7 Key Findings and Upcoming Trends for 2024
https://www.indiavpn.org/2024/01/25/7-key-findings-and-upcoming-trends-for-2024/
Thu, 25 Jan 2024 14:15:41 +0000

Cyber Threat Landscape

The 2023/2024 Axur Threat Landscape Report provides a comprehensive analysis of the latest cyber threats. The information combines data from the platform’s surveillance of the Surface, Deep, and Dark Web with insights derived from the in-depth research and investigations conducted by the Threat Intelligence team.


Overview

In 2023, the cybersecurity landscape witnessed a remarkable rise in cyberattacks.

One notable shift was the integration of cyber risk with business risk, a concept gaining traction in boardrooms worldwide. As the magnitude of losses due to cyberattacks became evident, organizations started reevaluating their strategies.

Geopolitical factors played a significant role in shaping information security. The conflicts between nations like Russia and Ukraine had ripple effects, influencing the tactics of cybercriminals. It was a year where external factors intertwined with digital threats.

Ransomware attacks, once primarily focused on encryption, took a new turn. Threat actors prioritized data exposure, targeting organizations with hefty fines for data breaches. The stakes were higher than ever.


Artificial intelligence emerged as a potent weapon in cyberattacks. From deepfake videos featuring celebrities to automated social engineering, AI’s role in cybercrime has grown substantially.

One example is the fake videos promoting cryptocurrency scams using celebrities such as billionaire Elon Musk and Ethereum creator Vitalik Buterin. The videos use images of these executives at events, but the original lines are replaced by an AI-synthesized voice. The images are only altered to ensure lip sync, which is another function of this type of AI.

Hacktivist groups also made their mark, aligning with various sides during global conflicts. Their symbolic attacks posed risks to individuals and organizations, highlighting the need for vigilance in an interconnected world.

Let’s delve into the platform’s data, here synthesized into 7 key findings.

Key findings:

1. A Threefold Increase in Leaked Cards

The report indicates a troubling escalation in cyber threats. In 2023, a staggering 13.5 million credit and debit card details were leaked, tripling the number from the previous year. The United States tops the list, accounting for nearly half of all detected card leaks. This surge reflects the intensified activities on Deep & Dark Web channels, where such data are frequently traded.

Top 10 Countries with the Most Exposed Cards

2. Spotlight on Credential Leaks and Info Stealers

Credential leaks, although stable at 4.2 billion, have witnessed a shift with a surge in pastes and major leaks as sources. Notably, 15% of these exposed credentials can be considered corporate, highlighting the urgency of robust corporate cybersecurity measures.

Distinctively, credential stealer malware poses a significant threat by obtaining 98% of credentials in plain text, bypassing encryption hurdles. These stolen passwords are meticulously cataloged in log files, providing cybercriminals with insights into acquisition methods. Furthermore, credential stealers capture authorization tokens and cookies, potentially compromising multi-factor authentication.

Source of Credentials Leakage in 2023

3. Brand Misuse and Digital Fraud Panorama

Unconventional use of brand impersonation, such as in social media profiles, apps, and paid advertisements, led to 200,680 detections in 2023, a slight increase from the previous year.

Types of Brand Misuse in 2023


4. New Frauds: Evolving Tactics

The report has identified a series of novel tactics that demand our attention. Notably, threat actors now possess the capability to establish complete e-commerce stores within a matter of minutes, leveraging popular platforms.

Furthermore, the rise of “apphishing” scams has taken center stage, showcasing the increasing sophistication of contemporary cyber fraud. In these scams, malicious apps masquerade as legitimate browsers, loading cloned pages under the control of cybercriminals. This emerging trend highlights the need for heightened vigilance and innovative countermeasures to combat these evolving threats effectively.

5. Behind the Disruption Metrics: Takedown and Uptime

Last year, Axur executed 330,612 takedowns (the removal of a website or page from the internet) with a remarkable success rate, particularly in countering threats such as phishing (96.85%) and fake accounts (97.63%). The highlight of this process is the automated notification workflows that significantly reduce the time between incident identification and provider notifications.

For instance, Axur initiates notifications for phishing cases within 5 minutes, providing efficient handling for entities such as Shopify, Cloudflare, Namecheap, Hostinger, and GoDaddy, often within the same day. When addressing brand impersonation, accounts can be removed from platforms like Facebook and Instagram (typically within an average time of 41 minutes and 56 minutes, respectively) following notifications.

Takedown Response Time by Organization and Platform

6. Deep & Dark Web Insights: Monitoring the Underworld

The analysis of 133 million messages and posts on the Deep & Dark Web provided insights into the tactics and procedures of malicious agents, playing a crucial role in preventing cyber threats. This monitoring extends to messaging apps such as Telegram, WhatsApp, and Discord, as well as deep web forums and illicit marketplaces where cybercriminals trade leaked data, compromised computer access, and illicit services.

