IBM’s X-Force team recently published the 2024 edition of its Cloud Threat Landscape Report, offering an in-depth view of the surge in cloud infrastructure adoption and the risks that come with it.
A significant highlight of this year’s report revolved around the gradual decline in Software-as-a-Service (SaaS) platforms appearing in dark web marketplaces. While this pattern could suggest that more cloud platforms are enhancing their defensive stance and reducing the instances of exploits or compromised credentials surfacing, there are other factors worth considering.
Notable drop in SaaS references within the dark web
In a recent collaboration with Cybersixgill, a prominent dark web intelligence firm, IBM’s X-Force included updated statistics in its Cloud Threat Landscape Report on the number of SaaS solutions mentioned on the dark web.
Interestingly, even though compromised cloud solutions remain relevant and valuable assets for sale in dark web marketplaces, the number of SaaS platforms mentioned decreased by an average of 20.4% year-over-year.
Among the most significant reductions was WordPress-Admin, seeing a nearly 98% drop between 2023 and 2024, followed by Microsoft Active Directory and ServiceNow, which experienced a 44% and 38% decline respectively.
While the majority of mentioned SaaS platforms decreased year-over-year, Microsoft TeamViewer stood out. Despite representing only 1.8% of all mentioned SaaS solutions, it saw a 9% increase between 2023 and 2024.
What factors could be influencing fewer SaaS mentions?
The drop in SaaS mentions may point to an emerging trend of more sophisticated modern cybersecurity solutions. Nevertheless, as with any shift in reported statistics, it’s crucial to consider all the variables behind the calculation and the other contributing factors.
To provide further insight into these numbers, Colin Connor, a member of IBM’s X-Force team, was interviewed to offer additional perspective. When asked about the likely cause of this shift in dark web trends, Connor remarked, “These statistics seem to reflect an overarching trend also noted in the reduction of total compromised credentials sold during the same reporting period. This also aligns with the takedown of Raccoon Stealer, which led to a sustained drop in credential sales from July 2023 onwards.”
Raccoon Stealer was one of the most widely used infostealer malware families. It dominated the dark web market share for credential theft starting in 2022 but was dismantled by the FBI in August 2023.
Discussing Raccoon Stealer’s overall impact on the yearly statistics reported, Connor noted, “At its peak in March 2023, it accounted for almost 87% of stolen logs and almost 50% of the stolen credentials in our 2023 collection. It’s crucial to remember that the majority of dark web credentials are stolen from infostealer malware, so the takedown of Raccoon had significant consequences. The marketplace is gradually recovering — from 192,000 credential sets on sale in July 2023 to 721,000 in July 2024. Nevertheless, it has yet to return to the peak in March 2023 when there were 1.2 million credential sets available for sale.”
Are compromised SaaS platforms expected to make a comeback soon?
IBM’s X-Force team suggests that while the year-over-year drop in SaaS mentions on the dark web is a positive development — indicative of increased law enforcement actions against major dark web marketplaces and enhanced security measures undertaken by large corporations — it’s vital that organizations not lower their guard.
When asked about the implications of the recent Raccoon Stealer takedown for the evolving dynamics of the dark web market, Connor remarked, “Raccoon’s recovery in 2024 was limited, but we are observing the growth of relatively smaller players… Lumma, RisePro, and Stealc have emerged as significant players… Lumma, in particular, experienced a substantial 241% rise in popularity in Q3.”
It’s still too early to predict whether these previously minor players will be able to cause disruptions comparable to Raccoon Stealer across the dark web in the coming years. There also remains the possibility of Raccoon Stealer returning in some form in the future.
The key is for organizations not to become complacent in their proactive security planning. IBM’s X-Force team advises all organizations to continue conducting thorough security testing across both on-premises and cloud infrastructure while consistently reinforcing their incident response capabilities. This ensures that even as trends shift, organizations can mitigate the risks of their systems or networks being compromised.