How Cybercriminals Stay Ahead and How We Catch Them by Tracking Their Digital Footprint

In a Q&A with TechNadu, Black Kite’s Chief Research and Intelligence Officer, Ferhat Dikbiyik, details the risks to financial services associated with vendors. He explains why financial organizations where over 90% of vendors scored poorly in disclosure posture need continuous, exploitation-driven monitoring instead of static risk scans. 

From unpatched VPNs to legacy systems quietly fueling access marketplaces, he elaborates on how attackers move through supply chains, sector-specific threat patterns in finance, healthcare, and energy, and the external signals that reveal live ransomware staging before internal telemetry does.

Not just that. Attackers are documenting well-known vulnerabilities and building campaigns around them to exploit these weaknesses on a large scale. Read the full interview to gain insights about a sector-wise breakdown of how cybercriminals choose initial access points, and who should be careful of their tactics. 

That’s not all! We have explanations on high-confidence external signals like leaked credentials tied to corporate domains, and exploitation of known vulnerabilities that reveal not just exposure details but also the attacker’s intent.

Vishwa: Financial organizations are under intense pressure to secure both direct assets and the extended supply chain. What’s one actionable metric or visibility layer to quantify and mitigate vendor risk at scale, especially considering that over 90 percent of financial vendors scored C or worse in disclosure posture in your 2025 financial services research? Are external threat intelligence tied to CVEs, patch latency, and continuous risk trending more effective than point-in-time scans?

Ferhat: Financial institutions surely need to know who their vendors are. But beyond that, they need to know how risky those vendors are right now.

Your systems might be secure on Monday and fully compromised by Tuesday, because of a vulnerability that showed up overnight and was exploited within hours. That’s the pace we’re dealing with.

And that’s exactly why point-in-time scans fall short. They don’t catch what changed yesterday, let alone what’s emerging today.

What works instead? Continuous visibility tied to real-world exploitation likelihood. 

That means tracking vulnerabilities as they’re weaponized, monitoring patch latency across your vendors, and identifying patterns. It is like repeated exposures or alignment with active threat groups.

In our research group (Black Kite Research), we focus on trending risk, not static scores. Because in this environment, there’s only one metric that matters: how current your visibility is. 

That’s what lets you patch the right systems, alert your vendors, and shut down the attack path before it spreads.

Vishwa: Your data shows that 65 percent of vendors are behind on patching. What specific types of technologies or systems are most commonly lagging? How are attackers using that to their advantage? How should defenders be tackling these issues more effectively?

Ferhat: Patch management is where most companies struggle and where attackers find the easiest way in. Out of 140 vendors assessed in the financial sector alone, 75 had vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and 16 high-profile CVEs were identified with a high likelihood of exploitation.

The most common repeat offenders? Outdated web servers, exposed RDP services, legacy VPN appliances, and vulnerable CMS platforms. These are not obscure systems. They’re essential tools left unpatched and exposed.

Attackers know this. They build campaigns around well-documented vulnerabilities, using automation to find and exploit them at scale. Ransomware groups like Clop didn’t need 10 entry points. Just one. And it worked.

The fix isn’t “patch everything.” That’s impossible. Security teams should focus on patching based on exploitability, exposure, and operational impact. Target the vulnerabilities tied to PoCs and ransomware campaigns. Flag vendors with repeat offenses. And above all, keep visibility continuous, not periodic.

Because in this threat environment, attackers aren’t getting smarter. They’re just getting faster at finding the gaps we already know about.

Vishwa: Third-party compromise usually starts with targeting the most accessible vendor first. How do attackers assess external exposure points across a supply chain, and what makes those decisions hard to model or detect from outside? Once inside, what makes it easier for threat actors to move laterally from one vendor to the next?

Ferhat: Attackers use internet-wide scanners and open-source intelligence techniques to map the exposed services across a vendor ecosystem. With today’s GenAI-powered search tools, it’s easier than ever to map out a vendor’s client base with the deep search capabilities of these tools. 

The attackers look for low-hanging fruit: unpatched VPNs, RDP, forgotten subdomains, etc. From the outside, it is hard to model this because not all exposures are equal. A small payroll provider with an open S3 bucket might pose more risk than a tier-one vendor with proper segmentation. 

This necessitates visibility into a larger vendor set, which, in turn, increases the complexity of vendor monitoring and introduces scalability issues.

Inside, the challenge is technical and also relational. OAuth tokens, shared credentials, or back-end integration become bridges. Lateral movement is often a handshake more than a hop.

Vishwa: What threat actor behaviors differ when targeting finance, healthcare, and energy supply chains? How do motivations and tactics vary across these sectors, such as lateral movement in finance, urgency-driven extortion in healthcare, and surveillance in energy?

Ferhat: Each sector draws a different kind of adversary, and the tactics reflect that.

• Finance invests heavily in cybersecurity and operates under tight regulatory scrutiny.
  • As a result, attackers often avoid direct hits. Instead, they go through the side door, targeting service providers like payment processors, document management platforms, or core banking vendors. 
  • The 2025 Financial Services Report highlights that ransomware actors are increasingly leveraging third-party access to reach financial institutions.
• Healthcare is also regulated, but cyber often isn’t near the top of the priority list.
  • According to Black Kite’s 2025 Ransomware Report, hospitals made up just 20% of healthcare ransomware victims last year. 
  • The real soft targets? Offices of physicians and practitioners who accounted for 38% of ransomware attacks in the sector. 
  • These smaller operations often lack dedicated security teams and rely heavily on uptime, making them ideal targets for fast, pressure-based extortion.
• Energy tells a different story.
  • It's a magnet for nation-states and APT actors. 
  • In this sector, the goal is usually not ransom—it’s long-term access and surveillance. 
  • These actors move slowly and quietly, aiming for persistent access rather than quick disruption.