There are more than 529,965 incidents on monitored Deep & Dark Web sources, focusing on retail/e-commerce, financial institutions, and technology services sectors.

Most Targeted Sectors on the Deep & Dark Web in 2023

Notably, 374,592 incidents resulted from text detections, while 155,373 incidents were attributed to audio, video, or image detections. Multimedia content analysis is increasingly vital as it unveils hidden threats and enhances overall threat visibility.

7. Artificial Intelligence: A New Frontier in Cybercrime

Artificial Intelligence (AI) tools, beneficial for software and content creation, are now being used for malicious purposes. These tools enable scammers to craft more convincing narratives and interactions, enhancing the sophistication of fraud. On the other hand, Axur is pioneering the use of generative AI in cyber defense, launching Polaris.


Polaris: AI-powered platform to automate threat management

As the core of this AI-driven platform, a specialized Large Language Model sifts through vast data pools, delivering tailored, actionable insights directly aligned with the organization’s unique attack surface. This innovative approach not only streamlines the threat intelligence process but also ensures that security teams focus on strategic responses, enhancing productivity and decision-making.


Polaris signifies a departure from the overwhelming, fragmented nature of traditional threat management by offering a cohesive and focused perspective that facilitates swift, informed actions against potential threats, dramatically reducing analysis time and enhancing organizational response capability.


Conclusion

The Axur Report elucidates the intricate and evolving cyber threat landscape, particularly highlighting the vulnerabilities and challenges faced in the United States. The data presented underscores an urgent need for organizations to adapt and fortify their cybersecurity frameworks in response to the growing sophistication of cyber threats.

To navigate the complexities of the current cybersecurity landscape, organizations must focus on two pivotal strategies:

1. Comprehensive Monitoring and Swift Response:

The essence of robust cybersecurity lies in the extended monitoring of digital assets and the efficiency of response mechanisms. Organizations must ensure deep surveillance of their digital ecosystem, including tracking credential sources, monitoring the proliferation of fake profiles and apps, and vigilant oversight of Deep & Dark Web activities.

This thorough monitoring must be coupled with a quick and decisive response to minimize the exposure window of potential fraud and digital risks. By identifying and addressing threats promptly, organizations can significantly mitigate the impacts of cyber incidents.

2. Harnessing AI for Threat Intelligence and Automation:

Leveraging artificial intelligence is becoming not just beneficial but essential. As manual work is no longer viable, AI-driven technologies offer unparalleled advantages in scaling and automating the detection and neutralization of cyber threats. By adopting AI-powered advanced security solutions, organizations can enhance their threat monitoring and analysis capabilities.

This not only ensures a quick and informed response to cyber incidents but also strengthens the organization’s overall defense framework. Embracing a multi-layered security approach that combines proactive prevention with reactive strategies and AI’s analytical prowess ensures a more resilient defense against the increasingly sophisticated landscape of cyber threats.

Learn More About Axur

Axur is a cutting-edge External Threat Intelligence platform renowned for its end-to-end automation, top-tier takedown capabilities, and scalable intelligence. Empowering information security teams, Axur ensures safer digital experiences by detecting, inspecting, and containing threats across the external perimeter.

Top 7 Trends Shaping SaaS Security in 2024
https://www.indiavpn.org/2023/12/25/top-7-trends-shaping-saas-security-in-2024/
Mon, 25 Dec 2023 04:39:14 +0000

SaaS Security in 2024

Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud.

These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data.

Here are the top trends influencing the state of SaaS Security for 2024, and what you can do about them.

Democratization of SaaS

SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, it does require organizations to rethink the way they secure data.

Security teams are being forced to develop new ways to secure company data. Lacking access and visibility into an application, they are placed in the role of advising a business unit that is using SaaS applications. To further complicate matters, every SaaS application has different settings and uses different terminology to describe security features. Security teams can’t create a one-size-fits-all guidance document because of the differences between the apps.

Security teams must find new ways to collaborate with business units. They need a tool that offers visibility and guidance for each application setting so that they – and the business unit – understand the risks and ramifications involved in the configuration choices that they make.

ITDR Forms a Critical Safety Net

If a threat actor gains access to a high-privilege account, they gain unfettered access within the application. Organizations are now understanding that identity is the de facto perimeter for their SaaS applications.

When threat actors take over an authorized user account, they typically follow common tactics, techniques, and procedures (TTPs) as they work their way through the app toward the data they want. They leave behind indicators of compromise (IoCs), which might be based on actions taken within the app or logs.

