Supply chain cyberattacks have surged in frequency and impact, exposing a fundamental weakness in how organizations rely on third-party software and vendors. Modern enterprises depend on a vast ecosystem of suppliers, cloud services, open-source components, and managed service providers – and adversaries are increasingly exploiting these trust relationships as a way in. In fact, Gartner predicts that by 2025 nearly 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Industry surveys already show that between 39% and 62% of companies have suffered a cybersecurity incident because of a third-party provider. This trend has catapulted supply chain threats to the forefront of security planning; the EU’s cybersecurity agency ENISA notes that supply chain attacks are “increasing significantly” and that threat groups are actively targeting suppliers and managed service providers (MSPs) as a means to infiltrate higher-profile targets.
High-profile breaches underscore how one compromised supplier can translate into thousands of victim organizations downstream. Unlike direct attacks, supply chain intrusions expand the scope beyond an organization’s direct control – any software update, cloud platform, or vendor with access could become an entry point.
Defenders not only have to secure their own environment, but must also account for the security of every third-party component in their operations. The sprawling digital interconnections of modern business mean the attack surface now extends well outside the traditional network perimeter. The following attacks from 2020–2024 show us the stakes and offer valuable lessons for securing the supply chain.
Recent Supply Chain Attacks (2020-2024): Lessons Learnt
The past few years have seen a sharp rise in sophisticated supply chain cyberattacks, exposing critical weaknesses in the software and vendor ecosystems that organizations rely on. Below is an overview of some of the most significant incidents and the key lessons they teach us.
SolarWinds Orion Breach: A Wake-Up Call
The SolarWinds attack, discovered in December 2020, remains the defining example of a software supply chain compromise. Attackers gained access to SolarWinds' build environment and inserted a backdoor (SUNBURST) into a routine Orion software update, which was downloaded by roughly 18,000 customers, including U.S. government agencies and major corporations. Because the malicious code was compiled into the product and then signed with SolarWinds' own legitimate code-signing certificate, the update passed signature checks; the attackers then selected a much smaller set of those customers for covert, hands-on access to their internal systems.
Key Lesson: Trust alone is not enough, and a valid signature proves only that the vendor signed whatever its pipeline produced. Vendors must harden the build itself: isolated and ephemeral build systems, reproducible builds that an independent party can verify, and signed provenance for every artifact. Customers must test updates in isolated environments before deployment and watch them for unexpected network activity. The SolarWinds case cemented the need for zero-trust principles and continuous monitoring of software suppliers.
MOVEit Breach: Mass Exploitation via Zero-Day
In late May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer, a managed file transfer product. The flaw let attackers plant a web shell on internet-facing MOVEit servers and steal the files those servers held. Because MOVEit is widely used by outsourcers and payroll providers, many victims were hit through a vendor's deployment rather than their own. The impact was enormous: over 2,700 organizations and roughly 95 million individuals were affected.
Key Lesson: Critical third-party tools should be treated as part of your own attack surface. Rapid patching, vendor communication, and full visibility into where such software is deployed are essential. Incident response plans must account for zero-days in third-party systems.
3CX Double Compromise: A Chained Supply Chain Attack
The 3CX compromise in 2023 took supply chain attacks to a new level: a supply chain attack seeded by an earlier one. Attackers first trojanized the installer of a third-party trading application (X_TRADER by Trading Technologies). A 3CX employee installed it on a personal computer, and the credentials harvested from that machine gave the attackers a path into 3CX's build environment. From there they trojanized the 3CX Desktop App for Windows and macOS, and the poisoned builds, signed with 3CX's own certificate, were delivered to customers through the normal update channel.
Key Lesson: The security of your suppliers’ suppliers also matters. Nested compromises demand robust security hygiene across the entire vendor ecosystem. Defenses such as multi-factor authentication, strict code-signing policies, and anomaly detection can reduce exposure to such cascading attacks.
Other Notable Incidents and Emerging Patterns
Beyond these headline cases, other incidents have highlighted systemic vulnerabilities:
- Kaseya VSA (2021): The REvil ransomware group exploited a zero-day in Kaseya's VSA remote management software to push ransomware through dozens of MSPs to an estimated 1,500 downstream businesses.
- Dependency Confusion (2021): Demonstrated by researcher Alex Birsan, this technique publishes a package to a public registry (npm, PyPI, RubyGems) under the same name as a private internal package but with a higher version number; a build tool that consults both the public and the internal index then pulls the attacker's package instead of the internal one.
- Mimecast Certificate Compromise (2021): A certificate that customers used to authenticate Mimecast products to Microsoft 365 was compromised by the same actor behind SolarWinds and abused to reach a small number of customers' Microsoft 365 tenants.
- Magecart Attacks: These groups inject card-skimming JavaScript into checkout pages, often by compromising a third-party script that the page loads, to steal payment card data (e.g., the 2018 British Airways breach).
Common Techniques Observed:
- Trojanized software builds and installers.
- Exploitation of zero-day vulnerabilities.
- Hijacking digital certificates and update servers.
- Abuse of privileged access tools (e.g., MSP software).
- Misconfigured public-facing services and APIs.
Key Lesson: Supply chain security must involve rigorous vetting, integrity verification, and proactive vulnerability management. Many victims were compromised through blind spots — services or credentials they didn’t realize were vulnerable or implicitly trusted without validation.
Techniques and Vulnerabilities in Supply Chain Breaches
As attackers evolve, new patterns in supply chain compromises have emerged—often exploiting trust, visibility gaps, and weak third-party controls. Here’s a breakdown of the most prevalent techniques and vulnerabilities observed in recent attacks.
1. Trojanized Software Updates and Compromised Build Pipelines
Incidents like SolarWinds and 3CX demonstrate how attackers are infiltrating software development pipelines or update servers to inject malware before code is signed and deployed. These “upstream” compromises allow malicious code to be delivered to thousands of organizations via legitimate software updates.
Mitigation Priorities:
- Harden the build pipeline, not just the source: isolated, ephemeral build runners, reproducible builds, and signed provenance for every artifact (the SLSA framework describes these levels).
- Verify signatures and digests before installing any update, and treat a valid vendor signature as necessary but not sufficient; SolarWinds and 3CX both shipped validly signed malware.
- Continuously monitor software integrity after deployment: file hashes against a known-good manifest, and unexpected network connections from update and management components.
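The SolarWinds and 3CX cases share a property that a plain signature check cannot surface: the tampering happened inside the build, so the vendor's manifest and signature honestly describe a poisoned artifact. The check below is an added example (not code from this page, SolarWinds or 3CX) that compares a release against the vendor's manifest and then against the digests of an independent rebuild from the same source. Artifact names, bytes and digests are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Map each artifact path to the SHA-256 of its bytes (what a vendor would sign)."""
    return {path: sha256_hex(data) for path, data in artifacts.items()}


def verify_release(release: dict, vendor_manifest: dict, rebuild_manifest: dict) -> list:
    """Return a list of findings; an empty list means the release is clean.

    Three checks, in increasing strength:
      1. nothing shipped that the manifest does not list (no smuggled files);
      2. every listed artifact is present and its digest matches the manifest;
      3. the vendor manifest agrees with an independent rebuild of the same
         source, the only check that catches tampering done *before* the
         vendor hashed and signed its output.
    """
    findings = []
    for path in release:
        if path not in vendor_manifest:
            findings.append(f"unlisted artifact shipped: {path}")
    for path, expected in vendor_manifest.items():
        if path not in release:
            findings.append(f"listed artifact missing: {path}")
        elif not hmac.compare_digest(sha256_hex(release[path]), expected):
            findings.append(f"artifact does not match vendor manifest: {path}")
    for path, expected in vendor_manifest.items():
        rebuilt = rebuild_manifest.get(path)
        if rebuilt is None:
            findings.append(f"no independent build available for: {path}")
        elif not hmac.compare_digest(rebuilt, expected):
            findings.append(f"vendor build differs from independent rebuild: {path}")
    return findings


# Constructed sample data; these are not real SolarWinds artifacts.
CLEAN_SOURCE_BUILD = {
    "Orion.Core.BusinessLayer.dll": b"\x4d\x5a legit business layer code",
    "OrionWeb.exe": b"\x4d\x5a legit web frontend",
}
# The attacker altered the DLL on the build server; the vendor then hashed
# and signed the poisoned output in good faith.
POISONED_VENDOR_BUILD = {
    "Orion.Core.BusinessLayer.dll": b"\x4d\x5a legit business layer code" + b"<injected backdoor>",
    "OrionWeb.exe": b"\x4d\x5a legit web frontend",
}
VENDOR_MANIFEST = build_manifest(POISONED_VENDOR_BUILD)   # what customers downloaded and verified
REBUILD_MANIFEST = build_manifest(CLEAN_SOURCE_BUILD)     # from an isolated, independent builder


def findings_for_poisoned_release() -> list:
    """Checks 1 and 2 pass (the signed manifest is self-consistent); only check 3 fires."""
    return verify_release(POISONED_VENDOR_BUILD, VENDOR_MANIFEST, REBUILD_MANIFEST)


def findings_for_clean_release() -> list:
    return verify_release(CLEAN_SOURCE_BUILD, build_manifest(CLEAN_SOURCE_BUILD), REBUILD_MANIFEST)


if __name__ == "__main__":
    for finding in findings_for_poisoned_release():
        print(finding)
```

In practice the "independent rebuild" is a second build on infrastructure the vendor's build server cannot reach, or a reproducible build the customer performs from the published source; the point of the example is that the first two checks, which is all that most update clients do, cannot distinguish a poisoned build from a clean one.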
2. Exploiting High-Impact Software Vulnerabilities
The MOVEit breach and the Log4j vulnerability (Log4Shell, CVE-2021-44228) showed how a single flaw in a widely used component can open the door to mass exploitation. These flaws often sit in public-facing applications, APIs, or authentication systems (e.g., Atlassian's SSO flaw), where anyone on the internet can reach them.
Mitigation Priorities:
- Prioritize rapid patch management.
- Apply virtual patching (e.g., WAFs) for internet-exposed apps.
- Monitor all third-party software components for known issues.
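The MOVEit flaw was a SQL injection. As an added example (not Progress Software's code and not the MOVEit exploit), the snippet below shows the vulnerable pattern beside its hardened form, using Python's sqlite3 against a constructed table: the same payload that leaks every row through string-built SQL returns nothing once the input is bound as a parameter.

```python
import sqlite3

# Constructed payload for illustration; it is not the MOVEit exploit string.
ATTACK_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a file-transfer app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "admin"),
         ("bob", "bob@example.test", "user"),
         ("carol", "carol@example.test", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String interpolation: the caller's input becomes part of the SQL grammar,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding: the driver sends the input as a value, never as SQL text.
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows returned by the hardened one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, ATTACK_INPUT)
    safe = lookup_hardened(conn, ATTACK_INPUT)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("vulnerable returned %d rows, hardened returned %d rows" % demo())
```

Parameterization is the code-level fix; the operational lessons above still apply, because a customer of a file-transfer product cannot patch the vendor's code and has to know where the product is deployed and shield it (virtual patching, restricted exposure) until the vendor's fix arrives.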
3. Targeting Managed Service Providers (MSPs) and Integrators
Threat actors increasingly compromise MSPs, cloud providers, or IT contractors that hold access to many clients, then pivot from the provider into those clients, a method known as island hopping. The Kaseya attack and the 2022 compromise of Sitel, an Okta support subcontractor, show how a single breach can cascade across many organizations.
Mitigation Priorities:
- Implement network segmentation for vendor access.
- Monitor remote sessions and privileged tools.
- Enforce least-privilege access policies.
4. Malicious Open-Source Components and Dependency Attacks
Attackers are exploiting the trust in public repositories by uploading malicious packages, taking over abandoned projects, or using dependency confusion to trick internal systems into downloading compromised code.
Mitigation Priorities:
- Maintain a vetted internal artifact repository, and configure build tools to resolve from it alone rather than merging it with public indexes.
- Lock dependencies to specific, verified versions with a lockfile that records each artifact's hash.
- Use Software Composition Analysis (SCA) tools and generate SBOMs for full visibility into direct and transitive dependencies.
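The dependency confusion technique described above and the three mitigation priorities can be checked mechanically. The audit below is an added example (not the page's or any project's code) that reads a pip-style requirements file and reports unpinned entries, entries without a hash, an index configuration that lets the resolver merge public and private packages, and internal package names that also exist on a public index. The requirements text, the internal package list and the public index listing are all constructed inputs; in practice the last two come from your private registry and a registry query.

```python
import re

# Constructed inputs for the example.
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-client"}
PUBLIC_INDEX = {                      # package name -> newest version published publicly
    "requests": "2.31.0",
    "acme-billing-core": "99.0.0",    # an attacker-published clone of an internal name
}
REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 --hash=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
acme-billing-core>=1.2
acme-auth-client==3.4.1
"""

# name, optional operator, optional version, remainder (options such as --hash)
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]+)?(.*)$")


def normalize(name: str) -> str:
    """PEP 503 style normalization so Acme_Billing.Core and acme-billing-core compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str, internal: set, public_index: dict) -> list:
    """Return (package, problem) pairs in file order; an empty list means no findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append(("<index>", "extra-index-url merges public and private indexes; "
                                        "pip picks the highest version found on either"))
            continue
        if line.startswith("-"):          # other options (-r, --index-url, ...) are not audited here
            continue
        match = SPEC_RE.match(line)
        if not match:
            continue
        name, op, _version, rest = match.groups()
        name = normalize(name)
        if op != "==":
            findings.append((name, "not pinned to an exact version"))
        if "--hash=" not in rest:
            findings.append((name, "no --hash, so artifact substitution would not be detected"))
        if name in internal and name in public_index:
            findings.append((name, "internal name also exists on the public index (version %s): "
                                   "dependency confusion risk" % public_index[name]))
    return findings


def audit_sample() -> list:
    return audit_requirements(REQUIREMENTS, {normalize(n) for n in INTERNAL_PACKAGES}, PUBLIC_INDEX)


if __name__ == "__main__":
    for package, problem in audit_sample():
        print(f"{package}: {problem}")
```

The name-collision finding fires even when the build is configured safely, and that is deliberate: an internal name that someone else has claimed on a public registry is worth knowing about regardless of how today's resolver is configured, because the next developer's laptop may not be configured the same way.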
5. Credential Theft and Legitimate Access Abuse
Not all attacks rely on malware. Many breaches are caused by stolen credentials or misused legitimate access, as in the Target breach (2013), where attackers entered through network credentials stolen from an HVAC contractor, or the credential phishing campaigns that target IT support firms.
Mitigation Priorities:
- Enforce Multi-Factor Authentication (MFA).
- Apply just-in-time and least-privilege access.
- Continuously audit and monitor third-party logins, API keys, and access patterns.
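Auditing third-party logins is easier when each vendor account has an explicit access policy to compare against. The detector below is an added example (not the page's or any product's code) that runs a vendor access policy over constructed JSON login events and raises an alert when a vendor account signs in from outside its allowed ranges, outside its maintenance window, without MFA, or is not in the policy at all. The policy, account names, IP ranges and log lines are all constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed vendor access policy: allowed source ranges, UTC hours, and whether MFA is required.
VENDOR_POLICY = {
    "svc-hvac-vendor": {"cidrs": ["203.0.113.0/24"], "hours": range(8, 18), "mfa": True},
    "svc-msp-rmm":     {"cidrs": ["198.51.100.0/24"], "hours": range(0, 24), "mfa": True},
}

# Constructed log lines, one JSON event per line; not output from any real product.
LOG_LINES = """\
{"ts":"2024-03-04T09:12:44Z","user":"svc-hvac-vendor","src":"203.0.113.17","mfa":true,"result":"success"}
{"ts":"2024-03-04T02:41:03Z","user":"svc-hvac-vendor","src":"203.0.113.17","mfa":true,"result":"success"}
{"ts":"2024-03-04T10:05:10Z","user":"svc-hvac-vendor","src":"192.0.2.77","mfa":false,"result":"success"}
{"ts":"2024-03-04T11:00:00Z","user":"svc-msp-rmm","src":"198.51.100.8","mfa":true,"result":"success"}
{"ts":"2024-03-04T11:30:00Z","user":"svc-unknown","src":"198.51.100.8","mfa":true,"result":"success"}
"""


def evaluate(event: dict, policy: dict) -> list:
    """Return the policy violations for one successful login (empty list if none)."""
    rules = policy.get(event["user"])
    if rules is None:
        # A successful login by a vendor-style account nobody has a policy for is
        # itself a finding: an orphaned or attacker-created identity.
        return ["account not in vendor policy (unknown third-party identity)"]
    reasons = []
    src = ipaddress.ip_address(event["src"])
    if not any(src in ipaddress.ip_network(cidr) for cidr in rules["cidrs"]):
        reasons.append(f"source {src} outside allowed ranges")
    when = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if when.hour not in rules["hours"]:
        reasons.append(f"login at {when.hour:02d}:00 UTC outside maintenance window")
    if rules["mfa"] and not event.get("mfa"):
        reasons.append("MFA not used")
    return reasons


def detect(lines: str, policy: dict) -> list:
    """Run the policy over newline-delimited JSON events and return alerts in log order."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "success":
            continue   # failed attempts belong to a separate brute-force rule, not shown here
        reasons = evaluate(event, policy)
        if reasons:
            alerts.append({"user": event["user"], "src": event["src"],
                           "ts": event["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES, VENDOR_POLICY):
        print(alert["ts"], alert["user"], alert["src"], "; ".join(alert["reasons"]))
```

The same shape works for API keys: the policy keys on the key identifier instead of the username, and the allowed ranges are the vendor's published egress addresses. Successful logins are the ones worth alerting on, since a stolen credential produces a success, not a failure.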
Why Attack Surface Management and Third-Party Risk Visibility Are Essential
As supply chain threats grow more sophisticated, organizations can no longer afford to take a reactive stance. Instead, they must adopt a proactive, comprehensive view of their external exposure and vendor ecosystem. Two practices are especially critical in this shift: Attack Surface Management (ASM) and Third-Party Risk Visibility.
Understanding the Modern Attack Surface
Attack Surface Management refers to the continuous discovery, inventory, and monitoring of all internet-facing IT assets—especially those that may be unknown to the internal security team. This includes legacy servers, exposed cloud storage buckets, forgotten subdomains, and temporary testing environments that were never decommissioned.
One of the clearest lessons from recent breaches is this: you can’t protect what you don’t know exists. Studies reinforce this point—Palo Alto Networks reported that 70% of organizations had experienced cyberattacks originating from unknown or unmanaged external-facing assets. Similarly, MIT Technology Review found that 50% of companies had been attacked via shadow IT, with an additional 19% expecting such an incident.
Rethinking Third-Party Risk
Managing third-party risk goes far beyond security questionnaires and contractual clauses. Today’s supply chain compromises demand real-time insight into the security posture of vendors, partners, and service providers. This includes knowing which third-party tools are in use across the environment, what level of access each partner has, and whether those partners are following best security practices.
The urgency is clear. In 2023, 61% of companies reported a security incident stemming from a third-party breach—a record high, and triple the number seen in 2021. These incidents weren’t limited to obscure vendors. Identity providers, password managers, cloud integrators, and IT management tools all became entry points for widespread compromise, impacting millions of users.
Point-in-time assessments can’t keep up with this dynamic threat landscape. They often miss critical changes—like a misconfigured database, a newly discovered vulnerability, or an unpatched server within a vendor’s infrastructure. Without continuous visibility, organizations remain blind to evolving third-party risks.
Building a Proactive Defense
Attack Surface Management and Third-Party Risk Visibility are two sides of the same coin. ASM helps identify unknown exposures within your own infrastructure, while third-party oversight extends that visibility across your supplier ecosystem. Together, they provide a complete, outside-in understanding of your organization’s risk landscape.
When implemented properly, these practices allow security teams to detect vulnerabilities early, reduce the attack surface, and respond quickly before an issue escalates into a breach. In a world where digital relationships are expanding rapidly—and every integration could be a potential entry point—these capabilities are no longer optional. They are foundational to any modern security strategy.
How Cortex Xpanse Helps Reduce Supply Chain Risk
To effectively manage a growing attack surface and the evolving risks associated with third-party vendors, organizations are increasingly adopting advanced security solutions like Palo Alto Networks Cortex Xpanse. This platform offers a comprehensive approach to Attack Surface Management (ASM) by emulating the perspective of an external attacker, providing unparalleled visibility into both known and unknown exposures.
Continuous External Discovery and Visibility
Cortex Xpanse functions as a real-time, external scanner of an enterprise’s internet-facing infrastructure. It continuously scans the entire IPv4 space and other global internet namespaces to identify all assets that belong to an organization—including those that internal teams may not be aware of. This includes servers, cloud instances, IoT devices, domains, and databases.
Using machine learning and intelligent attribution, Xpanse links discovered assets to their rightful owners. This means even forgotten systems, like a misconfigured server from a legacy project or a subdomain inherited during an acquisition, can be surfaced and assessed.
Once assets are identified, the platform conducts risk analysis by scanning for common exposures—open RDP ports, unsecured databases, outdated certificates, default credentials, and other misconfigurations. It doesn’t just generate a static inventory; it actively monitors changes and alerts security teams as new risks emerge.
A Critical Tool for Supply Chain Security
One of Cortex Xpanse’s key advantages is its utility beyond just first-party environments. Its “Link” capability allows organizations to extend visibility into third-party infrastructure. With appropriate scoping and permissions, it can monitor critical suppliers’ internet-facing systems for potential exposures or suspicious configurations.
This is particularly powerful when traditional third-party risk assessments fall short. Instead of relying solely on vendor-reported data or periodic audits, organizations gain an objective, continuous view of external risks affecting their partners. For example, if a software vendor exposes an administrative portal or forgets to patch a known flaw, Xpanse will detect that exposure and allow for early intervention—before attackers can exploit it.
Automation, Prioritization, and Integration
Cortex Xpanse not only identifies risks, but also prioritizes them using a scoring system based on severity and potential business impact. This prioritization feeds into automated workflows and integrates seamlessly with existing security operations infrastructure—such as SIEMs, ticketing systems, and SOAR platforms.
By automating the discovery, classification, and triage of internet-facing exposures, Xpanse allows security teams to focus their energy on mitigation rather than manual detection. This capability is especially important in the context of fast-moving supply chain threats, where timing is everything. The sooner a weakness is detected, the higher the chances it can be resolved before an adversary takes advantage of it.
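The two steps this section and the earlier "you can't protect what you don't know exists" point describe, reconciling outside-in observations against the internal inventory and then scoring what was found, can be shown in a few lines. The code below is an added example, not Cortex Xpanse's logic or output; its asset list, inventory, exposure rules and scoring scheme are all constructed for illustration, and the scoring is deliberately simple: the worst finding on a host sets its score, with a bump for hosts nobody knew about, since an unowned system is also an unpatched one.

```python
from datetime import date

# Constructed CMDB inventory versus assets observed from the outside (DNS,
# certificate transparency, port scans). Not data from any real scanner.
KNOWN_ASSETS = {"www.example.com", "mail.example.com", "vpn.example.com"}
OBSERVED = [
    {"host": "www.example.com", "ports": {443}, "cert_expiry": "2025-01-10", "banners": {}},
    {"host": "vpn.example.com", "ports": {443}, "cert_expiry": "2023-11-01",
     "banners": {443: "ssl-vpn 9.0.1"}},
    {"host": "legacy-db.example.com", "ports": {3389, 1433}, "cert_expiry": None, "banners": {}},
    {"host": "staging-old.example.com", "ports": {80}, "cert_expiry": None,
     "banners": {80: "default-admin-panel"}},
]

# (description, severity 1-10) for services that should not face the internet.
RISKY_PORTS = {
    445: ("SMB exposed to the internet", 10),
    1433: ("MSSQL exposed to the internet", 9),
    3389: ("RDP exposed to the internet", 8),
    22: ("SSH exposed to the internet", 5),
}
UNKNOWN_ASSET_BONUS = 2


def unknown_assets(observed: list, known: set) -> set:
    """Hosts seen from the outside that the inventory does not list."""
    return {a["host"] for a in observed} - known


def assess(asset: dict, known: set, today: date) -> dict:
    """Apply the exposure rules to one asset and return its findings and score."""
    findings = []
    unknown = asset["host"] not in known
    if unknown:
        findings.append(("asset not in inventory (shadow IT)", 6))
    for port in sorted(asset["ports"]):
        if port in RISKY_PORTS:
            findings.append(RISKY_PORTS[port])
    if asset["cert_expiry"] and date.fromisoformat(asset["cert_expiry"]) < today:
        findings.append(("TLS certificate expired", 4))
    for banner in asset["banners"].values():
        if "default" in banner:
            findings.append(("default or unhardened admin interface", 8))
    score = 0
    if findings:
        score = min(10, max(sev for _, sev in findings) + (UNKNOWN_ASSET_BONUS if unknown else 0))
    return {"host": asset["host"], "unknown": unknown, "score": score,
            "findings": [desc for desc, _ in findings]}


def prioritize(observed: list, known: set, today: date) -> list:
    """Assess every observed asset and order the results worst-first (stable for ties)."""
    return sorted((assess(a, known, today) for a in observed), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in prioritize(OBSERVED, KNOWN_ASSETS, date(2024, 6, 1)):
        print(result["score"], result["host"], "; ".join(result["findings"]))
```

The expired VPN certificate on a known host scores low on its own, but the same rule set run against a supplier's footprint is how an outdated VPN portal at a vendor becomes an actionable finding rather than a line in a questionnaire.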
A Proactive Defense Aligned with Modern Threats
In today’s distributed and cloud-driven IT landscape, an organization’s digital footprint is constantly shifting. Cortex Xpanse is designed to keep pace with this evolution by offering real-time visibility, automated detection, and proactive threat intelligence. It acts as a sentry on the perimeter—always scanning, always updating, and always feeding critical insights into your defense strategy.
This kind of continuous, outside-in monitoring isn’t just helpful—it’s becoming essential. As attackers increasingly exploit unknown or third-party exposures, tools like Xpanse provide the proactive defense posture needed to detect and close security gaps before they can be weaponized.
How Secure IT Consult Integrates Cortex Xpanse for Supply Chain Security
At Secure IT Consult (SITC), we understand that modern supply chain threats require proactive and real-time visibility into both known and unknown exposures.
That’s why we’ve integrated Palo Alto Networks Cortex Xpanse into our managed services—offering clients a robust Attack Surface Management (ASM) solution that continuously monitors not only their digital assets but also their third-party ecosystem.
Continuous Discovery and Real-Time Monitoring
SITC configures Cortex Xpanse to automatically scan and map all client-associated assets—across on-premises infrastructure, cloud services, and even partner networks. This creates a dynamic, real-time inventory of internet-facing systems, which is continuously monitored for changes and new exposures.
For instance, if a developer launches an untracked cloud instance or if a newly disclosed vulnerability affects a visible asset, Xpanse identifies it immediately. SITC’s security team receives instant alerts and acts quickly to investigate, patch, or remove the risk—often within hours of its appearance.
Accelerated Response Through Intelligent Automation
One of the platform’s key advantages is proactive alerting. Cortex Xpanse flags high-risk issues—such as open ports, exposed databases, or indicators of compromise—which are then escalated directly to SITC’s Security Operations Center (SOC). This reduces the mean time to detect and remediate security gaps, closing exploitable windows before attackers can act.
SITC integrates Xpanse findings into our broader SIEM/XDR workflows, combining external visibility with internal telemetry and threat intelligence. This layered detection approach enables us to correlate anomalies—such as an exposed system suddenly receiving suspicious traffic—and respond accordingly.
Enhancing Third-Party Risk Management
SITC also uses Cortex Xpanse to enhance third-party risk processes. We conduct real-time external scans of vendors’ digital footprints (within ethical and legal bounds) to spot misconfigurations or vulnerabilities, such as outdated VPN portals or unsecured cloud services.
During onboarding and periodic reviews, this data feeds into vendor assessments, providing clients with evidence-based insights rather than relying solely on self-reported checklists. For critical suppliers, we offer continuous monitoring of their external attack surfaces, alerting clients to risks before they escalate.
Delivering End-to-End Visibility and Protection
By combining Cortex Xpanse’s automated discovery with SITC’s expert management and threat response, our clients gain full-spectrum visibility across their attack surface—internally and across the supply chain. We serve as an extension of your security team, handling everything from asset identification to risk remediation, so your organization can stay secure without managing the complexity in-house.
Key benefits include:
- Real-time detection of unknown and unauthorized assets
- Continuous monitoring of both internal and vendor exposures
- Integration into existing SIEM and incident response workflows
- Expert triage, investigation, and remediation support
To Conclude
The message from recent cyberattacks is clear: supply chain security is no longer optional—it’s essential. Today’s attackers exploit hidden vulnerabilities in trusted connections, from third-party software to forgotten cloud assets. To stay secure, organizations must recognize that their cybersecurity posture is only as strong as that of their vendors and partners.
Secure IT Consult (SITC) helps you meet this challenge head-on. By integrating Palo Alto Networks Cortex Xpanse into our managed security services, we deliver continuous visibility, real-time risk detection, and expert response across your full digital ecosystem. From unknown assets to third-party exposures, SITC identifies and mitigates threats before attackers can strike.
Now is the time to act—don’t wait for a breach to expose the gaps. Whether you need a targeted supply chain risk assessment or a fully managed security program, SITC is ready to help.