Unprotected Software Supply Chain Leaves Businesses Vulnerable to Ransomware

By Greg Tavarez, TMCnet Editor  |  March 06, 2024

It’s a never-ending cycle; every day, we wake up to see how cybercriminals continue to hone their tactics, exploiting the interconnected nature of modern business ecosystems. One of the prominent strategies involves targeting the trusted relationships between companies and their third-party suppliers and vendors. This approach capitalizes on the inherent trust that organizations place in their partners, leveraging it as a vulnerability to breach networks and systems.

By infiltrating the networks of third-party suppliers and vendors, cybercriminals gain access to a wide array of valuable assets and sensitive information. This can include intellectual property, financial data, customer records or even critical infrastructure systems. The repercussions of such attacks can be severe, ranging from financial losses to reputational damage and operational disruptions.

These attacks frequently take the form of supply chain attacks, in which malicious actors compromise the software or hardware components a vendor supplies and plant malware or backdoors that are then distributed to every downstream customer. Alternatively, attackers exploit vulnerabilities in the communication channels or authentication mechanisms (such as file-transfer services, VPNs and federated logins) that connect companies to their third-party partners.

Looking a bit deeper into these attacks, SecurityScorecard has released a report on global third-party cybersecurity breaches.

According to the report, 75% of third-party breaches targeted the software and technology supply chain; a single vulnerability in a widely used product gives threat actors a conduit to scale their operations with minimal effort. Given that, as of 2021, 75% of organizations at the highest third-party-risk maturity levels still reported running manual third-party risk programs, there is a pressing need for companies to automate vendor identification and cyber risk management across their digital ecosystem.

A big highlight of the report was the dominance of Cl0p, a notorious cybercrime group: Cl0p was responsible for 64% of identifiable third-party breaches in 2023, followed distantly by LockBit at a mere 7%. Cl0p's share was driven by its mass exploitation of a critical zero-day vulnerability in Progress Software's MOVEit Transfer file-transfer product.

Also, 61% of third-party breaches were attributed to the MOVEit vulnerability (CVE-2023-34362, a SQL injection flaw in MOVEit Transfer). The three most frequently exploited vulnerabilities (MOVEit, CitrixBleed and Proself) together accounted for 77% of all third-party breaches in which a specific vulnerability was identified. The MOVEit zero-day's impact was particularly far-reaching: because the compromised vendors themselves served other organizations, the breach extended beyond third parties to fourth- and fifth-party stakeholders that had no direct relationship with MOVEit at all.
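The fourth- and fifth-party exposure described above is easy to state and surprisingly hard to enumerate in practice, because most organizations only track their direct suppliers. The following is an added example (not code from the SecurityScorecard report or from TMCnet) showing how, given a vendor-relationship graph, one compromised supplier's reach can be walked breadth-first to list every downstream organization and the "party depth" at which it is exposed. The vendor names and relationships are constructed for illustration.

```python
"""Nth-party exposure walk.

Given a supplier -> customers graph and one compromised supplier, list
every organization reachable downstream, the depth at which it is
exposed (1 = the vendor's direct customers, i.e. a third-party breach
from their point of view; 2 = fourth party; 3 = fifth party ...) and
the shortest supply path that exposes it.

Added example; the graph below is constructed, not real vendor data.
"""
from collections import deque

# Constructed supplier graph. key = supplier, value = organizations that
# depend on it. A compromise of the key can propagate to every value.
VENDOR_GRAPH = {
    "file-transfer-vendor": ["payroll-provider", "claims-processor", "acme-bank"],
    "payroll-provider": ["acme-hospital", "widget-co"],
    "claims-processor": ["acme-hospital", "regional-insurer"],
    "regional-insurer": ["acme-hospital"],
    "acme-bank": [],
    "acme-hospital": [],
    "widget-co": [],
}

_ORDINALS = {3: "third", 4: "fourth", 5: "fifth", 6: "sixth", 7: "seventh"}


def party_label(depth):
    """Map exposure depth to the 'nth party' wording used in the report."""
    n = depth + 2
    return f"{_ORDINALS.get(n, str(n) + 'th')} party"


def downstream_exposure(graph, compromised):
    """Breadth-first walk from the compromised supplier.

    Returns {org: {"depth": int, "path": [supplier, ..., org]}}.
    BFS means the first time an org is reached is via its shortest path,
    so an org reachable through several vendors is reported once, at the
    minimum depth. The `seen` set also makes the walk safe on cyclic
    graphs (mutual suppliers are common in real vendor data).
    """
    exposure = {}
    seen = {compromised}
    queue = deque([(compromised, 0, [compromised])])
    while queue:
        node, depth, path = queue.popleft()
        for customer in graph.get(node, []):
            if customer in seen:
                continue
            seen.add(customer)
            new_path = path + [customer]
            exposure[customer] = {"depth": depth + 1, "path": new_path}
            queue.append((customer, depth + 1, new_path))
    return exposure


def exposure_report(graph, compromised):
    """Human-readable lines, nearest exposures first."""
    exposure = downstream_exposure(graph, compromised)
    lines = []
    for org, info in sorted(exposure.items(), key=lambda kv: (kv[1]["depth"], kv[0])):
        lines.append(
            f"{org:18s} {party_label(info['depth']):14s} via {' -> '.join(info['path'])}"
        )
    return lines


if __name__ == "__main__":
    # Scenario mirroring the MOVEit pattern: the file-transfer vendor is
    # compromised, and exposure spreads through its customers' customers.
    for line in exposure_report(VENDOR_GRAPH, "file-transfer-vendor"):
        print(line)
```

In the constructed graph, `acme-hospital` never bought anything from the file-transfer vendor, yet it shows up as a fourth party through its payroll provider (and again, at greater depth, through its claims processor and insurer). That is exactly the blind spot the report describes: a questionnaire sent only to direct suppliers would never surface it, so the supplier list fed into a walk like this needs to include what your vendors themselves depend on.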

Furthermore, approximately 29% of all breaches in 2023 had a third-party attack vector, according to SecurityScorecard's STRIKE threat research team. This figure likely understates the true extent, because many breach notifications never specify the attack vector at all.

As for the industries that got hit the hardest, healthcare organizations bore the brunt of 35% of third-party breaches, followed by financial services at 16%, according to the report.

“The supplier ecosystem is a highly desirable target for ransomware groups,” said Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, SecurityScorecard. “Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected.”

Mitigating the risks associated with these attacks requires a multifaceted approach. Companies must implement robust cybersecurity measures not only within their own networks, but also across their entire supply chain. This includes thorough vetting of third-party vendors, implementing security standards and protocols, and conducting regular audits and assessments. Vetting and audits alone do not catch a zero-day in a vendor's product, as MOVEit showed; knowing which vendors hold or move your data, and being able to detect when one of them is compromised, matters just as much.

The report's breach data came from SecurityScorecard's new BreachDetails threat intelligence solution. With BreachDetails, SecurityScorecard says it increased breach data coverage by 50% compared to other breach notice providers by using AI to analyze news articles, ransomware notifications and international sources.

“In the digital age, trust is synonymous with cybersecurity,” said Dr. Aleksandr Yampolskiy, CEO and co-founder, SecurityScorecard. “Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems.”

Ultimately, safeguarding against attacks that exploit trusted relationships demands proactive collaboration and diligence from all parties involved in the interconnected web of modern business operations.

Edited by Alex Passett