistication of common threats.
The persistence of CaaS models, particularly Ransomware-as-a-Service (RaaS) and MaaS is growing rapidly as less experienced threat actors access new tools to carry out disruptive attacks. According to the report, use of MaaS tools rose 17% in the latter half 2024, from 40% in the first six months to 57% of campaign activity identified by the Darktrace Threat Research.
The use of Remote Access Trojans (RATs) also saw a significant increase in the latter half of the year, representing 46% of campaign activity identified, compared to only 12% in the first half. RATs allow an attacker to remotely control an infected device, enabling them to conduct further malicious activity such as data exfiltration, credential theft, or surveillance, underscoring the rising complexity and increased risk of day-to-day threats.
Darktrace’s Threat Research team tracked several ransomware threats impacting customers, from novel strains like Lynx to re-emerging threats including Akira, RansomHub, Black Basta, Fog and Qilin. While these groups have been observed frequently using phishing as an attack vector, there has also been a shift toward more sophisticated techniques. These include the use of legitimate tools like AnyDesk and Atera to mask command and control (C2) communications, LOTL techniques for lateral movement, data exfiltration to commonly used cloud storage services and use of file-transfer technology for rapid exploitation and double extortion methods.
Inboxes Under Siege
Phishing remains attackers’ preferred technique, with over 30.4 million phishing emails detected across Darktrace’s customer fleet between December 2023 and December 2024. The techniques observed highlight how threat actors continue to curate more targeted and sophisticated emails to improve the success of their campaigns. Of all the phishing emails detected in 2024:
- 38% were spear phishing attempts, tailored attacks on high value individuals
- 32% used novel social engineering techniques including AI generated text with linguistic complexity, like increased text volume, punctuation, and sentence length
- 70% successfully passed the widely used DMARC authentication approach
- 55% passed through all existing security layers before Darktrace detection
- Over 940,000 malicious QR codes were identified
Darktrace also observed an increase in threat actors targeting third-party services employees rely on, like Zoom Docs, QuickBooks, HelloSign, Adobe, and Microsoft SharePoint, to send. By leveraging trusted platforms and domains, malicious actors can bypass traditional security measures and increase the likelihood of their phishing attempts being successful. These efforts highlight how threat actors continually adapt and evolve to keep pace with the emergence of new technologies that represent new avenues to exploit.
Nathaniel Jones, VP of Threat Research at Darktrace, comments, “Email is at the forefront of the evolving threats we’re seeing across the threat landscape. Ransomware-as-a-Service tools, combined with the growing use of AI, are allowing even low-skilled attackers to engineer convincing, targeted at scale, and making it harder than ever for traditional security measures to keep up.”
Evading Detection Via Edge Device Vulnerabilities and LOTL Techniques
Threat actors are increasingly focused on evading detection rather than causing disruption, often leveraging vulnerabilities in edge, perimeter or internet-facing devices to gain initial access to networks and then using LOTL techniques, the malicious use of legitimate tools present on a system, to remain undetected.
The most significant campaigns observed in 2024 involved the ongoing exploitation vulnerabilities in edge and perimeter network technologies, with 40% of identified campaign activity in the first half of the year involving the exploitation of internet-facing devices. Some of the most common exploitations involved Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) appliances, Palo Alto Network (PAN-OS) firewall devices, and Fortinet appliances. For example, Darktrace detected anomalous malicious activity on Palo Alto firewall devices as early as March 26th on customer networks, now recognized as evidence of PAN-OS exploitation, 17 days prior to public disclosure on April 12th.
In addition to vulnerabilities, Darktrace has also observed threat actors increasingly using stolen credentials to log into remote network access solutions like VPNs to gain initial access to networks. Following initial access, threat actors will use legitimate tools and processes already present on infected systems to achieve their goals while remaining undetected.
Many traditional tools struggle to identify and stop these attacks as differentiating between legitimate use by administrators and malicious use by attackers is challenging without an established baseline of normal user behavior. While often used by more sophisticated actors like Advanced Persistent Threats (APTs), smaller criminal enterprises also benefit from exploiting native tools, saving time and money by avoiding the need for custom malware development that might be blocked by traditional security tools once indicators of compromise (IoCs) are published.
“The combination of Cybercrime-as-a-Service, automation and AI are increasing the sophistication and diversity of attack techniques faster than ever – from AI-enhanced phishing campaigns to evolving ransomware strains,” said Nathaniel Jones, VP of Threat Research at Darktrace. “Detecting and responding to threats in progress is no longer sufficient. Organizations must prioritize cyber resilience by proactively addressing weaknesses across systems, people, and data before attackers can exploit them.”
