Tech supply chains most vulnerable during cyberattacks: Report

With 35% of all cyberattacks resulting from third-party breaches, the healthcare vertical was the most impacted of all the other industries

The software and technology supply chain was the main vulnerability in most company data breaches.

According to a recent study released by SecurityScorecard, 75% of all third-party intrusions were directed at software and technology supply chains. This is because threat actors may expand their activities in these areas “with minimal effort,” according to a TechRadar report.

Furthermore, as of 2021, 75% of firms have manual third-party risk programmes, placing them at the “highest levels of maturity.” The researchers concluded that “companies must work toward automating vendor identification and cyber risk management across their entire digital ecosystem.”

Note that the MOVEit-controlled file transfer software was implicated in most breaches examined for this research. Threat actors could obtain sensitive user data by exploiting a vulnerability in this product.

MOVEit was implicated in over two-thirds (61%) of the third-party breaches. Worse, the ransomware operator Cl0p, allegedly the first to make use of the MOVEit weakness, was linked to 64% of all third-party intrusions. LockBit, another notorious ransomware operation, accounted for just 7%.

With 35% of all cyberattacks resulting from third-party breaches, the healthcare vertical was the most impacted of all the other industries. Hackers greatly value healthcare information.

Leaking it could cause a host of problems for the company it was stolen from, which pressures that company to comply with any ransom demand. Threat actors can also sell it profitably on the dark web.

Ultimately, North America accounted for two-thirds (64%) of all third-party breaches, with 63% occurring in the US. SecurityScorecard notes that the data may be slightly skewed because the United States and other English-speaking nations are “overwhelmingly” the focus of the security sector and media.

Meanwhile, the report from software supply chain management specialist Sonatype showed that the year 2023 witnessed more software cyberattacks than the previous three years combined.

Sonatype’s “2023 State of the Software Supply Chain Report” indicated that the problem was compounded by the fact that some software developers “needlessly download vulnerable open source software when there are newer and safer versions of those downloads readily available.”

Sonatype logged 245,032 malicious packages in 2023, and said that as many as one in eight open-source software (OSS) downloads in the year posed “known and avoidable risks”.
