2024 Risk Management: Supply Chain and Third-Party Risk Challenges

Top Risk Management, Third-Party Risks and Supply Chain Threat Actors: The City’s Hidden Cracks

The Cyber Siege of 2024: Risk Management

Imagine 2024 as a sprawling digital city—a buzzing hub of clouds, supply chains, and edge defenses, all stitched together by trust and tech. But the shadows struck hard. Risk management in 2024 was complex: ransomware crews like LockBit and ALPHV stormed the gates, with a $75 million payout linked to Dark Angels and $22 million from Change Healthcare, whose 100 million records were stolen, while industrial hits spiked 87%. Infostealers like Lumma pickpocketed creds, fueling Snowflake’s 165-victim breach, while edge devices—Ivanti VPNs, Palo Alto firewalls—cracked under zero-days, some swelling Raptor Train’s 200,000-bot army. Cloud towers teetered as misconfigs and stolen AWS keys bled data, and BEC scams faked CEOs to drain funds, slick as vishing calls.

Inside, legit tools like AnyDesk turned rogue, OT/ICS grids flickered under AcidPour, and network appliances—Citrix, Fortinet—fell to flaws like CVE-2024-3400, letting spies and BianLian in. Insiders like FAMOUS CHOLLIMA swiped IP, and phishing nets—71% hooked by AI lures—drove 14% of breaches, with SCATTERED SPIDER nabbing CFO creds. Supply chains buckled as MSPs were hit and 500+ malicious packages landed on PyPI, third parties leaked via weak SSO, and zero-days like CVE-2024-24919 stung fast. Cloudflare’s record DDoS rained from hacked routers, IRS scams fleeced taxpayers, and over 250 high-severity vulns kept the city on edge. This was war—every crack exploited, every trust tested. Here’s the tale of 2024’s risk management, plus what’s brewing for 2025.

Trifecta Supply Chain, Software Supply Chain, 3rd Party, and Infrastructure Cybersecurity Risks 

Supply Chain Risks: The Backdoor Blitz

Imagine 2024’s supply chain as a bustling trade route—vital but riddled with weak spots. MSPs were the soft underbelly, low on cyber muscle, making them perfect tunnels for crooks to hit SMBs with sneaky, small-scale payloads that dodged the spotlight. OT/ICS gear got tripped up by third-party parts—like the Siemens RUGGEDCOM APE1808, rocked by Palo Alto’s CVE-2024-3400 flaw—turning one bug into a system-wide meltdown. IABs turned interconnected systems into a goldmine, peddling access to third-party providers and watching downstream partners fall like dominoes. And with third parties often seen as lighter on security than the big dogs, attackers hit them to ricochet damage upstream—supply lines became a battlefield of trust.
  • Compromise of MSPs: Threat actors increasingly target Managed Service Providers (MSPs) with fewer cybersecurity resources as a gateway to attack their small and midsized business (SMB) customers, aiming for multiple small payloads to avoid attention.
  • Third-Party Components in OT/ICS: Third-party components integrated into OT equipment can have vulnerabilities compromising entire products; the Siemens RUGGEDCOM APE1808, using Palo Alto Networks PAN-OS, was susceptible to CVE-2024-3400, highlighting this risk.
  • Exploitation of Interconnected Systems: Initial Access Brokers (IABs) are increasingly seeking to monetize access to third-party service providers, enabling compromise of downstream operating partners and organizations reliant on interconnected systems.
  • Weak Security Posture of Third Parties: Threat actors perceive third-party providers as having weaker security postures than larger organizations, making them attractive targets to impact larger entities.
  • Survey Prevalence: Supply chain risk emerged as one of the most prevalent attack types reported by survey participants in 2024, signaling its growing significance.
  • Compromised Edge Devices as Launch Points: Compromised edge devices serve as launching points for attacks on partners and vendors, amplifying supply chain vulnerabilities.
  • NIS2 Directive Emphasis: The NIS2 directive in EMEA emphasizes supply chain security, requiring organizations to adopt a proactive and comprehensive approach to protect interconnected systems.

Third-Party Risk Management: The Trusted Turncoats

Trusted partners turned into ticking time bombs. Inadequate logging left blind spots—Dragos caught a legacy vendor link in an OT network just before ransomware struck, dodging disaster by a hair. Overprivileged Azure accounts—no MFA in sight—got jacked, handing attackers cloud keys like a gift. Relying on external SSO providers felt like betting the house on someone else’s lock, and without a vendor management program, SaaS partners were wild cards—trust became a gamble with steep odds.
  • Inadequate Logging: Inadequate logging in third-party connections can leave networks open to compromise; Dragos identified a legacy vendor connection in an OT network before ransomware hit, preventing harmful exposure.
  • Abuse of Overprivileged Accounts: Attackers exploit overprivileged Azure accounts from third-party vendors lacking MFA to access cloud environments.
  • Reliance on Third-Party Security: Dependency on external Single Sign-On (SSO) providers raises concerns about third-party security practices.
  • Vendor Management Programs: A robust vendor management program is crucial to assess and regularly review a SaaS provider’s security posture. 
  • User Awareness Need: Users need heightened awareness of supply chain risks to mitigate vulnerabilities stemming from third-party dependencies.
  • Monitoring for Visibility: Continuously monitoring third- and fourth-party risks enables visibility into security issues and fosters collaboration on remediation efforts.
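The logging and monitoring points above (a legacy vendor link nobody was watching, vendor accounts holding privileged roles without MFA) come down to asking a few questions of every third-party sign-in. The script below is an added example, not code from the original article or from any vendor it names: it runs a small audit over constructed sign-in events in a simplified key=value format (not a real Entra ID log schema) against a hypothetical vendor inventory, flagging privileged sign-ins without MFA, accounts that are not in the inventory at all, and sign-ins outside the vendor’s agreed maintenance window or source ranges.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Roles treated as privileged for this example. Spelled without spaces only
# because the constructed key=value log format below splits on whitespace.
PRIVILEGED_ROLES = {"Owner", "Contributor", "UserAccessAdministrator"}

# Constructed vendor inventory (hypothetical accounts): the UTC maintenance
# window and source ranges a vendor management program would have on record.
VENDOR_POLICY = {
    "svc-vendora@contoso.example": {"window_utc": (2, 6), "sources": ["203.0.113.0/24"]},
    "svc-vendorb@contoso.example": {"window_utc": (2, 6), "sources": ["198.51.100.0/24"]},
}

# Constructed sign-in events, timestamps in UTC. The last line plays the role
# of the forgotten legacy vendor connection: not in the inventory, privileged, no MFA.
SAMPLE_LOG = """\
2024-05-14T03:12:44Z user=svc-vendorA@contoso.example role=Owner mfa=false src=203.0.113.7 result=success
2024-05-14T03:15:02Z user=svc-vendorB@contoso.example role=Reader mfa=true src=198.51.100.9 result=success
2024-05-14T14:40:19Z user=svc-vendorB@contoso.example role=Reader mfa=true src=192.0.2.55 result=success
2024-05-14T15:01:03Z user=legacy-ot-link@contoso.example role=Contributor mfa=false src=192.0.2.80 result=success
"""


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    when: str


def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"].lower(),          # inventory keys are lowercase
        "role": fields["role"],
        "mfa": fields["mfa"] == "true",
        "src": ipaddress.ip_address(fields["src"]),
        "result": fields["result"],
    }


def audit(log_text: str, policy: dict = VENDOR_POLICY) -> list[Finding]:
    """Check every successful third-party sign-in against the vendor inventory."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "success":
            continue
        when = ev["ts"].isoformat()

        # Privileged role without MFA is a problem whoever the account belongs to.
        if ev["role"] in PRIVILEGED_ROLES and not ev["mfa"]:
            findings.append(Finding(ev["user"], "privileged-without-mfa", when))

        rules = policy.get(ev["user"])
        if rules is None:
            # Nobody owns this connection: exactly the blind spot the text describes.
            findings.append(Finding(ev["user"], "account-not-in-vendor-inventory", when))
            continue

        start, end = rules["window_utc"]
        if not (start <= ev["ts"].hour < end):
            findings.append(Finding(ev["user"], "outside-maintenance-window", when))
        if not any(ev["src"] in ipaddress.ip_network(net) for net in rules["sources"]):
            findings.append(Finding(ev["user"], "unexpected-source-address", when))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.when}  {f.user:<32} {f.reason}")
```

The inventory lookup is the important part: every check after it depends on someone having written down, per vendor, when and from where access is expected. Without that record the audit can still catch missing MFA, but it cannot tell a legitimate off-hours login from a stolen credential.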

Software Supply Chain Risks: The Poisoned Code

The software pipeline turned into a rogue’s gallery. Attacks surged—hardware and software supply chains took the hardest hits of 2024. Malicious PyPI packages—over 500 typosquatting fakes—slipped into dev hands, ready to swipe PII or drop malware like a Trojan horse in a candy store. It was a feeding frenzy on trust, and the code itself became the weapon.
  • Surge in Attacks: Hardware and software supply chains saw the highest surge in attack attempts.
  • Malicious Packages: Check Point researchers detected a typosquatting campaign with over 500 malicious packages on PyPI (Python Package Index), posing risks of PII theft and malware installation. 
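A typosquatting campaign works because a requirements file only has to be off by one character to pull the wrong package. The checker below is an added example, not code from the article or from Check Point: it normalizes package names the way PyPI does (PEP 503) and flags any requested name that is within a small edit distance of, but not equal to, a package on a constructed allow-list. The allow-list and the requirements file are both made up for the example; a real deployment would feed in the organization’s approved-package inventory.

```python
import re
from dataclasses import dataclass

# Constructed allow-list: the well-known PyPI names this example treats as
# "the packages we actually depend on".
KNOWN_GOOD = {"requests", "numpy", "urllib3", "cryptography", "boto3", "PyYAML"}

# Constructed requirements file with three look-alike names mixed in.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts          # transposed letters
numpy>=1.26
urlib3            # dropped letter
crypt0graphy      # digit in place of a letter
boto3
flask             # not on the allow-list, but not near anything on it either
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute; a transposition costs 2 here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    requested: str    # name exactly as written in the requirements file
    looks_like: str   # allow-listed package it resembles
    distance: int     # edit distance after normalization


def parse_requirements(text: str) -> list[str]:
    """Pull bare project names out of a requirements file (drops comments, options, specifiers)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_requirements(text: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> list[Finding]:
    """Flag requested names that are close to, but not equal to, an allow-listed package."""
    by_norm = {normalize(n): n for n in known_good}
    findings = []
    for requested in parse_requirements(text):
        norm = normalize(requested)
        if norm in by_norm:
            continue                      # exact (normalized) match: fine
        nearest = min(by_norm, key=lambda g: levenshtein(norm, g))
        dist = levenshtein(norm, nearest)
        if dist <= max_distance:
            findings.append(Finding(requested, by_norm[nearest], dist))
    return findings


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.requested!r} looks like {f.looks_like!r} (distance {f.distance})")
```

Two caveats worth keeping in mind: a distance of 1 or 2 against a very short name (three or four characters) produces false positives, so the threshold should scale with name length in practice, and a package that is simply unknown (here `flask`) is not flagged at all, because this check only answers "does this look like something we already trust?", not "is this package safe?".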

Infrastructure & Cyber Risks: The Shaky Foundations

The city’s backbone trembled. Cloud complexity overwhelmed admins—too many providers, too many gears—leaving misconfigs like open S3 buckets and Azure gateways as welcome mats for intruders. Hybrid networks let crooks hop from on-prem to cloud like cat burglars on rooftops. Edge devices—firewalls, VPNs—stood as battered gates, hit by a sharp spike in attacks and repurposed for deeper raids. Unpatched systems were low-hanging fruit, and ORBs—China’s Raptor Train botnet, run by Flax Typhoon—turned compromised edges into 200,000-strong spy hubs for DDoS and espionage. The city’s skeleton was creaking under the strain.
  • Cloud Infrastructure Complexity: The complexity of administering cloud infrastructure creates vulnerabilities due to numerous providers, services, and security mechanisms, often overwhelming administrators and leading to misconfigurations and privilege escalation paths.
  • Misconfigured Cloud Resources: Misconfigured cloud storage (e.g., Amazon S3 buckets, Azure Blob Storage) and gateways create opportunities for unauthorized access.
  • Hybrid Networks: Hybrid networks enable lateral movement between on-premise and cloud environments.
  • Edge Devices: Edge devices like firewalls and VPN appliances remain high-value targets due to unresolved security shortcomings and internet exposure, with a sharp increase in attack attempts in 2024; threat actors repurpose them for broader network penetration.
  • Lack of Patching: Unpatched software and misconfigured systems are frequently targeted for unauthorized access.
  • Operational Relay Boxes (ORBs): China-nexus actors use ORB networks to obscure traffic and target edge devices; the Raptor Train botnet, orchestrated by the Chinese APT group Flax Typhoon, uses compromised edge devices for C2, DDoS attacks, and espionage.
  • Unmanaged Internet-Exposed Hosts: Exploiting unmanaged internet-exposed hosts, particularly network appliances, remained a popular initial access vector in 2024.
  • Limited EDR Visibility: Threat actors continued targeting devices in the network periphery, where traditional Endpoint Detection and Response (EDR) visibility is often limited.
  • Patching Priority: Organizations must prioritize regular patching or upgrading of critical systems, especially internet-facing services like web servers and VPN gateways, to reduce risk exposure.
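The "open S3 bucket" misconfiguration above is usually one Allow statement with an anonymous principal, and whether it actually exposes data also depends on the bucket’s S3 Block Public Access settings. The script below is an added example, not code from the article or from AWS: it parses bucket policy documents, lists Allow statements granted to anonymous principals (`"*"` or `{"AWS": "*"}`), and combines that with the `RestrictPublicBuckets` setting to classify exposure. The three policies, bucket names, account id and VPC endpoint id are constructed for the example, and treating any Condition as merely "needs review" is a deliberate simplification of AWS’s own public-bucket rules.

```python
import json

# Constructed sample policies. Shapes mirror the statements that commonly
# expose a bucket; identifiers are placeholders, not real resources.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-assets/*",
    }],
})

VPCE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurEndpointOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-internal", "arn:aws:s3:::example-internal/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE0001"}},
    }],
})

ACCOUNT_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeployRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deploy"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-private/*",
        },
        {
            # A Deny aimed at everyone is a hardening control, not an exposure.
            "Sid": "RequireTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-private", "arn:aws:s3:::example-private/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; treat both uniformly."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_anonymous_grants(policy_json: str) -> list[dict]:
    """Allow statements granted to anonymous principals, noting whether a Condition narrows them."""
    policy = json.loads(policy_json)
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        grants.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return grants


def public_access_risk(policy_json: str, public_access_block: dict) -> str:
    """Combine the policy with the bucket's S3 Block Public Access configuration."""
    grants = find_anonymous_grants(policy_json)
    if not grants:
        return "none"
    if public_access_block.get("RestrictPublicBuckets"):
        # RestrictPublicBuckets limits a public policy to principals in the owning account.
        return "blocked-by-public-access-block"
    if all(g["conditioned"] for g in grants):
        return "conditional-anonymous-access"   # review the Condition keys by hand
    return "public"


if __name__ == "__main__":
    for name, doc in [("assets", PUBLIC_READ_POLICY), ("internal", VPCE_ONLY_POLICY),
                      ("private", ACCOUNT_SCOPED_POLICY)]:
        print(name, public_access_risk(doc, {"RestrictPublicBuckets": False}))
```

Run against real buckets, the policy document and the public access block configuration would come from the S3 API (GetBucketPolicy and GetPublicAccessBlock); the classification logic stays the same. The "conditional" bucket is the one most often misjudged: a `aws:SourceVpce` condition keeps it private, but a condition on something an attacker controls does not, which is why it is reported for review rather than cleared.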

Vulnerabilities to Third Party Risk: The Rusty Hinges

The locks were old and rusty, and attackers knew it. Rapid exploitation hit within two days of a public demo—75% of the time, they’d strike in four days or less. Public-facing apps drew more heat from 2023 to 2024, with critical, easy-to-crack bugs as prime targets. Exploit chaining—think Palo Alto PAN-OS and Cisco IOS combos—kept defenders dizzy, while old vulnerabilities in EOL servers lingered like ghosts. Network appliances—Ivanti, Citrix, Fortinet—took big hits, and OT/ICS flaws with PoCs threatened to blind and paralyze industrial ops. Every hinge was a weak link waiting to snap.
  • Rapid Exploitation: Threat actors exploit vulnerabilities within two days of a public working example; 75% of the time, exploitation starts within four days or less of demonstration.
  • Focus on Public-Facing Applications: Adversaries targeting public-facing applications increased between 2023 and 2024, favoring critical, remotely exploitable vulnerabilities requiring no privileges or user interaction and low complexity.
  • Exploit Chaining: Threat actors increasingly use exploit chaining, as seen with Palo Alto Networks PAN-OS and Cisco IOS vulnerabilities.
  • Re-emergence of Old Vulnerabilities: Exploitation of older vulnerabilities in external-facing assets, especially servers with end-of-life operating systems, remains a risk.
  • Vulnerabilities in Network Appliances: Many impactful 2024 vulnerabilities affected network appliances like Ivanti Connect Secure, Palo Alto GlobalProtect, Citrix, and Fortinet.
  • OT/ICS Vulnerabilities: A significant percentage of OT/ICS vulnerabilities have a Proof-of-Concept and are actively exploited, potentially causing both a loss of view and control in industrial processes.
  • User Behavior Risks: Users taking risks with suspicious links, attachments, or weak passwords face increasing threats, amplifying vulnerability exposure.
  • High-Severity Tracking: In 2024, over 250 high-severity vulnerabilities were tracked, underscoring the scale of the challenge.
  • Public-Facing Application Surge: Exploitation of public-facing applications initiated 23% of active intrusions, a rise likely driven by over 2,000 critical vulnerabilities identified in 2024.
  • Rapid Emergence of New Threats: The rapid emergence of new vulnerabilities, particularly zero-day attacks, poses a significant ongoing challenge.

Zero-Day Exploits: The Silent Strikes to Supply Chain Risk Management

The shadows struck without warning. Zero-day disclosures spiked in 2024, hitting edge devices like Ivanti and Palo Alto PAN-OS with surgical precision. Nation-states and ransomware crews pounced, exploiting these unknowns—patching was a nightmare, with critical network roles keeping fixes at bay. Pro-PRC actors turned vuln hunting into an industry, stockpiling zero-days like ammo. These invisible daggers cut deep, and the city barely saw them coming.
  • Increased Disclosure: The number of disclosed zero-day vulnerabilities affecting edge devices significantly increased in 2024.
  • Exploitation by Various Actors: Both nation-state actors and ransomware groups exploited zero-days in edge devices like Ivanti Connect Secure and Palo Alto Networks’ PAN-OS.
  • Difficulty in Patching: Edge devices with zero-day exploits are hard to patch due to their critical network role, risking operational consequences if services are shut down.
  • Industrialized Collection: Pro-PRC actors are industrializing the collection of software vulnerabilities, driving zero-day exploitation.
  • Check Point Disclosure: Check Point disclosed a zero-day VPN Information Disclosure vulnerability (CVE-2024-24919) in their own product, promptly releasing a patch to mitigate the risk.
  • APT31 Exploitation: APT31, a Chinese hacker group, leveraged zero-day vulnerabilities in their operations.
  • CVE-2024-21287 Chaining: In September 2024, an unknown threat actor exploited and chained a zero-day file disclosure vulnerability (CVE-2024-21287) with a known deserialization vulnerability, demonstrating sophisticated attack chaining.

Threat Actors: The Rogues’ Roundup

The culprits were a rogue’s gallery. Nation-states—China, Russia, Iran—played spy games, spun AI disinformation, and hit critical infrastructure; China zeroed in on tech production. Cybercrime crews sharpened their claws: ransomware gangs like LockBit and Black Basta shifted to data theft, IABs sold network keys like street vendors, and infostealers sprayed and prayed for creds. Hacktivists eyed OT/ICS for chaos. This wasn’t a lone wolf—it was a pack, tearing at every seam.
  • Nation-State Actors: China, Russia, and Iran are actively involved in cyber espionage, disinformation campaigns (leveraging AI), and targeting critical infrastructure; Chinese state-linked actors focus on technology production.
  • Cybercrime Groups: Include ransomware affiliates, Initial Access Brokers (IABs), and infostealer operators, becoming more specialized and effective.
  • Ransomware Groups: Ransomware remains a significant threat, with prominent groups like LockBit, ALPHV, RansomHub, BlackCat, Akira, and Black Basta shifting towards data exfiltration and extortion.
  • Initial Access Brokers (IABs): Critical to the cybercrime ecosystem, selling access to compromised networks often obtained through infostealers or vulnerability exploitation.
  • Hacktivists: Increasingly aware of OT/ICS environments as potential attack vectors.
  • Cybercriminal Innovation: Cybercriminals devised new and sophisticated attack methods, enhancing their effectiveness in 2024.
  • State-Affiliated AI Abuse: State-affiliated threat groups from Russia, China, and Iran abused ChatGPT to bolster their operations.
  • China-Nexus Surge: China-nexus adversaries were the most active targeted intrusion threats, increasing by 150% in activity.
  • OPERATOR PANDA: OPERATOR PANDA, a China-nexus adversary, likely chained Cisco IOS vulnerabilities to execute attacks.
  • SCATTERED SPIDER: SCATTERED SPIDER obtained API keys for phishing campaigns, showcasing their tactical adaptability.
  • Atlas Lion: Atlas Lion abused SaaS applications for gift card fraud, highlighting niche cybercrime tactics.
  • BianLian Targeting: The BianLian ransomware group attempted to exploit the Palo Alto Networks PAN-OS vulnerability against industrial organizations.
  • U.S. Government Focus: China, Russia, and Iran will continue targeting the U.S. government with advanced tactics.

Major Incidents & Vendor Risks in 2024: The Big Heists

The city rocked from 2024’s blockbuster breaches. Ivanti Connect Secure VPNs got swarmed after zero-day leaks, even rattling CISA. Snowflake’s mega breach bled data from 165 orgs—infostealers and no MFA were the culprits. Change Healthcare coughed up months of chaos and 100 million patient records to ransomware. In 2024, Palo Alto PAN-OS fell to remote code execution and MFA bypasses, while a Citrix misconfig handed over admin keys. FortiClient EMS got hit with SQL injection (CVE-2023-48788), running wild as SYSTEM. Cloudflare dodged a record DDoS barrage from hacked ASUS routers, and Outlook’s CVE-2023-23397 got phished hard. ScreenConnect (CVE-2024-1708, -1709) and Cleo Harmony (CVE-2024-50623) rounded out the chaos—remote code was the prize. It was a year of big scores and bigger messes.
  • Ivanti Connect Secure VPN Exploitation: Mass exploitation followed zero-day vulnerability disclosure, impacting victims like CISA.
  • Snowflake Mega Data Breach: Exposed sensitive information from over 165 organizations due to stolen credentials via infostealers and lack of MFA.
  • Change Healthcare Ransomware Attack: Resulted in months of disrupted service and theft of over 100 million patient records.
  • Palo Alto Networks PAN-OS Vulnerabilities: Exploited for remote code execution and multifactor bypass.
  • Citrix Appliance Exploitation: Misconfigured appliance led to authentication bypass and administrative control.
  • FortiClient EMS SQL Injection Vulnerability (CVE-2023-48788): Exploited to execute commands as the SYSTEM user.
  • Cloudflare DDoS Campaign: A months-long, high-volume DDoS attack originated from compromised devices, including ASUS home routers exploited via a critical vulnerability.
  • Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397): Exploited via phishing emails.
  • ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708, CVE-2024-1709): Exploited in attacks.
  • Cleo Harmony, VLTrader, and LexiCom Vulnerability (CVE-2024-50623): Exploited for remote code execution.
  • IRS Refund Scams: Scam attacks targeted U.S. taxpayers’ IRS refunds, leveraging tax season vulnerabilities.
  • Multiple PAN-OS Chaining: Multiple unattributed threat actors chained vulnerabilities in Palo Alto Networks PAN-OS software, amplifying the impact.
  • BianLian Industrial Hit: The BianLian ransomware group attempted to leverage a Palo Alto Networks PAN-OS vulnerability against industrial organizations, though specifics on success remain unclear.

Third-Party Risk Management Predictions for 2025: The Next Wave of Supply Chain Risks

The horizon darkened for 2025—a storm brewed. Ransomware will roar past 2024, with RansomHub and BlackLock leading the charge. SaaS exploitation will lure data hunters and sideways movers, while GenAI sharpens phishing, social engineering, and disinformation into razor-edged tools. IABs will keep cashing in, hitting third-party weak links hard. Geopolitics will stir the pot, and network periphery attacks—EOL gear included—will stay relentless. Cyber tools will go mainstream, letting rookies swing big, and vendor targets will multiply in supply chain raids. Cloud platforms will rise as cyber shields, with AI weaving tighter nets, and cloud security will grab sharper focus as threats swell. The city’s braced, but the next wave’s coming fast.
  • Ransomware Surge: Attacks are set to surge throughout 2025, surpassing 2024 levels; RansomHub and BlackLock are expected to be prominent.
  • Increased Focus on SaaS Exploitation: Adversaries will likely seek advanced exploitation opportunities across cloud-based SaaS applications for data access and lateral movement.
  • GenAI for Enhanced Attacks: Malicious actors will almost certainly harness GenAI to enhance existing tactics, particularly for social engineering, phishing, and disinformation.
  • Persistent Threat from IABs: Initial Access Brokers will very likely remain a significant threat, increasingly targeting third-party service providers.
  • Geopolitical Influence on Cyber Threats: The convergence of cyber and geopolitical spheres will continue to shape threat activity.
  • Continued Exploitation of Network Periphery: Threat actors are expected to aggressively target network periphery devices, especially network appliances and end-of-life products.
  • Democratization of Cyber Capabilities: Less-skilled actors will have more opportunities for sophisticated attacks due to advanced tools and “as-a-service” resources.
  • Expansion of Targeted Vendors: The number and variety of targeted vendors in supply chain attacks are expected to grow.
  • Cloud Platforms as Cybersecurity Backbone: Cloud-based platforms will increasingly serve as the foundation for cybersecurity, with AI-driven integration becoming more effective.
  • Increased Focus on Cloud Security: Organizations will prioritize cloud security due to rising threats.
  • Public-Facing Exploitation Continuity: Exploitation of public-facing applications is highly likely to continue as a dominant attack vector.
  • Pro-PRC Custom Malware: Pro-PRC actors will likely continue deploying custom malware for embedded systems and targeting network edge devices.
  • NIS2 Reshaping EMEA: The NIS2 directive will significantly reshape cybersecurity practices across EMEA, enforcing stricter supply chain and risk management standards.

The Cyber Scars and the Third Party Risk Standing for 2025

As 2024’s smoke cleared, the digital city stood scarred but defiant. Ransomware left ruins—Change Healthcare’s 100 million-record heist and an 87% industrial surge marked the toll, while infostealers turned Snowflake’s 165 orgs into cautionary tales. Edge devices—Ivanti, Palo Alto—lay breached, feeding botnets and zero-day chaos like CVE-2024-21287, with cloud breaches spilling from S3 misconfigs and API flops. BEC conned with fake invoices, RMM tools like ScreenConnect opened ransomware doors, and OT/ICS grids dimmed under FrostyGoop. Network appliances fell to Fortinet and Cleo bugs, insiders like FAMOUS CHOLLIMA walked off with code, and phishing’s 71% catch rate—amped by GenAI—fueled 14% of breaches.
 
Supply chains reeled from the MSP hits and PyPI’s 500+ fakes, third parties faltered with poor logging, and vulns—over 250 high-severity—hit public apps (23% of intrusions) within two days of PoCs. Cloudflare’s DDoS and NFT scams capped a brutal year. Now, 2025 looms—ransomware will surge with RansomHub and BlackLock, SaaS and cloud will draw more heat, and GenAI will sharpen phishing and disinformation. IABs, EOL gear, and supply chain vendors will stay targets, but phishing failures dipped to 9.3%—a spark of hope. The city’s battered, but it’s learning: patch fast, watch the edges, and brace for the storm, with NIS2 lighting a path in EMEA.

Key Takeaways for Vendor Risks, Third-Party Cyber Risks, and Global Supply

  1. Ransomware Rampage: LockBit, ALPHV, and RansomHub raked in $75M and $22M, with an 87% industrial spike—patch, segment, and prep for 2025’s surge.
  2. Infostealer Surge: Lumma fueled Snowflake’s 165-org breach—lock creds with MFA and monitor leaks.
  3. Edge Device Exposure: Ivanti and Palo Alto zero-days built Raptor Train’s 200,000 bots—update edges fast or lose the line.
  4. Cloud Collapse: Misconfigs and stolen keys hit AWS and Azure—tighten APIs, enforce MFA, and go zero trust.
  5. BEC Brilliance: Fake emails and vishing bled funds—train staff and boost DMARC.
  6. Tool Treachery: AnyDesk and ScreenConnect turned rogue—watch tools and restrict access.
  7. OT/ICS Outages: AcidPour and CVE-2024-3400 dimmed grids—segment IT/OT and patch smart.
  8. Network Appliance Nightmares: Citrix, Fortinet, and PAN-OS flaws opened doors—ditch defaults and patch relentlessly.
  9. Insider Infamy: FAMOUS CHOLLIMA nabbed IP—vet, track, and secure insiders.
  10. Phishing Prowess: 71% fell to AI lures, driving 14% of breaches—educate and deploy phishing-resistant MFA.
  11. Supply Chain Shocks: MSPs and PyPI’s 500+ fakes got hit—vet vendors and monitor third parties.
  12. Third-Party Traps: Weak SSO and logging leaked access—build robust vendor programs and visibility.
  13. Vuln Velocity: Over 250 high-severity bugs, 23% of intrusions from public apps, hit within 2 days—patch fast or pay.
  14. Zero-Day Zingers: CVE-2024-24919 and 21287 stung edges—harden perimeters and brace for more.
  15. 2024’s Big Blows: Cloudflare DDoS, Change Healthcare, and IRS scams showed scale—every flaw’s a target.
  16. 2025’s Forecast: RansomHub, GenAI phishing, and SaaS hits loom, but 9.3% phishing fails and NIS2 signal resilience—stay sharp.