Data from Resilience found that third-party attacks made up 23% of material cyber insurance claims in 2024, with ransomware attacks targeting vendors a major driver.
Analysis Summary
# Incident Report: Rise of Third-Party Cyber Attacks in 2024
## Executive Summary
In 2024, cyber incidents driven by third-party vendor failures escalated significantly, becoming a major contributor to material financial losses for organizations. Ransomware targeting vendors accounted for 42% of third-party insurance claims, leading to material losses that were four times higher than in 2023. This trend signals a critical systemic risk associated with interconnected business systems and external dependencies.
## Incident Details
- **Discovery Date:** Data aggregated through February 27, 2025 (Year-end 2024 review).
- **Incident Date:** Primarily focused on incidents during the calendar year 2024.
- **Affected Organization:** Not specified, as this is an aggregate report; the incidents affect major commercial entities reliant on third parties (e.g., the automotive sector, due to the CDK attack).
- **Sector:** Varied, impacting any sector utilizing third-party software or services.
- **Geography:** Global, with specific mention of impacts in the US and Canada (CDK attack example).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout 2024.
- **Vector:** Ransomware targeting supply chain vendors; vendor security failures (e.g., software dependency issues like the CrowdStrike outage).
- **Details:** Threat actors are increasingly targeting lower-security third parties to access larger downstream customers.
### Lateral Movement
- *Not explicitly detailed, but implied via successful ransomware execution within vendor environments.*
### Data Exfiltration/Impact
- **Data Stolen/Damaged:** Impact focused on operational disruption and high financial loss, exemplified by the automotive dealership downtime.
- **Financial Impact Drivers:** Ransomware attacks levied against vendors.
### Detection & Response
- **How it was discovered:** Through analysis of insurance claims filed during 2024.
- **Response actions taken:** Insurance underwriters are adjusting practices regarding third-party risk management.
## Attack Methodology
- **Initial Access:** Ransomware directed at third-party service providers (42% of third-party claims); vendor security failings, e.g., software/security provider outages (4% of material claims).
- **Persistence:** *Not detailed.*
- **Privilege Escalation:** *Not detailed.*
- **Defense Evasion:** *Not detailed, though effectiveness is implied by the success of ransomware in vendor environments.*
- **Credential Access:** *Not detailed.*
- **Discovery:** *Not detailed.*
- **Lateral Movement:** Movement from compromised vendor networks into client environments.
- **Collection:** *Not detailed.*
- **Exfiltration:** *Implied as part of ransomware execution and financial loss.*
- **Impact:** Operational downtime (e.g., CDK impact on dealerships), resulting in material financial losses.
## Impact Assessment
- **Financial:** Material financial losses from third-party claims increased four-fold compared to 2023. Third-party risks accounted for 23% of all material losses. Overall, ransomware accounted for 62% of claims with losses.
- **Data Breach:** Not quantified specifically, but operational and financial disruption was severe.
- **Operational:** Significant operational disruption observed across customer bases of compromised vendors (e.g., automotive industry downtime).
- **Reputational:** *Not detailed.*
## Indicators of Compromise
- **Network indicators:** *None provided; this report focuses on high-level trends.*
- **File indicators:** *None provided.*
- **Behavioral indicators:** Increased focus by threat actors on high-profile, high-payout targets over "spray and pray" tactics.
## Response Actions
- **Containment measures:** *Not detailed; the focus is on upstream analysis.*
- **Eradication steps:** *Not detailed.*
- **Recovery actions:** Underwriting practices of insurance companies are being adjusted to better reflect third-party risk.
## Lessons Learned
- Interconnected systems and reliance on external vendors create significant, growing vulnerabilities.
- Supply chain targeting is now a highly effective strategy for generating material financial returns for threat actors.
- Phishing defenses appear to be improving, potentially causing threat actors to shift focus to vendor compromise.
- Transfer fraud, often leveraging AI-enhanced social engineering, is increasing significantly.
## Recommendations
- Organizations must rigorously strengthen internal controls and implement robust verification processes for all financial transactions to combat rising transfer fraud.
- Organizations must critically assess and mitigate third-party risk across the entire vendor ecosystem, as vendor security failures directly translate to substantial client losses.
- Continue to invest in end-user training and phishing defenses, although focus needs to pivot toward resilience against third-party breaches.