"Silent breaches" within interconnected ecosystems dominated the third-party breach landscape in 2024, a report by cyber-risk intelligence company Black Kite has found.
In a silent breach, threat actors capitalize on systemic vulnerabilities to hijack trusted vendor relationships as gateways. In 2024, the annual report noted, silent breaches created disruption with cascading effects that wreaked havoc on industries such as health care, retail, and logistics. The report is based on an analysis of public breach disclosures and regulatory filings, data collected by Black Kite researchers, and input from industry research and thought leaders.
Jeffrey Wheatman, Black Kite’s senior vice president and cyber-risk strategist, said organizations need to recognize the threat posed by silent breaches.
“Because our digital ecosystems are so complicated, we frequently don't even know where our dependencies are and where some of these software packages sit within our partners or their partners. We saw some examples of this around MOVEit, Snowflake, and, recently, CrowdStrike. Most organizations had no idea how exposed they were to these commonly used but not highly advertised products.”
—Jeffrey Wheatman
The interconnectedness of today's software development drives progress, but it also heightens risk, said Black Kite's chief research and intelligence officer, Ferhat Dikbiyik, who issued a statement about the report:
"Because of our increasing reliance on software platforms and tools, the exploitation of a single vulnerability can have a catastrophic impact. Amidst these challenges, critical lessons emerged, revealing pathways to resilience and improved cybersecurity practices."
—Ferhat Dikbiyik
Here are key lessons from the report for your security team.
1. Trusted-vendor relationships have become attack gateways
Of the systemic vulnerabilities in third-party relationships that can be exploited by threat actors, Wheatman said, continuing trust can be the most pernicious. In fact, one-fourth of third-party breaches start with a trusted vendor.
“There is an assumption that because there used to be a reason to trust a partner, you should continue to trust them. [But] just because they were good when you onboarded them doesn't mean they will continue to be good, and we see this frequently in vendor ecosystems."
—Jeffrey Wheatman
Another systemic problem is focusing on the potential risks posed by direct partners in the supply chain while giving little thought to the risks posed by fourth parties and beyond. Because those relationships are not close, they too often aren't examined, Wheatman said, "but we have seen over and over again that separation from a direct connection doesn't necessarily mean there's no risk there.”
Jim Routh, chief trust officer at Saviynt, said compromised credentials are another problem with interconnected ecosystems. “The setup and management of third-party digital identities are often performed by enterprise employees with limited skill in identity access management, partially because the IAM teams are overwhelmed with requests and partly because third-party risk management staff don’t know IAM practices,” he said.
“Credentials can be harvested from phishing attacks targeting the third-party staff, spoofing service calls and messaging and using deepfakes to mimic the third-party staff on video calls and online."
—Jim Routh
Excessive permissions are another major risk, said Akhil Mittal, a senior manager at Black Duck Software.
“Vendors often have more access than they need. If one is breached, attackers can move laterally and escalate their attack. Poor segmentation makes this even worse. When vendor access isn’t properly isolated, a breach in one system can quickly spread.”
—Akhil Mittal
2. Network access is inadequately controlled
Unauthorized access accounted for more than 50% of publicly disclosed third-party breaches in 2024, the report found.
“The controls that should be implemented to manage unauthorized network access aren't new. These are things that are basic blocking and tackling, and we should have been focusing on them for a number of years. But at a high level, there are a handful of controls that are part of the standard of due care, which are must-have things.”
—Jeffrey Wheatman
Those must-haves include multifactor authentication (MFA); role-based access control; network security controls such as firewalls, intrusion detection/prevention systems, network segmentation, and VPNs; endpoint security tools such as anti-malware, endpoint detection and response, and device authentication; and monitoring and logging procedures for access and data usage, including proper governance, awareness, and incident response.
Erich Kron, a security awareness advocate at KnowBe4, said the term "unauthorized network access" is vague but typically refers to non-employees, including contractors, gaining access to an organization's network.
“This can happen many ways: poor credential hygiene, malware introduced through email or a malicious website, misconfigured security."
—Erich Kron
Because unauthorized network access is often gained by tricking humans into giving up information, one of the best countermeasures is a well-designed and well-executed human risk-management program, Kron said. Such programs should include technical controls that look for malware in email as well as employee education and training in areas such as identifying phishing and reporting suspicious activity. Also important are using unique, complex, and long passwords as well as MFA to protect accounts, and strictly enforcing security-focused policies and procedures for all vendors, whether new or established.
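The controls listed above (MFA, scoped vendor access, segmentation, and monitoring of access logs) only pay off if someone actually checks vendor logins against the agreed terms of access. The following is an added example, not code from the original article or from any of the companies quoted in it: it scans a constructed JSON-lines access log against a constructed per-vendor policy and flags logins without MFA, from outside the vendor's declared source range, outside the agreed maintenance window, to hosts outside the vendor's segment, or by accounts whose grant has expired or been revoked. All vendor names, account names, addresses, and hosts are hypothetical.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed vendor access policy (hypothetical vendors and hosts).
VENDOR_POLICY = {
    "svc-acme-support": {
        "allowed_sources": ["203.0.113.0/24"],          # vendor's declared egress range (TEST-NET-3)
        "allowed_hours_utc": (8, 18),                    # agreed maintenance window, UTC
        "allowed_hosts": ["erp-app-01", "erp-app-02"],  # the segment this vendor is scoped to
        "grant_expires": "2025-06-30T23:59:59+00:00",
        "revoked": False,
    },
    "svc-oldvendor": {
        "allowed_sources": ["198.51.100.0/24"],
        "allowed_hours_utc": (0, 24),
        "allowed_hosts": ["legacy-db-01"],
        "grant_expires": "2024-01-31T23:59:59+00:00",
        "revoked": True,   # vendor was offboarded but the account was never deleted
    },
}

# Constructed JSON-lines access log; not real traffic.
ACCESS_LOG = """\
{"ts": "2025-03-10T10:15:00+00:00", "user": "svc-acme-support", "src": "203.0.113.45", "host": "erp-app-01", "mfa": true}
{"ts": "2025-03-10T02:40:00+00:00", "user": "svc-acme-support", "src": "203.0.113.45", "host": "erp-app-01", "mfa": true}
{"ts": "2025-03-10T11:05:00+00:00", "user": "svc-acme-support", "src": "192.0.2.17", "host": "erp-app-02", "mfa": false}
{"ts": "2025-03-10T11:30:00+00:00", "user": "svc-acme-support", "src": "203.0.113.46", "host": "hr-db-01", "mfa": true}
{"ts": "2025-03-11T09:00:00+00:00", "user": "svc-oldvendor", "src": "198.51.100.9", "host": "legacy-db-01", "mfa": true}
{"ts": "2025-03-11T09:10:00+00:00", "user": "jdoe", "src": "10.0.4.8", "host": "erp-app-01", "mfa": true}
"""


def check_event(ev, policy):
    """Return the policy violations for one access event (empty list if the event is clean)."""
    p = policy.get(ev["user"])
    if p is None:
        return []  # not a vendor account; employees are handled by other controls
    ts = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
    violations = []
    if p["revoked"]:
        violations.append("revoked-account")
    if ts > datetime.fromisoformat(p["grant_expires"]):
        violations.append("expired-grant")
    if not ev.get("mfa"):
        violations.append("no-mfa")
    src = ipaddress.ip_address(ev["src"])
    if not any(src in ipaddress.ip_network(net) for net in p["allowed_sources"]):
        violations.append("unexpected-source")
    start, end = p["allowed_hours_utc"]
    if not (start <= ts.hour < end):
        violations.append("outside-window")
    if ev["host"] not in p["allowed_hosts"]:
        violations.append("out-of-scope-host")
    return violations


def scan_log(log_text, policy):
    """Map the index of each offending log line to its list of violations."""
    findings = {}
    for i, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        v = check_event(json.loads(line), policy)
        if v:
            findings[i] = v
    return findings


if __name__ == "__main__":
    for idx, v in scan_log(ACCESS_LOG, VENDOR_POLICY).items():
        print(f"line {idx}: {', '.join(v)}")
```

On the constructed log this flags four of the six lines: an after-hours login, a login without MFA from an undeclared network, a login to a host outside the vendor's segment, and a successful login by an offboarded vendor account whose grant expired more than a year earlier. The last case is the "continuing trust" problem Wheatman describes: the account was good at onboarding and nobody re-checked it.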
3. Ransomware remains one of the most disruptive cyberthreats
Ransomware accounted for 66.7% of known attack methods in 2024 — with attackers increasingly leveraging third-party vectors to amplify their impact. Darren Guccione, CEO of Keeper Security, said ransomware attacks increasingly leverage third-party vendors as high-value entry points, allowing attackers to scale their impact across multiple organizations.
“Compromised vendors with broad access to client systems enable attackers to deploy ransomware through software updates, shared authentication mechanisms, or direct access to critical infrastructure. Poor segmentation within supply chains further exacerbates this risk, allowing lateral movement across connected networks.”
—Darren Guccione
To mitigate those threats, Guccione recommends that organizations enforce strict access controls and ensure that vendors meet recognized security certifications and authorizations, such as FedRAMP, SOC 2 Type 2, and ISO 27001, 27017, and 27018. “These certifications demonstrate that the supplier has established robust security controls, risk management practices, and internal audits,” Guccione said.
Privileged access management is essential in both preventing and limiting the damage of breaches, by ensuring that privileged credentials are tightly controlled, rotated, and monitored, Guccione said. “A proactive defense strategy — built on strong authentication, network segmentation, and continuous monitoring — ensures that third-party relationships don’t become liabilities in the fight against ransomware.”
Black Duck’s Mittal said that’s how ransomware attackers operate. Attackers take advantage of trusted software updates by inserting malicious code, as seen in past supply chain attacks like SolarWinds and Kaseya.
“Why target one company when hacking a single vendor opens the door to dozens?”
—Akhil Mittal
Managed service providers are another prime target, Mittal said. Through a breached MSP, attackers can push ransomware to all its clients. “Weak vendor passwords and cloud misconfigurations make their job even easier. Many vendors still use outdated passwords or hardcoded credentials left exposed online. Attackers don’t need advanced tools when stolen logins are already waiting for them on the dark web,” he said.
4. Vulnerabilities continue to pose significant risks
Vulnerabilities, including zero-days, predominantly affected internet-facing network devices, operating systems, and widely used applications, underscoring the continued reliance of attackers on unpatched or misconfigured systems, the report said.
Black Kite's Wheatman said software bills of materials can help, although the push for SBOMs has stalled in many areas. “We’ve also seen an uptick in contractual requirements to ensure that software products are patched consistently,” he said.
“We also hear a lot of buzz around mandatory patching and update pushes. But, to be quite honest, I am not necessarily a fan of that. We would be reliant on testing by third parties, and we know that that doesn't necessarily always work well.”
—Jeffrey Wheatman
He said there's promise in holding software vendors liable for common problems in their software, especially open vulnerabilities and things they should have known about and taken care of. “But again, we must be careful about pushing all that back on the software vendors,” Wheatman said.
Mittal said he has seen organizations assume that vendors keep their own software updated, only to find out they don’t. “Delays in patching create easy entry points, but the bigger problem is visibility,” he said.
“Most organizations have no idea what’s running inside their vendor’s systems. That’s how a single unpatched open-source vulnerability can spread across entire industries.”
—Akhil Mittal
Mittal said every organization should demand an SBOM. “If you don’t know what’s inside your software supply chain, you’re flying blind,” he said. “The best approach isn’t just giving vendors a checklist — it’s working with them regularly to ensure updates and security settings are in place. Setting clear patching timelines in contracts keeps vendors accountable. When organizations and vendors collaborate on vulnerability management, attackers have fewer security gaps to exploit,” he said.
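An SBOM is only useful if you actually match it against known vulnerabilities and against the patching timelines written into the contract. The following is an added example, not code from the original article or from Black Kite, Black Duck, or ReversingLabs: it parses a constructed CycloneDX-style SBOM fragment, matches each component's package URL against a constructed advisory feed, and reports which components fall inside an affected version range and how far past the contractual patch window they are. The package names, advisory identifiers (HYPO-…), dates, and the 30-day window are all hypothetical; a real run would consume the vendor's SBOM and an advisory source such as OSV or NVD.

```python
import json
import re
from datetime import date

# Constructed CycloneDX-style SBOM fragment (hypothetical packages, not a real vendor's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1", "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1",   "purl": "pkg:pypi/example-yaml@5.1"},
    {"type": "library", "name": "example-xml",  "version": "4.9.2", "purl": "pkg:pypi/example-xml@4.9.2"}
  ]
}
"""

# Constructed advisory feed keyed by version-less purl. Identifiers are hypothetical.
ADVISORIES = {
    "pkg:pypi/example-http": [
        {"id": "HYPO-2024-0001", "introduced": "2.0.0", "fixed": "2.3.4", "published": "2024-03-01"},
    ],
    "pkg:pypi/example-yaml": [
        {"id": "HYPO-2024-0002", "introduced": "0", "fixed": "5.4", "published": "2024-04-20"},
    ],
    "pkg:pypi/example-xml": [
        {"id": "HYPO-2023-0003", "introduced": "4.0.0", "fixed": "4.9.1", "published": "2023-11-15"},
    ],
}

PATCH_WINDOW_DAYS = 30  # hypothetical contractual patching timeline


def parse_version(v):
    """Turn a dotted version into a tuple of ints for ordering.

    Simplification: non-numeric parts (pre-release tags, etc.) become 0. Real
    ecosystems (PEP 440, semver) need their ecosystem's comparison rules.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def purl_base(purl):
    """Strip the @version suffix so the purl can index the advisory feed."""
    return purl.split("@", 1)[0]


def find_vulnerable(sbom_text, advisories, as_of, window_days=PATCH_WINDOW_DAYS):
    """Return one finding per (component, advisory) pair whose version is in the affected range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        ver = parse_version(comp["version"])
        for adv in advisories.get(purl_base(comp["purl"]), []):
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                published = date.fromisoformat(adv["published"])
                days_overdue = (as_of - published).days - window_days
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                    "days_overdue": max(days_overdue, 0),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES, date(2024, 5, 1)):
        print(f"{f['component']} {f['version']}: {f['advisory']} fixed in {f['fixed_in']}, "
              f"{f['days_overdue']} days past the patch window")
```

On the constructed input two components are flagged (example-http and example-yaml are below their fixed versions) and example-xml is not, because 4.9.2 is already past the fix. The days-overdue figure is what turns the SBOM into the contractual accountability Mittal describes: a component that is still affected 31 days after the advisory is a measurable breach of a 30-day patching term, not a matter of opinion.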
5. The supply chain is being attacked for a reason
The number of third-party breaches indicates a growing preference for software supply chain attacks, Wheatman said.
“I am reminded of the old quote from bank robber Willie Sutton. When asked why he robbed banks, his reply was, 'That's where the money is.' Attackers and bad actors will take the easiest pathway. Why work super hard when they don't have to?”
—Jeffrey Wheatman
And the software supply chain is a big target because companies are currently running and living in a software-driven environment, he said. “Need an answer? Buy a piece of software. Have a problem? Buy software.”
“And we are moving back toward a monoculture,” Wheatman said. “There are a handful of very large providers out there that are providing services for a huge proportion of organizations across the world. Therefore, one breach becomes an issue for thousands, tens of thousands, or hundreds of thousands of organizations,” he said.
Dealing with silent breaches requires good hygiene — and modern tooling
Black Duck's cybersecurity practice lead, John Waller, said that when organizations have inherent trust in their software vendors, attackers have an easier time infiltrating systems through legitimate updates and integrations — making detection more challenging and the potential impact more significant.
“As businesses further digitize their operations, they rely heavily on interconnected software and services, creating more entry points for exploitation. This accelerating shift emphasizes the need for robust supply chain security measures to manage software risk and prevent such widespread, and often devastating breaches.”
—John Waller
To address third-party risks, Wheatman said, organizations must identify their critical vendors and make cybersecurity requirements part of their contracts. He also advised implementing continuous monitoring of third-party tools for conducting vulnerability assessments, penetration testing, and other security tasks. But he recommends collaborating with vendors, not policing them.
Heath Renfrow, co-founder and CISO of Fenix24, said third-party risk assessments should be continuous.
“Don’t rely solely on annual audits.”
—Heath Renfrow
Renfrow also recommends that obligations in third-party contracts include mandatory patching timelines, MFA, and logging. Additionally, organizations should deploy zero-trust models — that is, assume that any third-party access could be compromised at any time — and prioritize incident response readiness so that a clear plan is in place should a vendor be breached.
Keeper Security’s Guccione said privileged access management can be particularly useful for mitigating risks from supply chain attacks via third-party vendors. “It enforces strict access controls, limiting the scope and impact of any potential breach. It also supports rapid response to security incidents by allowing immediate revocation or modification of access credentials when necessary.”
Mittal said that preventing third-party breaches isn’t about installing one tool and calling it a day.
“It’s about building a security-first culture — where vendor security is treated as seriously as internal security. Over the years, I have found that the strongest defenses are built on clear expectations, ongoing assessments, and open communication between organizations and their vendors.”
—Akhil Mittal
ReversingLabs’ director of product management, Charlie Jones, explained recently in an Open Source Security Foundation blog post that the attack surface within software supply chains has grown exponentially. Because of this, it has become even more difficult for organizations to manage risks that stem from open-source, proprietary, and commercial off-the-shelf software. To address these risks head on, Jones urges organizations to look beyond traditional application security technology to tactical binary analysis to properly secure their supply chains.
“Compromises such as those of VoIP provider 3CX highlight the gaps in software supply chain security — and the need for a new approach to supply chain risk management.”
—Charlie Jones