As we move into the new year, we are going to see more organizations adopting an Identity Threat Detection & Response (ITDR) approach. ITDR mitigates that concern. As a key component in Identity Security Posture Management, ITDR capabilities can detect TTPs and IoCs, and then send an alert to the incident response team. Through ITDR, threat actors who have managed to breach the identity perimeter can still be stopped before they steal critical data or insert ransomware into the application.


Cross-Border Compliance Means More Tenants to Secure

Global companies are increasingly facing different regulatory requirements from one country to the next. As a result, 2024 will see an increase in the number of geo-specific tenants as part of the effort to keep data segmented in accordance with the different regulations.

This change will have a limited impact on software costs as most SaaS app pricing is based on subscribers rather than tenants. However, it will have a significant impact on security. Each tenant will need to be configured independently, and just because one instance of the application is secure doesn’t mean that all tenants are secure.

To secure all these tenants, security teams should look for a security solution that allows them to set app benchmarks, compare tenants, and display security settings side-by-side without charging extra for each additional tenant. By applying best practices throughout the organization, companies can keep all their tenants secure.

Figure 1: Adaptive Shield’s platform monitoring and presenting all Salesforce tenants

Misconfigured Settings Are Leading to New Exploits

A default misconfiguration in ServiceNow triggered widespread panic in October. The setting, which was part of the application’s Access Control Lists, allowed unauthorized users to extract data from records. The misconfiguration impacted thousands of companies. A similar misconfiguration in Salesforce Community back in May also impacted a significant number of companies and led to data breaches.

Misconfigurations like these have the potential to cause major damage to companies. They lead to data leaks that break the trust between companies and their stakeholders, and have the potential to turn into onerous fines, depending on the nature of the data that leaked.

Securing misconfigurations is an organization’s best chance at preventing these exploits from impacting their operations and hurting their bottom lines.


Increased Reliance on Third-Party Applications Adds to SaaS Risk

Third-party applications add real value for end users. They improve processes, extend functionality, and connect data between multiple applications. Users connect these SaaS apps with the click of a button, and instantly begin improving their workflows.

In March 2023, Adaptive Shield released a report showing that organizations using Google Workspace with 10,000-20,000 users averaged 13,913 third-party apps connected to Google Workspace alone. An astonishing 89% of these requested either high- or medium-risk permissions. Many of these high-risk apps are used once and forgotten about, or used by a small number of employees. However, even these dormant or lightly used applications have significant permissions and can be used to compromise or breach a SaaS application.

The use of third-party applications is only increasing, as more apps are developed and employees use their own judgment – rather than checking with their security team – when integrating third-party applications into their stack. Security teams must develop visibility into all their integrated apps, and gain insights into the permissions requested, the value the app contributes to the organization, and the risk it poses.

Figure 2: Adaptive Shield’s platform shows integrated third-party apps, their risk score, and the scopes granted

Multiple Devices to Secure as Working from Home Isn’t Going Anywhere

In 2023, nearly 40% of all employees worked from home at least part of the time. According to WFHResearch, approximately 12% of employees work exclusively in their homes, while another 28% have hybrid roles.

These figures should give pause to security personnel concerned about users logging in to their work accounts from personal devices. One of the biggest concerns security teams have is when high-privileged users log into their accounts using an unmanaged or unsecured device. These devices may have critical vulnerabilities, and create a new attack vector. For many teams, there is almost no way to tell which devices are used to access the SaaS app or see whether those devices are secure.

Organizations Are Turning to SSPM to Secure SaaS

While all these trends point to legitimate SaaS security concerns, SaaS Security Posture Management (SSPM) tools coupled with ITDR capabilities, like Adaptive Shield, can fully secure the SaaS stack. SSPMs are designed to automatically monitor configurations, looking for configuration drifts that weaken an app’s posture. In SaaS Security Survey, 2024 Plans & Priorities by Cloud Security Association and Adaptive Shield, 71% of respondents said their company had increased their investment into SaaS security tools over the past year, and 80% were either already using SSPM or planned to invest in one within the next 18 months.

SSPMs can provide baselining tools for multiple tenants of the same app, and enable users to establish best practices, compare settings from different instances, and improve the overall posture of the SaaS stack.

SSPMs also detect and monitor third-party applications, alerting users if their integrated apps are requesting too much access and updating the security team when integrated apps are dormant. They track users and monitor the devices being used to access applications to prevent the use of unmanaged or unsecured devices on corporate SaaS apps. Furthermore, their built-in communication tools make it easy for business units to collaborate with security personnel in securing their applications.

SaaS apps have grown in popularity for good reason. They allow organizations to scale as needed, subscribe to the apps they need at the moment, and limit investment in some IT. With SSPM, these applications can be secured as well.


The Hacker News