Vishwa: Based on those sector-specific patterns, how should defenders adapt their vendor risk prioritization strategy? Are you seeing different approaches in how institutions assess exposure or escalate issues depending on the industry?

Ferhat: Defenders can’t rely on a generic playbook. Vendor risk has to reflect how attackers actually behave in each sector.

In finance, risk should not be tied only to how big a vendor is. What they’re wired into is also very important. 

Institutions are increasingly prioritizing vendors based on their integration with sensitive systems: payment platforms, trading infrastructure, PoS equipment providers, and customer data environments. 

Concentration risk is becoming a real concern. For instance, in some regions, nearly all banks rely on just one or two vendors for SWIFT connectivity—vendors that aren’t large, but whose compromise would ripple across the sector.

Healthcare is beginning to rethink its approach. The risk tied to third-party EMR systems, imaging platforms, or billing tools is getting more attention, especially as ransomware actors shift toward smaller providers. 

But escalation often still depends on urgency. The issues tend to get prioritized only when there’s a real-world impact or media exposure.

In energy, the focus is sharper. Even small vendors that touch OT or SCADA systems are flagged. The industry treats third-party access paths as potential targets for espionage or disruption, not just compliance gaps.

Across all three, the most forward-leaning organizations are shifting toward risk tiering based on integration depth, attacker interest, and real exposure, not just vendor size or spend. But the pace of that shift varies. 

Some sectors are adapting faster than others.

Vishwa: Given the rise in access-as-a-service marketplaces where threat actors sell footholds into vendor networks, why are legacy technologies in vendors now harder to detect and increasingly attractive to attackers?

Ferhat: Legacy tech is rarely logged, often unmanaged, and sometimes even forgotten by the vendor itself. To threat actors, that’s gold. No EDR. No MFA. Sometimes no patch since 2015. 

And access marketplaces love this stuff. Because it’s cheap to buy, unlikely to get detected, and often overlooked by clients during vendor assessments. 

A legacy Citrix server at a document management vendor? That’s the new crown jewel.

Vishwa: How critical vulnerabilities in vendor infrastructure can persist publicly for months without being remediated, and why alerts don't lead to action?

Ferhat: Because visibility isn’t the same as accountability. Many vendors rely on outsourced IT or have a fragmented infrastructure. 

Even when alerts are public (CVE disclosures, security blogs, scanner detections), someone still has to triage, validate, patch, and test. That workflow breaks down fast. There were over 40,000 CVEs published in 2024. 

Only 760 of them were exploited by the threat actors. In the phase of alert-fatigue, it is easy to miss the ones that will be or already are being exploited.

And unless a customer pushes hard, some vendors don’t act. They don’t see themselves as the target. But attackers do.

Vishwa: Many organizations rely on internal telemetry, such as endpoint, log, and network data, to confirm compromises or threat activity. In the absence of that, how is Black Kite identifying early ransomware staging or access brokerage?

Ferhat: We’re not waiting for a log trail. We want to stay on the left of the boom as a proactive approach. We’re watching the perimeter and monitoring the indicators based on the ransomware group’s mindset.

Black Kite tracks early signs of ransomware targeting through a combination of:

• Vulnerabilities that ransomware affiliates might exploit or are already exploiting.
• Shifts in exposed services (e.g., sudden presence of RDP or FTP)
• Credentials leaked for a specific vendor’s domains
• StealerLogs provides initial access information
• Typical victim profile of ransomware groups (region, industry, annual revenue) to understand how juicy a company is for a threat actor.

We don’t wait to see the endpoint data to spot the smoke. The perimeter often shows fire long before the EDR sees it.

The metric that we devised to reflect these signals, an index between 0 and 1, shows a strong correlation between high susceptibility and actual attacks. Almost half of the companies with a high ransomware susceptibility index experienced a ransomware attack shortly after.

Vishwa: What kinds of external signals give high-confidence indicators of live threat activity when internal data is unavailable or limited?

Ferhat: Even without internal logs or EDR data, there are high-confidence external signals that suggest live or imminent threat activity:

• Leaked credentials tied to corporate domains, especially when seen in StealerLogs or access marketplaces.
• Newly exposed services, like RDP, FTP, or remote management panels suddenly going live. That’s often a staging move.
• Exploitation of known vulnerabilities by ransomware affiliates—if a vendor still runs that vulnerable service, it’s a flashing red light.
• Target alignment with active threat campaigns—region, industry, and size all matter. If you're in the profile of a group that's currently active, that’s a signal.

These signals show more than exposure. They often show intent. And when you can’t see inside, the perimeter becomes your early warning system.

Vishwa: Vendors often face alert fatigue from constant notifications. What types of third-party alerts actually prompt action today, and which ones do security teams tend to deprioritize despite the risk? Are alerts tied to public PoCs, active campaigns, or repeated exposures more effective at triggering a response?

Ferhat: Most vendors today are buried under a pile of alerts. So what actually cuts through?

According to our 2025 Vulnerability Report, vendors are far more likely to act on alerts that are tied to public Proof-of-Concept (PoC) code, exploited in active campaigns, or flagged repeatedly over time. 

These alerts feel real, not theoretical. They carry weight because threat actors are visibly moving on them.

What doesn’t trigger action? Generic vulnerability disclosures without prioritization, outdated CVSS scores, or alerts buried in monthly spreadsheets. 

Vendors are also likely to deprioritize alerts if there’s no external pressure from a client, regulator, or known campaign.

In short: an alert without context is just noise. But when you link it to an exploit in the wild or a group’s active targeting behavior, it becomes a signal. That's when security teams move.