CDK Attack: Why Contingency Planning Is Critical for SaaS Customers

Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.


The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

Ransomware Attack?

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

Contingency Planning for SaaS Apps

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

The Rush to Repair

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack while that restoration was still under way. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts is also critical to mitigating the growing threat posed by sophisticated cyber adversaries, he says.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
