IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.
One of the key takeaways of this year’s report was the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing, there are a few other factors to consider.
Sudden decrease in SaaS mentions across the dark web
In a recent collaboration with Cybersixgill, a leading dark web intelligence firm, IBM’s X-Force provided updated statistics in its Cloud Threat Landscape Report on the number of SaaS solutions mentioned across the dark web.
Surprisingly, even though compromised cloud solutions remain highly relevant and valuable when creating sellable assets across dark web marketplaces, the number of SaaS platforms being mentioned dropped by an average of 20.4% year-over-year.
Among the largest reductions was WordPress-Admin, which declined nearly 98% between 2023 and 2024, followed by Microsoft Active Directory and ServiceNow, which saw a 44% and 38% decline, respectively.
While the majority of SaaS platforms mentioned decreased year-over-year, Microsoft TeamViewer was an outlier. Even though the platform only represented 1.8% of all of the mentioned SaaS solutions, it still saw an increase of 9% between 2023 and 2024.
What are the potential contributors to fewer SaaS mentions?
The decreased activity in SaaS mentions initially points to a potentially emerging trend in the sophistication of modern-day cybersecurity solutions. However, as with all first-year statistical report shifts, it’s important to consider all calculation variables and contributing factors.
To help shed some more light on these figures, Colin Connor, a member of IBM’s X-Force team, was interviewed to provide additional perspective. When asked to comment on the potential driver of this dark web trend shift, Connor states, “These statistics appear to be an overall trend that was also referenced in the decrease in total compromised credentials sold during the same reporting period. This also coincides with the takedown of Raccoon Stealer, which caused a prolonged decrease in credential sales from July 2023 onward.”
Raccoon Stealer was one of the most widely used infostealers and held the majority of the dark web market share for credential stealers starting in 2022, but it was taken down by the FBI in August of 2023.
Commenting on the overall impact Raccoon Stealer had on the year-over-year statistics of this report, Connor says, “During its peak in March 2023, it was nearly 87% of the source of stolen logs and accounted for almost 50% of the stolen credentials in our 2023 collection. It’s also important to remember that the majority of dark web credentials sold are stolen from infostealer malware. So, this takedown of Raccoon had a dramatic effect. The marketplace continues to recover — from 192,000 credential sets overall for sale in July 2023 to 721,000 in July 2024. It also has yet to recover from the peak in March 2023 — which equated to 1.2 million credential sets for sale.”
Will there be a resurgence of compromised SaaS platforms in the near future?
According to IBM’s X-Force team, while the year-over-year decline of SaaS mentions on the dark web is positive, pointing to increased law enforcement actions against major dark web marketplaces and enhanced security measures being taken by large enterprises, it’s critical that organizations not let their guard down as a result.
When asked about what the most recent Raccoon Stealer takedown means for the shifting dark web market dynamics, Connor states, “Raccoon’s ability to recover in 2024 was limited, but what we’re seeing is that the relatively smaller players are starting to grow… We saw that Luma, RisePro and Stealc have now become major players… Luma especially took a huge step up, showing a 241% in popularity in Q3.”
It’s still too early to know if these previously smaller players will have the stamina to create disruptions similar to Raccoon Stealer across the dark web in the next couple of years. There is also the possibility that Raccoon Stealer will see some form of recovery in the future.
The important thing is that organizations don’t become complacent in their proactive security planning. IBM’s X-Force team recommends that all organizations continue to conduct comprehensive security testing across their on-premise and cloud infrastructure while regularly strengthening their incident response capabilities. This helps to ensure that even when trends begin to shift, organizations can mitigate their risks of having systems or networks compromised.