CDK has faced two major cyber attacks in June 2024. Here's everything you need to know.
In June 2024, CDK Global, a prominent provider of software-as-a-service (SaaS) solutions for automotive dealerships, faced two severe cyber attacks. These incidents disrupted operations for thousands of dealerships across North America. This post explores the technical details of these attacks, the vulnerabilities exploited, and the broader implications.
| Field | Value |
|---|---|
| Affected products | Car dealership SaaS platform CDK Global |
| Product category | SaaS Security |
| Severity | Critical |
| Type | Data Breach |
| Impact | Total system shut down |
| Exploit in the wild | Yes |
| Remediation action | Monitor systems for signs of unauthorized access or suspicious activity; update security software and implement strong password policies |
CDK Global, a software-as-a-service platform which provides a full suite of applications to handle a car dealership’s operation, including sales, CRM, back office, financing, inventory management, service and support, was hit by a massive cyber attack on June 19, 2024.
This attack forced the company to shut down its systems to prevent further damage. Just as recovery efforts began, a second breach occurred, exacerbating the disruption.
Brad Holton, CEO of Proton Dealership IT, a firm specializing in cyber security and IT services for car dealerships, reported that CDK had been forced to take both of its data centers offline at around 2 AM to mitigate the attack’s impact.
The attack vectors used in these breaches likely involved a combination of phishing and the exploitation of software vulnerabilities. The probable stages were:
1. Initial access: The attackers possibly initiated the breach through phishing campaigns, tricking employees into divulging credentials or installing malware. This method remains one of the most common and effective means of compromising network security.
2. Lateral movement: Once inside, the attackers used tools to move laterally across the network. Techniques such as credential dumping and exploiting weak permissions allowed them to access additional systems and sensitive data.
3. Privilege escalation: By gaining higher-level permissions, the attackers could take control of critical systems. They likely exploited unpatched software vulnerabilities or used administrative privileges to spread the attack further.
4. Ransomware deployment: The final stage involved deploying ransomware, encrypting files, and demanding a ransom for decryption keys. This incapacitated CDK’s operations, affecting all dealership services reliant on its systems.
Car dealerships use CDK Global’s services by maintaining an always-on VPN connection to the provider’s data centers, enabling their local applications to interface with the platform.
The cyber attack experienced by CDK Global prompted the company to shut down its IT systems, telephones, and applications to contain the threat.
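The lateral-movement stage above is the one a dealership or vendor SOC has the best chance of catching before encryption starts: a harvested credential being replayed from one workstation to many servers produces a burst of distinct logon destinations that a normal user never generates. The following detector is an added illustration, not CDK's or any vendor's code. The log format, host names, thresholds and every event line are assumptions constructed for the example; in practice the same logic would run over Windows security events or VPN gateway logs.

```python
"""Lateral-movement fan-out detector over authentication events.

Added illustration for the lateral-movement stage described above; it is
not CDK's or any vendor's code. The log format, host names and thresholds
are assumptions, and every event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
# <ISO timestamp> <user> <source host> <destination host> <logon type> <result>
SAMPLE_LOG = """\
2024-06-19T01:40:02 svc_backup WS-SALES-01 DC-01 network success
2024-06-19T01:40:09 svc_backup WS-SALES-01 FILESRV-02 network success
2024-06-19T01:40:15 svc_backup WS-SALES-01 WS-FIN-04 network success
2024-06-19T01:40:21 svc_backup WS-SALES-01 WS-SVC-07 network success
2024-06-19T01:40:30 svc_backup WS-SALES-01 PRINT-01 network success
2024-06-19T01:40:44 svc_backup WS-SALES-01 DMS-APP-01 network success
2024-06-19T01:52:10 jdoe WS-SALES-03 FILESRV-02 network success
2024-06-19T02:03:00 jdoe WS-SALES-03 WS-SALES-03 interactive success
2024-06-19T02:15:33 msmith WS-FIN-02 DMS-APP-01 network failure
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, logon_type, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src_host": src,
            "dst_host": dst,
            "logon_type": logon_type,
            "result": result,
        })
    return events


def find_fanout(events, window_minutes=10, min_hosts=5):
    """Flag (user, source host) pairs that successfully opened network logons
    to at least `min_hosts` distinct destinations within `window_minutes`.

    Only successful network logons count: failed attempts and interactive
    logons at the console are a different signal and would add noise here.
    """
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if ev["result"] == "success" and ev["logon_type"] == "network":
            by_actor[(ev["user"], ev["src_host"])].append(ev)

    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event and count distinct targets.
        for i, start in enumerate(evs):
            hosts = []
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["dst_host"] not in hosts:
                    hosts.append(ev["dst_host"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src_host": src,
                    "window_start": start["ts"],
                    "hosts": hosts,
                })
                break  # one alert per actor; later windows are the same burst
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_events(SAMPLE_LOG)):
        print(f"{alert['window_start']:%H:%M:%S} {alert['user']}@{alert['src_host']} "
              f"-> {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

On the constructed sample only the `svc_backup` account from `WS-SALES-01` trips the rule (six distinct servers in 42 seconds); `jdoe` and `msmith` stay under the threshold. The window and host-count thresholds are deliberately parameters: a service account that legitimately polls many hosts should be allow-listed or given its own baseline rather than silenced by raising the global threshold.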
Concerns that cyber criminals could exploit the always-on VPN to infiltrate car dealerships’ internal networks are growing. An IT professional at one dealership reported that CDK recommended disconnecting the always-on VPN as a precautionary measure.
Holton, CEO of Proton Dealership IT, noted that CDK software (which runs with administrative privileges for updates) might be the reason behind the advice to sever the connection to CDK’s data centers.
Meanwhile, some users have managed to log in using legacy credentials upgraded during CDK’s shift to a modern single sign-on system. However, BleepingComputer has reported that the application is not functioning as expected.
According to recent filings with the Securities and Exchange Commission, at least six companies have informed the agency that the ransomware attack on CDK Global, a key software provider for the automotive industry, has negatively impacted their operations. Dark Reading describes how the cyber attacks have had significant repercussions for the more than 15,000 car dealerships using CDK’s services. According to CNN’s report, these dealerships rely on CDK for managing sales, inventory, customer relationships, and financial transactions. The attacks have left many unable to perform daily operations, forcing some to resort to manual processes or halt activities entirely.
The sequence of attacks suggests a coordinated effort to exploit CDK’s vulnerabilities. The attackers’ ability to execute a second breach while the company was recovering from the first indicates a sophisticated and persistent threat actor. Such coordinated attacks are often seen with ransomware groups, which systematically exploit vulnerabilities to maximize disruption and financial gain.
There is a significant risk that sensitive data, including customer and financial information, may have been compromised. The attackers could have accessed and exfiltrated this data during the breaches, posing risks of identity theft and financial fraud.
CDK Global spokesperson Lisa Finney told BleepingComputer that CDK has been working with third-party cyber security experts to assess and mitigate these risks.
Several IOCs have been identified that could help in detecting similar attacks:
“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” Finney told BleepingComputer.
“In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”
In response to the breaches, CDK has taken several steps to mitigate the impact and prevent further damage:
To prevent future incidents, several long-term strategies should be implemented:
The cyber attacks on CDK Global highlight the growing vulnerabilities in modern digital infrastructures, particularly in industries heavily reliant on interconnected systems. By understanding the technical details of these attacks and implementing robust security measures, organizations can better protect themselves against future threats.
The incidents underscore the importance of proactive cyber security strategies and the need for continuous vigilance in an ever-evolving threat landscape.
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: