
CDK attack shows the value of SaaS emergency planning

The nationwide impact of a cyberattack on CDK Global last week has drawn attention to the need for robust business continuity plans when organizations rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at around 15,000 car dealers throughout the country, forcing many to fall back on paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK informed them that restoring their systems would take several days – but probably not weeks. Companies that notified the SEC of the impact of the CDK attack included Penske, Group 1 Automotive, and Lithia Motors.

Ransomware attack?

CDK, which offers a range of cloud software and services for the automotive industry, has not yet publicly disclosed the nature of the attack that brought down its systems. However, some media outlets have attributed the attack to an Eastern European ransomware group called BlackSuit, and have described the threat actor as having demanded a ransom in the millions from CDK to unlock the company’s systems.

CDK did not immediately respond to a request from Dark Reading seeking an update on the status of efforts to restore the company’s systems and whether the attack could be attributed to the BlackSuit ransomware group.

Attacks like these underscore the urgent need for companies to extend their cybersecurity measures to their entire network of suppliers and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. “For companies in industries that rely heavily on a limited number of software or SaaS vendors, mitigating exposure and containing disruption across the software supply chain requires a multi-pronged approach,” he says. “First, diversifying supplier relationships where possible can spread risk and reduce dependence on any one vendor.”

Emergency planning for SaaS apps

Organizations that use SaaS services should implement formal risk management frameworks that include rigorous security assessments and contractual commitments to cybersecurity standards, Steinhauer says. Joint initiatives within industries to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, chief technology officer at Check Point Software, says that when attacks like this occur, organizations should generally assume that their infrastructure is a target, wherever the resources – applications, servers and users – are located.

It is a good idea to identify the service providers and suppliers that are most important to your business, find out what measures they take to protect against attacks, and learn how they would defend against and respond to an attack if one occurred.

Ostrowski advises organizations to stay informed about the immediate consequences of a disruptive cyberattack. After the attack on CDK, for example, threat actors reportedly called customers, apparently armed with information related to the breach, in what is suspected to be a phishing attempt.

The rush to restore

There are also lessons to be learned from CDK’s apparent difficulty in recovering its systems. Shortly after the company began recovery efforts last week, it was hit by a second attack. CDK hasn’t revealed much about the second attack, other than to say that it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, interprets this as an indication that CDK tried to restore its systems too quickly.

“Many organizations roll back their systems to a previous restore point, but attackers can afford to linger on a system for a long time,” Arntz said in an emailed comment. “Restoring systems from, say, a week ago is often not enough.”

The CDK attack also underscores the ongoing – and increasing – exposure of organizations across all sectors to risk in the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced security incidents related to their software vendors and service providers in the last twelve months.

Attacks on major players like CDK expose significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

“These incidents demonstrate the widespread disruption and economic impact that can occur when critical services and operations are compromised,” he notes. “They underscore the need for strict regulatory controls, enhanced cybersecurity standards and proactive defenses to protect against targeted attacks on leading software suppliers.”

Strengthening cybersecurity resilience through continuous assessment, responsiveness and joint risk management efforts is also critical to containing the growing threat landscape posed by sophisticated cyber adversaries, he says.