Get a demo

Voyager18 (research)

Unraveling the CDK Global Cyber attack

CDK has faced two major cyber attacks in June 2024. Here's everything you need to know.

Yair Divinsky | June 30, 2024

In June 2024, CDK Global, a prominent provider of software-as-a-service (SaaS) solutions for automotive dealerships, faced two severe cyber attacks. These incidents disrupted operations for thousands of dealerships across North America. This post explores the technical details of these attacks, the vulnerabilities exploited, and the broader implications.

TL;DR

Affected products: 

Car dealership SaaS platform CDK Global 

Product category: 

SaaS Security 

Severity: 

Critical 

Type: 

Data Breach 

Impact: 

Total system shut down 

Exploit in the wild 

Yes 

Remediation action 

– Monitor systems for signs of unauthorized access or suspicious activity. 

– Update security software and implement strong password policies 

CDK Global, a software-as-a-service platform which provides a full suite of applications to handle a car dealership’s operation, including sales, CRM, back office, financing, inventory management, service and support, was hit by a massive cyber attack on June 19, 2024. This attack forced the company to shut down its systems to prevent further damage. Just as recovery efforts began, a second breach occurred, exacerbating the disruption. 

Brad Holton, CEO of Proton Dealership IT, a firm specializing in cyber security and IT services for car dealerships, informed that CDK was forced to take both of its data centers offline around 2 AM to mitigate the attack’s impact. 

 

Technical analysis

The attack vectors used in these breaches likely involved a combination of phishing and exploiting software vulnerabilities: 

Initial access

The attackers possibly initiated the breach through phishing campaigns, tricking employees into divulging credentials or installing malware. This method remains one of the most common and effective means of compromising network security.

Car dealerships use CDK Global’s services by maintaining an always-on VPN connection to the provider’s data centers, enabling their local applications to interface with the platform. 

The cyber attack experienced by CDK Global, prompted the company to shut down its IT systems, telephones, and applications to contain the threat. 

Lateral movement

Once inside, the attackers used tools to move laterally across the network. Techniques such as credential dumping and exploiting weak permissions allowed them to access additional systems and sensitive data.

Privilege escalation

By gaining higher-level permissions, the attackers could take control of critical systems. They likely exploited unpatched software vulnerabilities or used administrative privileges to spread the attack further.

Payload deployment

The final stage involved deploying ransomware, encrypting files, and demanding a ransom for decryption keys. This incapacitated CDK’s operations, affecting all dealership services reliant on their systems.

Concerns of cyber criminals exploiting the always-on VPN to infiltrate car dealerships’ internal networks are constantly growing. An IT professional from one dealership reported to that CDK recommended disconnecting the always-on VPN as a precautionary measure. 

Holton, CEO of Proton Dealership IT, noted that CDK software (which runs with administrative privileges for updates) might be the reason behind the advice to sever the connection to CDK’s data centers.

Meanwhile, some users have managed to log in using legacy credentials upgraded during CDK’s shift to a modern single sign-on system. However, BleepingComputer has reported that the application is not functioning as expected. 

 

Does the CDK breach affect me?

As per recent filings with the agency, at least six companies have informed the Securities and Exchange Commission that the ransomware attack on CDK Global, a key software provider for the automotive industry, has negatively impacted their operations. Darkreading describes how the cyber attacks have had significant repercussions for over 15,000 car dealerships using CDK’s services. According to CNN’s report, these dealerships rely on CDK for managing sales, inventory, customer relationships, and financial transactions. The attacks have left many unable to perform daily operations, forcing some to resort to manual processes or halt activities entirely. 

The sequence of attacks suggests a coordinated effort to exploit CDK’s vulnerabilities. The attackers’ ability to execute a second breach while the company was recovering from the first indicates a sophisticated and persistent threat actor. Such coordinated attacks are often seen with ransomware groups, which systematically exploit vulnerabilities to maximize disruption and financial gain.

What has been the impact of the CDK breach?

There is a significant risk that sensitive data, including customer and financial information, may have been compromised. The attackers could have accessed and exfiltrated this data during the breaches, posing risks of identity theft and financial fraud.

CDK Global spokesperson Lisa Finney told BleepingComputer that CDK has been working with third-party cyber security experts to assess and mitigate these risks. 

Indicators of compromise (IOCs) 

Several IOCs have been identified that could help in detecting similar attacks: 

  • Unusual network activity – Increased network traffic from unfamiliar IP addresses or unusual login patterns. 
  • System anomalies – Unexpected system shutdowns, sluggish performance, or unexplained file changes.
  • Phishing attempts – A surge in phishing emails targeting employees to gain initial access 

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” Finney told BleepingComputer. 

“In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.” 

 

How to take action against the CDK breach

Immediate response actions  

In response to the breaches, CDK has taken several steps to mitigate the impact and prevent further damage: 

  • System shutdowns – Temporarily shutting down systems to prevent the spread of the attack and limit damage. 
  • Collaboration with expert –  Engaging third-party cyber security firms to assist in the investigation and recovery process. 
  • Customer communication – Informing affected dealerships and providing guidance on protective measures.

Long-term mitigation strategies

To prevent future incidents, several long-term strategies should be implemented: 

  • Enhanced security protocols – Regularly updating and patching systems to close known vulnerabilities and prevent exploits. 
  • Employee training – Educating employees about phishing risks and best practices for cyber security to reduce the likelihood of initial compromises. 
  • Advanced threat detection – Investing in sophisticated threat detection and response tools to identify and mitigate attacks more effectively. 
  • Regular backups – Ensuring regular backups of critical data and systems, stored in secure, off-site locations, to facilitate recovery in the event of an attack 

The cyber attacks on CDK Global highlight the growing vulnerabilities in modern digital infrastructures, particularly in industries heavily reliant on interconnected systems. By understanding the technical details of these attacks and implementing robust security measures, organizations can better protect themselves against future threats. 

The incidents underscore the importance of proactive cyber security strategies and the need for continuous vigilance in an ever-evolving threat landscape.

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

“The only free RBVM tool out there The only free RBVM tool lorem ipsum out there. The only”.

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png