Malware-as-a-Service and Ransomware-as-a-Service lower hurdles for cybercriminals

According to Darktrace, the complexity of cyber threats has increased dramatically, with malicious actors using sophisticated tactics, techniques and procedures (TTPs) to exploit vulnerabilities and evade detection.

MaaS Threat Landscape

Subscription-based tools such as Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) have also lowered the barrier to entry for less experienced attackers and made it easier to carry out complex, multi-stage attacks.

“The threat landscape is constantly evolving, but new threats often build on old foundations rather than replacing them. While we are seeing the emergence of new malware families, many attacks are carried out by the usual suspects we have seen over the past few years and still use familiar techniques and malware variants,” commented Nathaniel Jones, Director of Strategic Threat and Engagement at Darktrace.

“The persistence of MaaS/RaaS service models alongside the emergence of newer threats like the Qilin ransomware underscores the continued need for adaptive, machine learning-based security measures that can keep pace with a rapidly evolving threat landscape,” Jones continued.

MaaS continues to pose a significant risk to businesses

The findings show that cybercrime-as-a-service continues to dominate the threat landscape, with malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) tools accounting for a significant share of the malicious tools used by attackers. Cybercrime-as-a-service groups such as Lockbit and Black Basta provide attackers with everything from pre-built malware to phishing email templates, lowering the barrier to entry for cybercriminals with limited technical knowledge.

MaaS is expected to remain a major part of the threat landscape for the foreseeable future. This persistence highlights the adaptability of MaaS strains, which are able to change their TTPs from one campaign to the next and evade traditional security tools. Therefore, it is critical for organizations to leverage AI-driven security measures that can detect anomalous activity in real time without relying on prior knowledge of specific tactics and can counter complex and evolving MaaS threats.

The most frequently observed threats from January to June 2024 were:

  • Information-stealing malware (29% of early cases investigated)
  • Trojans (15% of threats examined)
  • Remote Access Trojans (RATs) (12% of threats examined)
  • Botnets (6% of threats examined)
  • Loaders (6% of threats examined)

The report also reveals the emergence of new threats alongside existing ones. Most notable is the rise of Qilin ransomware, which uses sophisticated tactics such as rebooting infected machines into Safe Mode to bypass security tools and make it difficult for human security teams to respond quickly.

According to the report, dual extortion methods have become common among ransomware variants. Since ransomware continues to pose a major security risk to organizations, Darktrace’s Threat Research Team has identified three predominant ransomware variants affecting customers: Akira, Lockbit, and Black Basta. All three variants have been observed to use dual extortion methods.

Email phishing shows no signs of slowing down

Phishing remains a significant threat to businesses. Researchers detected 17.8 million phishing emails sent to their customers between December 21, 2023, and July 5, 2024. Worryingly, 62% of these emails successfully bypassed Domain-based Message Authentication, Reporting, and Conformance (DMARC) verification checks, an industry protocol for protecting email domains from unauthorized use, and 56% passed all existing security layers.

The report shows how cybercriminals are using increasingly sophisticated tactics, techniques and procedures (TTPs) to bypass traditional security perimeters. Darktrace observed an increase in attackers using popular, legitimate third-party services and websites such as Dropbox and Slack to blend in with normal network traffic. In addition, there has been an increase in the use of covert command and control (C2) mechanisms, including remote monitoring and management (RMM) tools, tunneling and proxy services.

Compromise of edge infrastructure and exploitation of critical vulnerabilities are the biggest concerns

Darktrace has observed an increase in mass exploitation of vulnerabilities in edge infrastructure devices, particularly related to Ivanti Connect Secure, JetBrains TeamCity, FortiClient Enterprise Management Server, and Palo Alto Networks PAN-OS. These compromises often serve as a springboard for further malicious activity.

It is imperative that organizations do not lose sight of existing attack trends and CVEs – cybercriminals may resort to previous, mostly dormant methods to trick organizations. Between January and June, attackers exploited Common Vulnerabilities and Exposures (CVEs) in 40% of the cases examined by the Threat Research team.
