Three-quarters of third-party breaches targeted software supply chain
Software supply chains were the target for 75% of third-party ransomware attacks last year, according to a global cybersecurity study by SecurityScorecard, which says cyberattackers are conducting mass exploitation of vulnerabilities in supply chain technology.
“Technology supply chain vulnerabilities enable threat actors to scale their operations with minimal effort,” the US-based cybersecurity ratings firm warns.
Publishing its Global Third-Party Cybersecurity Breach Report, SecurityScorecard finds that North America accounted for 64% of third-party breaches in 2023, while Europe accounted for only 9%. SecurityScorecard also reveals that Japan recorded a significantly higher rate of breaches involving third-party attack vectors, at 48%.
“As a hub for automotive, manufacturing, technology, and financial services, Japanese companies face significant supply chain cyber risk due to international dependencies,” the report says.
SecurityScorecard identifies the cybercrime group Cl0p as responsible for 64% of attributable third-party breaches in 2023, driven by the MOVEit attack, followed by LockBit at 7%. The MOVEit attack alone accounted for 61% of all third-party breaches last year.
“One reason for the widespread impact of the MOVEit zero-day was that it enabled third-party, fourth-party, and even fifth-party compromises,” SecurityScorecard says.
The report also finds that, as of 2021, 75% of organisations admitted their third-party risk programmes were manual. “Companies must work toward automating vendor identification and cyber risk management across their entire digital ecosystem,” it says.
Healthcare and financial services emerge as the sectors most affected by third-party breaches, SecurityScorecard says, with healthcare accounting for 35% of total breaches and financial services accounting for 16%.
Ryan Sherstobitoff, senior vice-president of threat research and intelligence at SecurityScorecard, says: “The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected.”
Dr Aleksandr Yampolskiy, CEO and co-founder of SecurityScorecard, adds: “In the digital age, trust is synonymous with cybersecurity. Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems.”