There is always a new buzzword circulating amongst IT professionals, but here’s one with more sinister implications: Crime-as-a-Service (CaaS). Previously, orchestrating a phishing campaign or deploying a remote access trojan required specialist skills and experience. Today, however, the cybercrime landscape has evolved beyond traditional hacking towards easily accessible, subscription-based tools. In this new model, you do not purchase a kit — you rent it, much like you would with mainstream SaaS platforms. The notable difference, of course, is that the only charts you are likely to top are those held by law enforcement agencies.
Varonis recently exposed details about this developing trend, and the findings should give IT leaders pause. From phishing kits and Telegram-based one-time password bots, to infostealer logs and fully functional remote access trojans, a growing array of attack tools are being bundled as plug-and-play services. The upshot is that almost anyone, whether an opportunistic insider or even a bored teenager, can gain access to enterprise-grade hacking capabilities at minimal cost. No coding expertise is required — only a payment method and dubious intentions.
Importantly, this is far from a phenomenon fuelled just by amateurs. The CaaS ecosystem is professionalising rapidly, offering everything from stable infrastructure and customer support, to ongoing updates. As such, IT leaders and managed service providers are now facing a new suite of challenges: a surge of low-skilled attackers equipped with powerful tools; the commodification of cyber attacks resulting in a significant rise in incidents; and added compliance complications, especially in data-sensitive industries.
For those defending organisations or client estates, it is essential to heighten threat awareness and invest in automated detection capabilities. Incident response procedures should be reviewed and updated, assuming a scenario where threat actors can simply “log in and go”. End-user education remains a critical asset, as the next phishing email received may be crafted by a paying subscriber to one of these nefarious services, rather than by a traditional cybercriminal.
For further technical insights and analysis, refer to Varonis’ original research via Bleeping Computer.
Source: https://www.bleepingcomputer.com/news/security/cybercrime-goes-saas-renting-tools-access-and-infrastructure/
