Why has the software supply chain become a breeding ground for cyber hackers?
A new report from SecurityScorecard reveals that threat actors are increasingly using third parties as an attack vector for widespread cyber campaigns. Its analysis of 2023 breaches found that at least 29% involved a compromised third-party partner; the true share is likely higher, since many breach disclosures do not identify the initial vector.
The dominant actor was the Cl0p ransomware group, responsible for 64% of the third-party attacks attributed to a specific actor in 2023. Its campaign centered on mass exploitation of a critical vulnerability in Progress Software's MOVEit Transfer file-transfer product, which let the group reach hundreds of downstream organizations through a single supplier-side flaw.
Over 61% of the third-party breaches analyzed exploited vulnerabilities in MOVEit and other widely deployed platforms.
Once inside a third party's systems, attackers could reach the primary victims and persist undetected for longer before deploying ransomware or exfiltrating data. That expansive, trusted access let Cl0p and others scale their attacks with far less effort than breaching each victim directly would require.
“The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected,” says Ryan Sherstobitoff, Senior VP of Threat Research and Intelligence at SecurityScorecard.
Healthcare and finance were the sectors hit hardest, together accounting for over 50% of third-party attacks. Over 60% occurred in North America, with the U.S. representing the bulk. Japan also stood out: 48% of its breaches involved a third-party vector.
As business ecosystems become more interconnected, the risk from any one supplier compounds across every organization that depends on it. With regulators now singling out third parties as a significant business risk, the report urges companies to act: continuously monitoring the cyber risk of suppliers, enforcing security standards across the vendor base, and building resilience across the digital ecosystem can limit the impact when a partner is compromised.