Virtualization Technology News and Information
SecurityScorecard Third-Party Breach Report Reveals Software Supply Chain as Top Target for Ransomware Groups

SecurityScorecard released its Global Third-Party Cybersecurity Breach Report. Using the world's largest proprietary risk and threat data set, SecurityScorecard STRIKE threat hunters analyzed threat groups' mass exploitation of supply chain vulnerabilities.

Key findings include:

  • 75% of third-party breaches targeted the software and technology supply chain
    Technology supply chain vulnerabilities enable threat actors to scale their operations with minimal effort. With 75% of organizations at the highest levels of maturity saying their third-party risk program is manual as of 2021, companies must work toward automating vendor identification and cyber risk management across their entire digital ecosystem.
  • 64% of third-party breaches linked to C10p
    Notorious cybercrime group C10p was responsible for 64% of attributable third-party breaches in 2023, followed only by LockBit at a mere 7%. C10p's dominance was fueled by extensive attacks exploiting a critical zero-day vulnerability in MOVEit software.
  • 61% of third-party breaches attributed to MOVEit (CVE-2023-34362)
    The three most widely exploited vulnerabilities (MOVEit, CitrixBleed, and Proself) were involved in 77% of all third-party breaches involving a specified vulnerability. One reason for the widespread impact of the MOVEit zero-day was that it enabled third-party, fourth-party, and even fifth-party compromises.
  • At least 29% of breaches have third-party attack vectors
    STRIKE found that approximately 29% of all breaches in 2023 were attributable to a third-party attack vector. This number likely underestimates the actual percentage, as many reports on breaches do not specify an attack vector.
  • 35% of third-party breaches affected healthcare organizations
    Healthcare and financial services emerged as the sectors most heavily impacted by third-party breaches, with healthcare accounting for 35% of total breaches and financial services accounting for 16%.
  • 64% of all third-party breaches occurred in North America
    The U.S. alone represents 63%. However, geographic variations may be harder to detect due to the overwhelming focus of news media and security vendors on breaches in the U.S. and other English-speaking countries.
  • 48% of all breaches in Japan involved a third-party attack vector
    While third-party breaches are common globally, Japan stood out with a significantly higher rate. As a hub for automotive, manufacturing, technology, and financial services, Japanese companies face significant supply chain cyber risk due to international dependencies.

Covering adversary activity in 2023, the report is the first to use SecurityScorecard's new BreachDetails threat intelligence solution. With BreachDetails, SecurityScorecard increased the level of breach data coverage by 50% compared to other breach notice providers by using AI to analyze news articles, ransomware notifications, and international sources.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, SecurityScorecard, said:
"The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected."

Third-party cyber risk is a business risk
As cited by the new SEC cybersecurity incident disclosure requirements, SecurityScorecard discovered that 98% of organizations have a relationship with a third party that has been breached. According to Gartner Research, "The cost of a third-party cyber breach is typically 40% higher than the cost to remediate an internal cybersecurity breach." With the average cost of a data breach reaching $4.45 million in 2023, organizations must proactively operationalize supply chain cyber risk management to mitigate business risk.

Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, stated:
"In the digital age, trust is synonymous with cybersecurity. Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems."

For more in-depth analysis and to download the report, visit:

Published Wednesday, February 28, 2024 9:32 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<February 2024>