As 2024 comes to a close, Blackpoint Cyber’s Security Operations Center (SOC) reflects on a year marked by significant cyber challenges and innovative defense strategies. Our team responded to 19,153 incidents across on-premises, Microsoft 365, and Google Workspace environments, protecting our partners from an increasingly sophisticated array of cyber threats.
This year we saw a rise in Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS), alongside the misuse of legitimate tools for malicious purposes. These developments underscore the importance of anticipating adversaries' tactics and fortifying defenses accordingly.
This blog will transition into a quarterly report, designed to equip MSPs with insights into emerging cyber threats and actionable steps to strengthen client defenses.
Wishing you a safe, joyful holiday season and a prosperous new year!
Malware
Malware-as-a-Service (MaaS)
Blackpoint Cyber has previously published information related to MaaS variants Blackpoint’s SOC has responded to. Throughout 2024, Blackpoint has thwarted thousands of incidents related to MaaS variants.
MaaS is attractive to threat actors because it lets them conduct malicious activity without building or maintaining the malware themselves, reduces the workload on the operators who run the campaigns, and comes with a wide array of built-in capabilities.
Phishing-as-a-Service (PhaaS)
Blackpoint’s SOC has responded to several incidents related to PhaaS malware, successfully preventing threat actors from gaining persistence and collecting credentials.
This type of service provides threat actors with the tools and resources needed to conduct phishing attacks, including email templates, dashboards, and phishing kits such as RaccoonO365. These services allow threat actors with lower skill levels to conduct malicious activity.
Other Malware
Outside of MaaS operations, Blackpoint’s SOC has responded to incidents that likely involved the use of other malware variants, such as remote access trojans (RATs) and information stealers.
These types of malware variants are often attractive due to their availability, the ability to deploy additional payloads, and the ability to gather sensitive information that can be sold to other threat actors or used for further malicious activities.
Legitimate Tools
Persistence Tools
Blackpoint Cyber has previously published information related to commonly observed RMM tools being used for persistence during incident responses. These tools have included TeamViewer, ScreenConnect, AnyDesk, RustDesk, AteraAgent, Zoho Assist, and more.
These tools are attractive to threat actors of all skill levels because they are vital, convenient tools for IT teams that already provide persistent access to remote devices, so their presence on an endpoint rarely looks out of place.
Blackpoint’s APG has tracked 27 ransomware operations and 9 APT groups that have been reported to use these legitimate tools during publicly reported incidents, with many operations using multiple tools.
Credential Access Tools
Throughout 2024, Blackpoint's SOC has successfully stopped incidents involving legitimate or openly available tools that are often used to harvest credentials from victim devices. These have included Mimikatz, LaZagne, utilities that dump the memory of the LSASS process, and more.
These tools are attractive to threat actors due to their capabilities, the open-source nature of many of them, which makes them easy to modify, and the use of the harvested credentials for further malicious activity.
Blackpoint’s APG has tracked 31 ransomware operations and 16 APT groups that have been reported to use these legitimate tools during publicly reported incidents.
Exfiltration Tools
Blackpoint’s SOC has thwarted threat actors’ attempts to target our partners and exfiltrate data throughout 2024. These tools have included MEGASync, Rclone, FileZilla, and more.
Threat actors find these legitimate tools attractive because they can quickly, and often quietly, exfiltrate large amounts of data. Additionally, using legitimate tools allows threat actors to exfiltrate data without developing their own custom tooling, which lets lower-skilled threat actors conduct attacks.
Blackpoint's APG has tracked 28 ransomware operations and 2 APT groups reported to use these legitimate tools/services during publicly reported incidents.
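The three categories above (RMM tools for persistence, credential harvesting tools and LSASS dumping, and exfiltration utilities) all surface in the same place on an endpoint: process-creation telemetry. The following is an added example for this post, not Blackpoint Cyber's detection logic. It triages a handful of constructed, Sysmon-style process events against the tool names the post lists. The event shape, the Zoho Assist service name, the LSASS dump command-line markers, the "approved RMM" allow list and the sample events themselves are all assumptions made for the illustration.

```python
"""Triage constructed process-creation events for legitimate-tool abuse:
RMM persistence, credential harvesting, and data exfiltration.

Added example, not Blackpoint Cyber's tooling. The record shape is a simplified,
hypothetical Sysmon-style event; names and markers are illustrative.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Remote access tools the post names as used for persistence (the Zoho Assist
# binary name is an assumption). Anything not on the approved list is flagged.
RMM_BINARIES = {
    "teamviewer.exe", "screenconnect.clientservice.exe", "anydesk.exe",
    "rustdesk.exe", "ateraagent.exe", "zaservice.exe",
}
APPROVED_RMM = {"screenconnect.clientservice.exe"}  # assumption: the MSP's own RMM

# Credential access: known harvesting tools plus two well-documented LSASS memory
# dump patterns (ProcDump against lsass, comsvcs.dll MiniDump via rundll32).
CREDENTIAL_TOOLS = {"mimikatz.exe", "lazagne.exe"}
LSASS_DUMP_MARKERS = (("procdump", "lsass"), ("rundll32", "comsvcs", "minidump"))

# Exfiltration utilities named in the post.
EXFIL_TOOLS = {"megasync.exe", "rclone.exe", "filezilla.exe"}
DRIVE_PATH = re.compile(r"^[a-z]:([\\/]|$)")  # "c:\..." is a local path, not a remote


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def rclone_remote(command_line: str) -> Optional[str]:
    """Return the rclone remote name ("mega" in "mega:finance") when the command
    copies/syncs/moves data to a configured remote; None otherwise."""
    tokens = command_line.lower().split()
    if len(tokens) < 2 or tokens[1] not in {"copy", "sync", "move", "copyto"}:
        return None
    for tok in tokens[2:]:
        if ":" in tok and not tok.startswith("-") and not DRIVE_PATH.match(tok):
            return tok.split(":", 1)[0]
    return None


def classify(ev: ProcessEvent) -> list[tuple[str, str]]:
    """Return (category, reason) findings for one event; an empty list means benign."""
    name = image_name(ev.image)
    cmd = ev.command_line.lower()
    findings: list[tuple[str, str]] = []

    if name in RMM_BINARIES and name not in APPROVED_RMM:
        findings.append(("persistence", f"unapproved remote access tool {name}"))

    if name in CREDENTIAL_TOOLS:
        findings.append(("credential_access", f"known credential harvesting tool {name}"))
    elif any(all(m in cmd for m in markers) for markers in LSASS_DUMP_MARKERS):
        findings.append(("credential_access", "command line dumps LSASS process memory"))

    if name in EXFIL_TOOLS:
        remote = rclone_remote(ev.command_line) if name == "rclone.exe" else None
        detail = f" to remote '{remote}'" if remote else ""
        findings.append(("exfiltration", f"exfiltration-capable tool {name}{detail}"))
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[str, str, str, str]]:
    """Flatten findings across events as (host, user, category, reason)."""
    return [(ev.host, ev.user, cat, why) for ev in events for cat, why in classify(ev)]


# Constructed sample telemetry; not real incident data.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
                 "AnyDesk.exe --install", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS01", r"NT AUTHORITY\SYSTEM",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent("SRV02", r"CORP\svc_admin", r"C:\Temp\procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\out.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("SRV02", r"CORP\svc_admin", r"C:\Temp\rclone.exe",
                 r"rclone.exe copy C:\Finance mega:finance --transfers 32",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS03", r"CORP\asmith", r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\userinit.exe"),
]

if __name__ == "__main__":
    for host, user, category, reason in triage(SAMPLE_EVENTS):
        print(f"{host:<6} {user:<20} {category:<18} {reason}")
```

Running the block prints one line each for the AnyDesk install (unapproved RMM), the ProcDump of lsass.exe, and the rclone copy to the `mega` remote; the approved ScreenConnect service and explorer.exe produce nothing. The point of the allow list is the one the post makes about RMM tools: the binary itself is legitimate, so the detection has to be about which instances the organization actually sanctioned, not about the tool name alone.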
Cloud Threats
Blackpoint's SOC has responded to more than 16,000 cloud incidents throughout 2024, preventing unauthorized access to partners' environments. These threats have included suspicious logins, PhaaS incidents, and attempted data theft.
Threat actors target cloud services because of the lucrative opportunities they provide, the ability to quickly exfiltrate data into a cloud storage service, and the ability to abuse cloud compute for cryptocurrency mining. Additionally, cloud services are often integrated with many other resources within an organization, making them an attractive foothold from which to pivot into other areas of the network, deploy additional malware, and access further sensitive data.
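Two of the sign-in patterns behind the "suspicious logins" and PhaaS incidents above can be checked directly in sign-in logs: a burst of failures followed by a success (a spray or stuffing run that lands, or harvested credentials being tried), and successful sign-ins from two countries too close together to be the same person (a stolen session replayed from attacker infrastructure). The following is an added example, not Blackpoint Cyber's detection logic. The record shape is a simplified stand-in for a Microsoft 365 or Google Workspace sign-in event, and the thresholds and sample accounts are constructed assumptions.

```python
"""Flag suspicious cloud sign-ins in constructed sign-in records.

Added example, not Blackpoint Cyber's detection logic. Record shape and the
two thresholds are assumptions; the sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    when: datetime
    user: str
    country: str   # geolocated source country (ISO code), as the IdP reports it
    success: bool


def spray_then_success(events, failures=5, window=timedelta(minutes=30)):
    """Users with at least `failures` failed sign-ins followed by a success within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_user[ev.user].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not ev.success:
                continue
            recent = [e for e in evs[:i] if not e.success and ev.when - e.when <= window]
            if len(recent) >= failures:
                flagged.add(user)
                break
    return flagged


def multi_country_success(events, window=timedelta(hours=1)):
    """Users with consecutive successful sign-ins from different countries within `window`.

    A crude impossible-travel check; VPN egress changes will also trip it, so
    treat hits as triage leads rather than verdicts.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        if ev.success:
            by_user[ev.user].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a.country != b.country and b.when - a.when <= window:
                flagged.add(user)
                break
    return flagged


# Constructed sample log; not real tenant data.
T0 = datetime(2024, 11, 4, 9, 0)
SAMPLE_SIGNINS = [
    # six failures in five minutes, then a success from the same country
    *[SignIn(T0 + timedelta(minutes=m), "alice@example.com", "NG", False) for m in range(6)],
    SignIn(T0 + timedelta(minutes=7), "alice@example.com", "NG", True),
    # a valid session, then a second success from another country 40 minutes later
    SignIn(T0, "bob@example.com", "US", True),
    SignIn(T0 + timedelta(minutes=40), "bob@example.com", "DE", True),
    # normal day: one mistyped password, same country all day
    SignIn(T0, "carol@example.com", "US", True),
    SignIn(T0 + timedelta(minutes=3), "carol@example.com", "US", False),
    SignIn(T0 + timedelta(hours=8), "carol@example.com", "US", True),
]

if __name__ == "__main__":
    print("spray then success:", sorted(spray_then_success(SAMPLE_SIGNINS)))
    print("multi-country success:", sorted(multi_country_success(SAMPLE_SIGNINS)))
```

On the sample data only alice trips the spray check and only bob trips the impossible-travel check; carol's single failed attempt stays below the threshold. In a real tenant the country field comes from the identity provider's geolocation of the source IP, and the windows should be tuned to the organization's own travel and VPN patterns before alerting on them.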
APG Threat Analysis
Blackpoint's APG predicts the continued development, marketing, and use of MaaS offerings over the next 12 months. Additionally, Blackpoint's APG predicts the use of PhaaS services will likely increase over the next 12 months as more services enter the landscape.
Blackpoint’s APG predicts the continued use of legitimate software for malicious activity over the next 12 months.
Blackpoint’s APG predicts that the targeting of cloud services and the abuse of cloud services for malicious activity will continue to increase into 2025 due to the increased adoption by organizations, fundamental gaps in cloud security, and the scalability of cloud platforms.
These assessments are supported by the incidents Blackpoint's SOC observed throughout 2024.
Mitigations
- Minimize the use of – or implement strict controls on – scripting languages, as threat actors often rely on scripting languages, such as JavaScript, to deploy malware and conduct malicious activities.
- Implement Managed Application Control (MAC) for continuous monitoring and blocking of unapproved software.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.
- Regularly audit both the environment and its endpoints to identify rogue applications and old or unused accounts that should be removed.
- Dedicated Software Center: Ensure employees only download software from monitored, approved sources.
- Incident Response Plan: Ensure proper IRPs are in place in the event of an incident to ensure business continuity.
Conclusion
As we approach 2025, staying ahead of these threats will demand a measured, proactive approach to cybersecurity. By leveraging Blackpoint’s identity-based MDR solutions and implementing best practices, you can strengthen your clients’ defenses against new and more complex threats.
If you have questions or need tailored advice on optimizing your cybersecurity posture, our SOC team is here to help. Contact us today and take the first step toward a stronger, more secure future. From all of us at Blackpoint Cyber, we wish you a safe and joyous holiday season and a successful New Year!