home.social

#thirdpartyrisk — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #thirdpartyrisk, aggregated by home.social.

  1. Third-party breach, 38M impacted, European e-commerce sector.
    ManoMano disclosed unauthorized access linked to a subcontracted customer support provider. Exposed data reportedly includes PII and support communications.
    Authorities notified: CNIL, ANSSI.
    Passwords not reportedly accessed.
    Subcontractor access revoked.

    Key risk vectors:
    – SaaS support platforms
    – Vendor access governance
    – Over-retention of ticketing data
    – Centralized customer communication logs
    – Supply chain attack surface expansion

    This case reinforces that vendor monitoring must go beyond contractual clauses — continuous assessment, least privilege enforcement, data minimization strategies.

    How mature is your third-party risk telemetry?
    Engage below.

    Source: bleepingcomputer.com/news/secu

    Follow @technadu for high-signal infosec reporting.

    Repost to amplify awareness across the security community.

    #Infosec #ThirdPartyRisk #VendorSecurity #SupplyChainSecurity #DataBreach #GDPRCompliance #EcommerceSecurity #CyberRiskManagement #SecurityOperations #GRC

  2. An alleged ransomware incident involving Apple partner Luxshare highlights ongoing supply-chain exposure risks.

    RansomHub claims access to internal engineering data, though details remain unverified and no confirmation has been issued by the company.

    The case reinforces the importance of third-party risk management, incident verification, and measured public communication.

    Follow TechNadu for factual, non-speculative cybersecurity reporting.

    #Infosec #Ransomware #SupplyChainSecurity #ThirdPartyRisk #CyberSecurity #TechNadu

  3. ESA is assessing claims of a data exposure involving hundreds of gigabytes of internal and contractor-linked information, following a prior incident disclosed weeks earlier.

    Alleged data types include operational procedures, satellite system documentation, and third-party materials - highlighting challenges around:
    – Long-term identity and access management
    – Vendor and contractor trust boundaries
    – Monitoring across complex, distributed environments

    This case reinforces the importance of continuous risk assessment and defense-in-depth, especially for organizations supporting critical infrastructure and research missions.

    What defensive control would you prioritize in environments like this?

    Source: theregister.com/2026/01/07/eur

    Engage in the discussion and follow TechNadu for objective InfoSec reporting.

    #InfoSec #CyberDefense #ThirdPartyRisk #CriticalInfrastructure #SecurityOperations #TechNadu

  4. 🎯 NOW PUBLISHING: On-Location Coverage from #BlackHat USA 2025!

    We're back in the office and excited to start sharing all the conversations we captured on location in Las Vegas with our amazing sponsors and editorial coverage!

    🔔 Follow ITSPmagazine, Sean Martin, CISSP, and Marco Ciappelli to get this content fresh as it drops!

    We're thrilled to share this critical Brand Story conversation thanks to our friends at ReversingLabs 🙏

    Your Business Apps Are Bringing Friends You Didn't Invite

    Every commercial software application is a complex assembly of first-party, contracted, open source, and third-party code. But when #SolarWinds, #Kaseya, and #Ivanti happened, we learned that vendor questionnaires and contractual assurances offer little protection against supply chain compromises.

    At #BlackHat2025, Saša Zdjelar, Chief Trust Officer at ReversingLabs, reveals how organizations can finally verify the integrity of #software from outside vendors—without relying on blind trust.

    The game-changer: Comprehensive binary analysis that deconstructs any file into its components to:

    • Detect malware, tampering, and embedded secrets

    • Identify #vulnerabilities and insecure practices

    • Uncover undocumented network connections

    • Flag #compliance risks from restricted regions

    This isn't just another policy checkbox—it's a true technical control that inspects the software itself, regardless of size or complexity.

    Real-world applications:

    • Procurement: Auto-scan all software before deployment

    • Version Monitoring: Detect unexpected behavior changes between releases

    • Critical Environments: Verify integrity before software enters OT, ICS, or financial systems

    • Risk Management: Assess COTS software as part of ongoing vendor reviews

    With regulations like EO 14028 and the EU's #CyberResilience Act demanding transparency, the ability to technically validate every application delivers both strategic protection and measurable benefits.

    📺 Watch the video: youtu.be/pU9bHYFND7c

    🎧 Listen to the podcast: brand-stories-podcast.simpleca

    📖 Read the blog: itspmagazine.com/their-stories

    ➤ Learn more about ReversingLabs: itspm.ag/reversinglabs-v57b

    ✦ Catch more stories from #ReversingLabs: itspmagazine.com/directory/rev

    🎪 Follow all of our #BHUSA 2025 coverage: itspmagazine.com/bhusa25

    #Cybersecurity #SupplyChainSecurity #SoftwareIntegrity #BlackHatUSA #BHUSA25 #ThirdPartyRisk #SBOM #BinaryAnalysis #Compliance #ZeroTrust
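
The binary-analysis workflow the post describes (break an artifact into its strings and components, pull out network indicators and embedded secrets, compare releases) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not ReversingLabs' product and not code from the post. It extracts printable strings from two constructed sample blobs (V1 and V2; the AWS key id is Amazon's published placeholder, not a live credential), classifies them with a small illustrative pattern set, and diffs the two releases so an undocumented host or a baked-in credential shows up as a behaviour change rather than as a questionnaire answer.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Minimum run of printable ASCII to treat as a string (the `strings` tool's default is 4;
# 6 cuts noise in this toy example).
MIN_STR_LEN = 6
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STR_LEN)

# Illustrative indicator patterns. A real scanner carries a much larger secret/indicator
# pattern set; these four are enough to show the classification and diff steps.
_PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_token": re.compile(
        r"(?i)\b(?:token|api[_-]?key|secret)\s*[:=]\s*['\x22]?[A-Za-z0-9_-]{16,}"),
}

def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs of at least MIN_STR_LEN bytes, in file order."""
    return [m.group(0).decode("ascii") for m in _PRINTABLE.finditer(blob)]

def extract_indicators(blob: bytes) -> dict[str, set[str]]:
    """Classify every extracted string into the indicator categories above."""
    found: dict[str, set[str]] = {kind: set() for kind in _PATTERNS}
    for s in extract_strings(blob):
        for kind, pat in _PATTERNS.items():
            for m in pat.finditer(s):
                found[kind].add(m.group(0))
    return found

@dataclass
class ReleaseDiff:
    added: dict[str, set[str]] = field(default_factory=dict)
    removed: dict[str, set[str]] = field(default_factory=dict)

    def has_new_network_or_secret(self) -> bool:
        """True when the newer release gained any indicator the older one lacked."""
        return any(self.added.get(kind) for kind in _PATTERNS)

def diff_releases(old: bytes, new: bytes) -> ReleaseDiff:
    """Diff the indicator sets of two releases of the same artifact."""
    before, after = extract_indicators(old), extract_indicators(new)
    d = ReleaseDiff()
    for kind in _PATTERNS:
        if after[kind] - before[kind]:
            d.added[kind] = after[kind] - before[kind]
        if before[kind] - after[kind]:
            d.removed[kind] = before[kind] - after[kind]
    return d

# Constructed sample "binaries": opaque bytes around a few embedded strings.
# V1 only talks to the vendor's documented update host.
V1 = (b"\x7fELF\x02\x01\x01" + b"\x00" * 12
      + b"https://updates.example-vendor.test/check\x00"
      + b"\x90\x90\x90\xcc" + b"Copyright Example Vendor\x00")
# V2 silently gains an undocumented host on a raw IP and a hard-coded AWS key id
# (AKIAIOSFODNN7EXAMPLE is Amazon's documentation placeholder).
V2 = (V1
      + b"http://203.0.113.45:8443/beacon\x00"
      + b"\x01\x02\x03" + b"aws_key=AKIAIOSFODNN7EXAMPLE\x00")

if __name__ == "__main__":
    d = diff_releases(V1, V2)
    for kind, values in d.added.items():
        print(f"NEW {kind}: {sorted(values)}")
    print("review required:", d.has_new_network_or_secret())
```

Running it prints the new URL, the raw IP and the key id that appeared in V2. A production scanner parses container formats (PE/ELF sections, archives, installers) instead of grepping raw bytes and carries far more patterns; the diff step is the part worth keeping, since a vendor's previous release is the best behavioural baseline you have.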

  5. I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations, at least - aren't being accounted for by traditional TI teams.

    1. Data Theft & Extortion Actors
    2. Actors capitalising on 3rd Party Platform Applications

    Curious to know - do your orgs track and threat model opportunistic Data Theft and Extortion Actors, or just focus on the APTs and ransomware groups of the world?

    The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."

    bloomberg.com/news/articles/20

    The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.

    Also, we're all aware of malicious OAuth applications in O365, but are your orgs aware of, monitoring, and locking down 3rd party platform integrations?

    For those unaware of the campaign, here's the AI-generated TLDR of a Google report on the activity: https://cloud.google.com/blog/

    Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign

    Key Points & Technical Summary:

    A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.

    The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.

    The primary technical steps of the attack are as follows:
    * Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
    * Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
    * Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
    * Anonymization: The attackers utilize services like Mullvad VPN and Tor exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
    * Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.

    Additional Context & Related Activity

    Activity Cluster:

    The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.

    Other Compromises & Targets:

    This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
    * Cisco
    * Chanel
    * Adidas

    The targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.

    Techniques & TTPs:

    Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
    * Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
    * Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
    * Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.

    Timeline:
    * June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
    * June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
    * July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
    * Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.

    #CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
    #Cisco #Google #CyberAttack
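
The attack chain summarised in the post above (an employee authorizes an attacker-supplied connected app, the app then drains records over the API from anonymizing infrastructure) is also a detection recipe. The block below is an added example for this page, not code from Google's report, from Salesforce or from the poster: it runs one correlation rule over constructed, simplified events whose field names (`kind`, `app_id`, `client_ip`, `rows`) are assumptions you would map onto your own Event Monitoring or setup-audit export. The allowlist is keyed on the app's OAuth client id rather than its display name, because the malicious app in this campaign carried the legitimate Data Loader's name; the anonymizer range is a constructed stand-in for a VPN/Tor exit feed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed, simplified event shape (this is NOT Salesforce's real schema).
@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "app_authorized" or "api_query"
    user: str
    app_name: str        # display name: attacker-controlled, never trust it alone
    app_id: str          # OAuth client id / consumer key: this is what we allowlist
    client_ip: str = ""
    rows: int = 0        # records returned by the call (api_query only)

# Allowlist keyed on client id, not name, because the rogue app mimicked
# the real Data Loader's name. Constructed values.
APPROVED_APP_IDS = {"3MVG9_approved_loader", "3MVG9_approved_marketing"}

# Constructed range standing in for your VPN/Tor exit-node feed.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

WINDOW = timedelta(hours=24)     # how long after authorization we look for exfil
ROW_THRESHOLD = 50_000           # rows pulled through one app by one user in WINDOW

def is_anonymizer(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ANONYMIZER_NETS)

@dataclass
class Alert:
    severity: str
    user: str
    app_name: str
    app_id: str
    authorized_at: datetime
    total_rows: int
    anonymizer_ips: set[str]
    reasons: list[str] = field(default_factory=list)

def detect_rogue_connected_apps(events: list[Event]) -> list[Alert]:
    """Raise an alert for every unapproved connected-app authorization and escalate
    it when the same user pulls bulk data through that app, or drives it from an
    anonymizer address, within WINDOW of the authorization."""
    events = sorted(events, key=lambda e: e.ts)
    alerts: list[Alert] = []
    for auth in (e for e in events if e.kind == "app_authorized"):
        if auth.app_id in APPROVED_APP_IDS:
            continue
        reasons = [f"connected app {auth.app_name!r} ({auth.app_id}) is not on the allowlist"]
        follow = [e for e in events
                  if e.kind == "api_query" and e.user == auth.user
                  and e.app_id == auth.app_id
                  and auth.ts <= e.ts <= auth.ts + WINDOW]
        total = sum(e.rows for e in follow)
        anon = {e.client_ip for e in follow if is_anonymizer(e.client_ip)}
        if total > ROW_THRESHOLD:
            reasons.append(f"{total} rows pulled within {WINDOW}")
        if anon:
            reasons.append(f"API traffic from anonymizer IPs {sorted(anon)}")
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append(Alert(severity, auth.user, auth.app_name, auth.app_id,
                            auth.ts, total, anon, reasons))
    return alerts

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    Event(_t("2025-06-10 09:00"), "app_authorized", "alice", "Salesforce Data Loader",
          "3MVG9_approved_loader"),
    Event(_t("2025-06-10 09:05"), "api_query", "alice", "Salesforce Data Loader",
          "3MVG9_approved_loader", "203.0.113.10", 1_200),
    # bob was talked through the connected-app setup page and entered a code for an
    # app whose display name copies the real one but whose client id is unknown.
    Event(_t("2025-06-10 14:02"), "app_authorized", "bob", "Data Loader",
          "3MVG9_attacker_0001"),
    Event(_t("2025-06-10 14:10"), "api_query", "bob", "Data Loader",
          "3MVG9_attacker_0001", "198.51.100.7", 30_000),
    Event(_t("2025-06-10 14:40"), "api_query", "bob", "Data Loader",
          "3MVG9_attacker_0001", "198.51.100.9", 45_000),
    Event(_t("2025-06-11 16:00"), "api_query", "bob", "Data Loader",
          "3MVG9_attacker_0001", "198.51.100.7", 10),         # outside WINDOW
    Event(_t("2025-06-10 15:00"), "app_authorized", "carol", "Ticket Helper",
          "3MVG9_unknown_0002"),                              # unapproved, idle so far
]

if __name__ == "__main__":
    for a in detect_rogue_connected_apps(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.user} / {a.app_name}: " + "; ".join(a.reasons))
```

Any authorization whose client id is not on the allowlist raises a medium alert on its own; it becomes high when the same user pulls more than ROW_THRESHOLD rows through that app within WINDOW or drives it from an anonymizer address. The 72-hour extortion clock in the summary above is the budget for acting on the medium alert before the data is already gone.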

  6. Today’s risks don’t sit in silos - so why is your risk management strategy still acting like they do?

    From AI and cyber threats to third-party dependencies and cloud misconfigurations, risks in 2025 are interconnected, fast-moving, and deeply complex.

    Yet too many organisations still treat them like isolated events. That’s not just outdated - it’s dangerous.

    In our latest post, we explore:

    👽 Why modelling risk relationships matters more than ever
    👽 How scenario planning is evolving with AI and quantum-powered analytics
    👽 The shift from compliance to strategic risk management
    👽 And how advanced GRC platforms and third-party risk tools are transforming ERM into a true business enabler

    Whether you're building resilience or unlocking opportunity, risk strategy in 2025 must be integrated, contextual, and forward-looking.

    Ready to upgrade your enterprise risk posture?

    Read the full post here: paulreynolds.uk/top-enterprise or get in touch for support on ISO 27001, cyber assessments, and GRC frameworks that actually work.

    #ERM #CyberSecurity #RiskManagement #GRC #AI #ISO27001 #ThirdPartyRisk #ProtectWhatMatters

  7. To my great shame, I realized that it's been over a year since I wrote a new blog post for Cyentia Institute. I've written for several reports in that time span, of course, but that's no excuse for neglecting to distill and share interesting bits from that research on our blog. I'm going to try to be better about that, starting with this short piece based on recent work analyzing the digital supply chains of 230,000 orgs.

    cyentia.com/supply-chain-multi

    #supplychainsecurity #supplychainrisk #supplychainresilience #thirdpartyrisk #thirdpartyriskmanagement #attacksurfacemanagement