CDK Attack: Why Contingency Planning Is Critical for SaaS Customers

Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.

4 Min Read
CDK Global sign on a building
Source: Jonathan Weiss via Shutterstock

The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

Ransomware Attack?

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

Contingency Planning for SaaS Apps

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

The Rush to Repair

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack, right in the midst of its recovery efforts. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts are also critical to mitigating the growing threat landscape posed by sophisticated cyber adversaries, he says.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights