Vorlon Blog

CDK Global's Breach - And How Vorlon Can Help

Written by Jonathan Reshef | Aug 22, 2024 9:22:36 PM

What happened?

In June 2024, CDK Global suffered a breach at the hands of BlackSuit ransomware group, causing them to shut down major data centers and IT Systems twice within two days.

BlackSuit managed to leverage employee credentials that they then used to move laterally through CDK systems and grant themselves administrative privileges.

With the exploited credentials and admin privileges, BlackSuit deployed ransomware, which led to operational delays, financial losses, and multiple lawsuits against CDK Global.

What if they had Vorlon?

Today, many breaches occur by leveraging valid credentials created by the impacted company, so it's hard to tell that the attacker leveraging the credentials is not “valid.”

This is precisely where Vorlon comes in to help. With Vorlon, CDK would have been alerted to the new connection to their system early, and Vorlon would have provided a few different alerts / alert types to notify them of this malicious behavior. 

Here is a brief overview of some of those alerts:

  • Secret Sharing Detected- Vorlon will raise a new secret sharing detected alert whenever it detects traffic using a secret that has been previously used by a different application.
  • Sensitive Data Access - Vorlon will raise a sensitive data access alert whenever a new endpoint is detected that provides data which includes sensitive information.
  • Unknown Source IP - Vorlon will raise a new unknown source IP alert whenever traffic from a new unknown IP that cannot be identified against the catalog of apps is detected
  • Unknown Source Geolocation - Vorlon will raise an unknown source geolocation alert whenever it detects traffic from a previously unidentified geolocation .
  • Dormant Secret Observed - Vorlon will raise a dormant secret observed alert when it detects a secret that has been inactive for an extended period but is suddenly activated again.

Vorlon has the capability to help you secure your third-party applications and provide a level of visibility that is otherwise difficult to achieve.

Don’t rely on legal agreements with your vendor to secure your data, take back control and provide yourself with a way to secure it. 
View full post