Threat intelligence experts have been detailing the continued evolution of the Tycoon 2FA phishing-as-a-service (PhaaS) kit, with the latest coming from DNSFilter researchers outlining how the bad actors are improving their obfuscation techniques, using target-specific subdomains, and growing their use of Spanish domains.
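The target-specific subdomain point above lends itself to a simple defensive check: hostnames in DNS or proxy logs whose subdomain labels embed your own brand but sit on a registrable domain you do not own. The following is an added example, not code from DNSFilter or the article; the log lines, the domain example-corp.com and the brand tokens are all constructed, and the registrable-domain split is a naive last-two-labels rule (a real deployment would use the Public Suffix List).

```python
"""Flag log hostnames whose subdomain embeds a protected brand on a
registrable domain the organization does not own (lookalike detection).

Added example with constructed data; not the article's or DNSFilter's code.
"""
import re
from dataclasses import dataclass

# Constructed sample log (not real indicators): timestamp, client, queried name.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=login.example-corp.com
2024-05-01T10:00:02Z client=10.0.0.5 qname=examplecorp-login.secure-mail-check.es
2024-05-01T10:00:03Z client=10.0.0.9 qname=cdn.vendor-static.net
2024-05-01T10:00:04Z client=10.0.0.9 qname=example-corp.sso.verify-account.com
2024-05-01T10:00:05Z client=10.0.0.7 qname=mail.example-corp.com
"""

# Assumed allow-list of domains the organization controls (constructed).
OWNED_DOMAINS = {"example-corp.com"}
# Brand strings an attacker would embed to make a subdomain look legitimate.
BRAND_TOKENS = {"example-corp", "examplecorp"}

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


@dataclass
class Finding:
    client: str
    host: str
    reason: str


def registrable_domain(host: str) -> str:
    """Naive split: treat the last two labels as the registrable domain.
    Assumption for the example; production code should consult the
    Public Suffix List (e.g. co.uk style suffixes break this rule)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _normalize(text: str) -> str:
    # Attackers split brands with dots or hyphens; compare without them.
    return re.sub(r"[-.]", "", text.lower())


def flag_hostname(host: str, owned: set[str], brands: set[str]):
    """Return a reason string if the hostname is a brand-bearing lookalike
    on an unowned domain, otherwise None."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in owned:
        return None  # legitimate: brand on a domain we control
    subdomain = host[: -len(reg) - 1] if len(host) > len(reg) else ""
    if not subdomain:
        return None  # bare domain; brand-in-apex is a separate (typosquat) check
    norm_sub = _normalize(subdomain)
    for brand in brands:
        if _normalize(brand) in norm_sub:
            return f"brand '{brand}' in subdomain of unowned domain {reg}"
    return None


def scan_log(text: str, owned=OWNED_DOMAINS, brands=BRAND_TOKENS) -> list[Finding]:
    """Parse each log line and collect lookalike findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reason = flag_hostname(m["qname"], owned, brands)
        if reason:
            findings.append(Finding(m["client"], m["qname"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.reason}")
```

Both constructed lookalikes are caught regardless of how the brand is split by hyphens or dots, while traffic to the owned domain passes; the `.es` hit is flagged by its brand content, not its TLD, which keeps the rule useful as the kit rotates through other country-code domains.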
The reports from DNSFilter and other vendors highlight the ongoing challenges facing security teams and MSSPs from a rapidly expanding cybercrime-as-a-service (CaaS) environment, which makes it easier for lesser-skilled threat actors to launch sophisticated attacks. The CaaS trend includes a range of threats, from PhaaS to ransomware-as-a-service (RaaS) to malware-as-a-service (MaaS).
“Malware-as-a-service has been concerning for some time now because it allows relatively low technical competence to execute highly technical attack tools,” Rob Enderle, principal analyst with The Enderle Group, told MSSP Alert. “With AI spinning into this mess, users, companies, and governments are not only at significant risk, but that risk is increasing at a rate that exceeds most malware mitigation programs’ ability to counter.”
MaaS on the Rise
Security vendor Darktrace put some numbers to the growing trend earlier this year, highlighting in its 2024 Annual Threat Report that MaaS now accounts for 57% of all cyberthreats to organizations.
“The persistence of CaaS models, particularly Ransomware-as-a-Service (RaaS) and MaaS, is growing rapidly as less experienced threat actors access new tools to carry out disruptive attacks,” the threat researchers wrote, adding that MaaS tools rose 17% in the latter half of 2024, from 40% in the first six months to 57% in the second.
Nathaniel Jones, vice president of threat research at Darktrace, said “the combination of cybercrime-as-a-service, automation, and AI are increasing the sophistication and diversity of attack techniques faster than ever – from AI-enhanced phishing campaigns to evolving ransomware strains.”
Tycoon 2FA Ramps Up PhaaS Operations
DNSFilter’s Will Strafach outlined Tycoon 2FA’s operations, a sophisticated PhaaS platform that’s been in operation since August 2023 and focuses on adversary-in-the-middle (AiTM) attacks.
“Individual threat actors handle victim targeting and luring, while the centralized Tycoon infrastructure manages the technical aspects of credential harvesting and session token theft,” wrote Strafach, head of Guardian, DNSFilter’s firewall and VPN app. “Rather than hosting phishing infrastructure themselves, attackers simply need to direct victims to specific links that leverage the shared Tycoon platform.”
Other vendors are also keeping an eye on Tycoon 2FA. In April, Trustwave detailed new evasion tactics, and eSentire also saw a significant jump in Tycoon 2FA PhaaS cases.
The Scary Combination of CaaS and AI
Officials with MSSP Megawire revealed earlier this year that the combination of CaaS and AI is creating a “seismic shift” in the cybersecurity landscape by making it easier for threat actors to launch attacks. This in turn is accelerating the rise in the number of attacks organizations are facing. For MSSPs, the proliferation of attacks is both a challenge and an opportunity, according to the Ontario, Canada-based MSSP.
“This commoditization of cybercrime has led to a dramatic increase in the volume and sophistication of attacks, leaving MSSPs with the daunting task of defending against threats that evolve at breakneck speed,” they wrote. “To counter the rapid proliferation of cybercrime, MSSPs must invest in AI-powered Security Operations Centers (SOCs). These SOCs leverage artificial intelligence and machine learning to automate threat detection, analysis, and response, offering a proactive defense mechanism against evolving attack vectors.”
Such tools can use AI algorithms to identify anomalies and threats in real time, analyze historical data to predict emerging patterns, and automatically isolate compromised systems. In addition, AI-powered tools make it much easier for MSSPs to scale their efforts to match the needs of enterprise and SMB customers and to address cloud-native environments.
MSSPs Must Embrace AI, Partnerships
“By adopting AI-powered SOCs, refining their service offerings, and educating clients on best practices, MSSPs can adapt to this threat-laden future,” the Megawire officials wrote, adding that other steps include collaborating with internet security companies, investing in scalable and cloud-native solutions, and using tools like penetration testing and network cabling.
Enderle said MSSPs that want to mitigate the risks that come with CaaS need initiatives that match the effort the cybercrime community has put into developing tools that provide cyberthreat capabilities to large audiences, an effort he said requires massive initial funding and the use of rare experts. That means they need to look within themselves as well as at outside entities.
“MSSPs and MSPs need to not only collectively look at coming up with solutions that address this accelerated risk but also partner with firms that have the resources and technology needed to counter them,” the analyst said. “If we use a warfare metaphor, this would be like Ukraine needing to partner with NATO and the U.S. to counter Russia and then Russia partnering with Iran and North Korea to counter Ukraine’s partnerships. This threat demands a response that can scale to the threat and no MSSP or MSP is going to be strong enough to alone counter it.”