What the CDK Global Breach Can Teach Windows ISVs
On June 18, 2024, CDK Global, a SaaS vendor that provides nearly 15,000 North American car dealerships with sales, service, financing, and insurance software, suffered a massive cyber attack by the BlackSuit ransomware gang, which encrypted critical files and systems. BlackSuit then demanded a ransom from CDK Global in exchange for decrypting the files and systems.
On June 19th, CDK Global shut down its IT systems and initiated efforts to recover from the attack. During those efforts, BlackSuit hit CDK Global with a second attack.
CDK’s shutdown crippled its car dealership customers, who were unable to make sales and service appointments, check service customers in and out, and sell and finance cars using CDK systems. Dealerships were forced to move to paper-based systems for close to two weeks in order to conduct any business.
On June 21st, CDK Global reportedly paid approximately $25M in Bitcoin to BlackSuit to regain control of the encrypted files and systems, but it took until July 4th for all car dealerships to get back up and running.
In addition to the $25M ransom payment, CDK Global faces at least eight lawsuits from auto dealership customers claiming damages from the attack.
We may never know exactly how BlackSuit was able to penetrate CDK Global’s systems, but many cybersecurity firms have outlined in blog posts the most likely attack scenario.
BlackSuit’s Probable Attack Scenario
According to cybersecurity experts, attackers most often compromise corporate IT systems in phases:
- Initial access: trick employees, using phishing or social engineering, into installing malware on their computers or revealing their credentials, giving the attackers a foothold in the target company’s network.
- Lateral movement: once inside, extend that foothold using techniques like credential dumping (stealing credentials cached by the operating system or applications) and abuse of weak permissions (for example, a low-privileged user who is allowed to change service configurations) to reach additional systems and servers, and eventually the sensitive data or critical systems worth paying a ransom for.
- Along the way, exploit system vulnerabilities such as unpatched software and vulnerable infrastructure to extend access to valuable data.
Whatever the exact path into CDK, BlackSuit is an experienced operator. Ransomware crews of this kind arrive with a sophisticated understanding of the types of systems they will encounter, and they are practised at recognizing and exploiting the all-too-common openings that appear when a company is not laser-focused on cybersecurity: weaknesses that often hide in plain sight in a company’s systems and infrastructure.
What Can Windows ISVs Learn From the CDK Global Breach?
In addition to being a disaster financially for CDK Global, the breach caused national disruptions in the car-sales-and-service industry and is a cautionary tale for any software company delivering applications to customers using a SaaS model. While the following cybersecurity safeguards are standard best practice, they bear repeating.
Employee Training: the first step in most ransomware attacks is sending phishing emails to employees to trick them into revealing their credentials. Hold periodic training to teach employees about phishing risks to reduce the chance that an attacker gains an initial foothold in your systems due to an employee mistake.
Have a Plan: develop an incident response plan and review it yearly. Run “fire drills” several times a year to prepare staff and management in case of an incident. And don’t forget to include a customer communications plan so you can manage customer expectations during and after an attack.
Control Employee Access: maintain strong controls over authorized users’ access to internal systems. Limit every employee’s access to the absolute minimum they need to do their job. For employees that need access to internal systems, ensure that they use strong passwords and multi-factor authentication. Additionally, regularly audit user accounts and close legacy accounts that are no longer used—the older the account, the better the chances that it has an easy-to-guess password and is not secured by multi-factor authentication.
Patch Management: regularly update and patch software systems to close known vulnerabilities, prioritizing anything reachable from the Internet, so that attackers cannot use public exploits to get in or move laterally.
Regular Data Backup: regularly back up critical data and systems and store the backups offsite, offline or immutable, so that ransomware that reaches your production network cannot encrypt the backups as well. Test restores periodically, and make sure your incident response plan includes the process for quickly retrieving backups so that your customers are not left “dead in the water” for long.
Restrict use of Microsoft Remote Desktop Protocol (RDP): According to Sophos, a U.K. cybersecurity company, in 77% of the 2023 attacks they tracked, Microsoft® Remote Desktop Protocol (RDP) was used to leverage compromised credentials for internal access or lateral movement. Sophos believes that RDP remains “one of the most widely abused tools” because it comes pre-installed on most Windows® editions and, prior to Windows 11 version 22H2, Windows did not enable account lockout by default, so attackers could guess RDP passwords indefinitely.
To reduce risk, Sophos advises organizations that rely on RDP (which includes Windows ISVs using Microsoft RDS to deliver applications to customers) to severely limit its use. How? First, ensure that customers running Windows 11 have not disabled the default Account Lockout Policy; second, ensure that customers running Windows 10 and 8.1 (the latter no longer supported by Microsoft) enable Account Lockout Policy on their machines. Require Network Level Authentication and never expose RDP directly to the Internet; put it behind a VPN or gateway with multi-factor authentication. Or, you can require that your customers disable RDP entirely when it is not in use.
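The checks above (Account Lockout Policy, RDP and NLA settings, stale accounts, and brute-force attempts against RDP) can be audited on a single Windows host with the script below. It is an added example, not code from GraphOn, Sophos or Microsoft. It assumes a standalone or workgroup host (or an RDS host whose local policy is not overridden by domain Group Policy; on a domain member, set lockout in GPO instead), reads the standard registry values and the Security event log, and only changes anything in Set-LockoutPolicy, which applies the same 10/10/10 values Windows 11 22H2 uses by default. The 90-day and 24-hour thresholds are arbitrary choices for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not GraphOn, Sophos or Microsoft code). Audits the RDP-related
# controls discussed above on one Windows host. Read-only except Set-LockoutPolicy.

function Get-RdpExposure {
    # fDenyTSConnections=1 means Remote Desktop is off; UserAuthentication=1 means
    # Network Level Authentication is required before any session is created.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RdpEnabled  = ($deny -ne 1)
        NlaRequired = ($nla -eq 1)
    }
}

function Get-LockoutPolicy {
    # 'net accounts' prints the effective local policy; parse its three lockout lines.
    $text = (net accounts) -join "`n"
    $get = { param($label)
        if ($text -match "$label\s*:\s*(\S+)") { $Matches[1] } else { $null } }
    [pscustomobject]@{
        Threshold         = & $get 'Lockout threshold'                      # 'Never' = lockout disabled
        DurationMinutes   = & $get 'Lockout duration \(minutes\)'
        ObservationWindow = & $get 'Lockout observation window \(minutes\)'
    }
}

function Set-LockoutPolicy {
    # Applies the Windows 11 22H2 defaults (10 failures, 10 minute lockout,
    # 10 minute observation window) on a host where lockout is 'Never'.
    param([int]$Threshold = 10, [int]$DurationMinutes = 10, [int]$WindowMinutes = 10)
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
}

function Get-StaleLocalAccounts {
    # Enabled local accounts that have never logged on, or not within $Days.
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-LocalUser |
        Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
        Select-Object Name, LastLogon, PasswordLastSet
}

function Get-FailedRdpLogons {
    # Security event 4625 = failed logon. LogonType 10 is RemoteInteractive (RDP);
    # with NLA enabled the pre-session failure is commonly recorded as LogonType 3
    # (network) instead, so both are counted when a source address is present.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (($data.LogonType -in @('3', '10')) -and $data.IpAddress -and $data.IpAddress -ne '-') {
            [pscustomobject]@{ Source = $data.IpAddress; User = $data.TargetUserName; Time = $e.TimeCreated }
        }
    }
    # One row per source address: attempt count and the account names tried.
    $rows | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Users';  e = { ($_.Group.User | Select-Object -Unique) -join ',' } }
}

# Usage: report everything, then enable lockout if it is off.
Get-RdpExposure
$lock = Get-LockoutPolicy
$lock
if ($lock.Threshold -eq 'Never') { Set-LockoutPolicy; Get-LockoutPolicy }
Get-StaleLocalAccounts -Days 90
Get-FailedRdpLogons -Hours 24 | Format-Table -AutoSize
```

A host that reports RdpEnabled true, NlaRequired false and Threshold 'Never' is the configuration Sophos warns about: anyone who can reach port 3389 can guess passwords without limit. Multi-factor authentication cannot be checked from the host this way; on plain RDP it has to be enforced by the VPN or gateway in front of it.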
Or…Stop Using RDP and RDS.
If you are using RDS and RDP to deliver your Windows application to customers, and want to eliminate the high risks associated with using RDP without requiring you to dictate the Windows settings on your customers’ Windows machines, stop using RDS and RDP.
Stop using RDS and RDP? How?
There is one solution for delivering Windows applications to customers located anywhere that eliminates the need to use RDS and RDP.
GO-Global® provides full replacements for Microsoft’s multi-session functionality, Remote Desktop Services, and Remote Desktop Protocol. GO-Global replaces RDP with RapidX Protocol (RXP), a proprietary, low bandwidth protocol. Because RXP is proprietary and undocumented, attackers cannot reuse the ready-made tooling and published research that exist for RDP, whose specification Microsoft publishes openly. (Obscurity is not a substitute for authentication and patching, but it does remove a well-worn attack surface.)
For additional security, GO-Global includes 2FA, which defeats password-only brute force and dictionary attacks, since a guessed password is not enough to log on. And GO-Global + SSO provides support for OpenID Connect, which allows organizations to use modern identity providers to enable single sign-on into GO-Global Windows hosts.
To request a GO-Global demo, click here; for a free 30-day GO-Global trial, click here.
See how GO-Global provides secure and easy access to Windows Applications