August 23, 2024
CDK Cyber Attack: Understanding and Preventing Future Threats
In June 2024, CDK Global, a prominent dealership management software provider, suffered a ransomware attack that had far-reaching consequences for the automotive industry. The incident disrupted operations at numerous dealerships and led to substantial financial setbacks, with estimates of over $1 billion in losses, according to an estimate from Anderson Economic Group, an East Lansing, Mich., consulting firm.
Cyberattacks on car dealerships are on the rise, with a notable increase in incidents reported in recent years. According to a 2023 report by CDK, 17% of surveyed dealerships experienced cyber incidents, up from 15% the previous year.
Similarly, between July 2023 and June 2024, there were 4,582 known ransomware attacks, marking a 33% year-on-year increase compared to the previous period. This record-breaking surge surpassed the previous high of 3,434 attacks recorded from July 2022 to June 2023.
Not only did these cybercriminals grow in number, but they also sharpened their tactics, drastically reducing the time from initial access to encryption, which now takes hours rather than weeks.
In this article, Dirox will dive into the ins and outs of this attack, underscoring the critical need for robust cybersecurity strategies in the increasingly digital automotive sales and services landscape.
Understanding the CDK Cyber Attack
How Did the CDK Cyber Attack Happen?
June 18, 2024:
- CDK Global experienced a cyberattack and shut down most of its systems to contain the situation.
- Over 150,000 car dealerships across North America experienced significant disruption due to the outage of software that is crucial for their day-to-day operations. Many dealerships resorted to manual processes, which hurt efficiency and customer service.
- Some systems were restored later in the day, but a second attack forced another shutdown.
June 21, 2024:
- A hacking group claiming to be based in Eastern Europe demanded a multi-million dollar ransom.
- The group was identified as BlackSuit, a cybercriminal organization linked to previous attacks that involved encrypting and exfiltrating victim data and hosting public data leak sites for non-compliant victims.
- Bloomberg News reported that CDK planned to pay the ransom.
June 22, 2024:
- CDK began a multi-day restoration process.
June 24, 2024:
- CDK informed clients that the shutdown would continue until at least the end of June.
- A small group of dealerships was successfully brought back online for testing.
June 28, 2024:
- CDK continued to bring dealerships back online in phases, with two small groups and one large group restored.
July 1, 2024:
- CDK announced plans to restore services to all dealerships by July 4th.
July 4, 2024:
- All dealerships using CDK were expected to be back online.
CDK’s Communication Strategy
CDK communicated privately with its customers and stakeholders, providing transparent and timely updates. The company reported regularly on the status of its systems and the measures being taken to restore services.
This approach was crucial in managing customer expectations and maintaining trust during the crisis. At the same time, by keeping the communication private, the company aimed to prevent the situation from escalating in the public eye.
However, the aftermath was too severe to fix through communication alone.
Impact on Dealerships and Customers
The attack had a significant impact on both dealerships and customers:
Dealerships experienced severe disruptions in their sales, finance, and customer service operations. The attack led to system outages and degraded performance, hampering critical functions such as inventory tracking, sales processing, and service scheduling.
Sonic Automotive said car sales fell during a weekslong outage following a cyberattack on its software services provider, CDK Global, and the incident is “reasonably likely to have a material impact” on financial performance.
This situation has resulted in multiple lawsuits against CDK Global, most of them filed by employees or customers of the affected dealerships, criticizing the company's rushed system restorations, which led to repeated breaches.
Meanwhile, customers felt the impact through delays and difficulties in purchasing vehicles, obtaining financing, and receiving timely service. The disruption resulted in delayed services, lost sales opportunities, and a significant level of frustration among customers.
In the long term, the data breach has raised serious concerns about data privacy and security, potentially exposing sensitive customer data and leading to identity theft and fraud.
The damage to customer trust and the potential negative impact on future business are significant, with industry experts urging for robust contingency plans and heightened cybersecurity measures to mitigate future disruptions.
Technical Breakdown: How Did the Attack Occur?
Specific technical details about the vulnerabilities are not publicly disclosed, but it is evident that the attack leveraged weaknesses that allowed the hackers to take control of the system and encrypt essential data.
Initial access
It is suspected that BlackSuit employed a combination of phishing and exploiting software vulnerabilities.
Phishing campaigns targeted CDK employees, tricking them into divulging credentials or installing malware. This remains the most common and effective method for compromising network security.
At the same time, car dealerships connect to CDK Global’s services via an always-on VPN that lets local applications interface with the platform, which widens the set of endpoints from which the platform can be reached.
Lateral Movement: Once inside the network, the attackers moved laterally. They used techniques like credential dumping (extracting credentials from process memory) and exploited weak permissions to access additional systems and sensitive data.
Privilege Escalation: By gaining higher-level permissions, the attackers potentially took control of critical systems, exploiting unpatched software vulnerabilities or leveraging administrative privileges to spread the attack further.
Payload Deployment: The final stage involved deploying ransomware. Files were encrypted, which incapacitated CDK’s operations and affected every dealership service reliant on its systems. This is when the attackers demanded a ransom for the decryption keys.
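The chain above has two stages a defender can observe in endpoint telemetry: a process reading LSASS memory (credential dumping) and a burst of files renamed to one new extension on the same host (encryption). The following is an added example, not code from the original article or from CDK Global, showing a toy correlation rule over constructed Sysmon-style events; the allowlisted LSASS readers, the host names and the burst and window thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): processes allowed to read LSASS memory,
# and how many renames to one extension within what window count as mass encryption.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe"}
RENAME_BURST = 20
WINDOW = timedelta(minutes=10)

def build_sample_log():
    """Constructed Sysmon-style events (not real CDK telemetry):
    '<ISO time> <host> <event> key=value ...'."""
    lines = [
        "2024-06-18T01:02:10 DLR-WS07 ProcessAccess target=lsass.exe source=procdump.exe",
        "2024-06-18T01:02:30 DLR-WS02 ProcessAccess target=lsass.exe source=csrss.exe",
        "2024-06-18T02:00:00 DLR-WS02 FileRename old=quote.doc new=quote.docx",
    ]
    for i in range(25):  # 25 renames to one new extension within 25 seconds
        lines.append(f"2024-06-18T01:10:{i:02d} DLR-WS07 FileRename "
                     f"old=deal{i}.pdf new=deal{i}.pdf.locked")
    return "\n".join(lines)

def parse(line):
    ts, host, event, *pairs = line.split()
    return datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in pairs)

def detect(log_text, burst=RENAME_BURST, window=WINDOW):
    """One alert per (host, extension) with >= burst renames inside window; the
    alert records whether a non-allowlisted process read LSASS earlier on that host."""
    lsass_hits, renames = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, host, event, d = parse(line)
        if event == "ProcessAccess" and d.get("target", "").lower() == "lsass.exe":
            if d.get("source", "").lower() not in LSASS_ALLOWLIST:
                lsass_hits[host].append(ts)
        elif event == "FileRename":
            renames[(host, d["new"].rsplit(".", 1)[-1].lower())].append(ts)
    alerts = []
    for (host, ext), times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= burst:
                alerts.append({"host": host, "ext": ext, "renames": len(times),
                               "lsass_dumped": any(h <= t for h in lsass_hits[host])})
                break
    return alerts
```

Running `detect(build_sample_log())` flags only DLR-WS07, where the LSASS read by procdump.exe preceded the rename burst; the allowlisted csrss.exe read and the single rename on DLR-WS02 produce nothing.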
Preventing Future Attacks
With the increasing sophistication of cyber attacks, dealerships must proactively fortify their defenses to protect sensitive data and maintain customer trust.
Building a Strong Cybersecurity Framework
This involves establishing clear policies and procedures that are regularly reviewed and updated to address emerging threats. A comprehensive framework not only helps in preventing attacks but also ensures a quick recovery in case of a breach.
Essential Technical Safeguards
These are the tools that enforce the cybersecurity framework. Prioritizing firewalls, data encryption, and multi-factor authentication can significantly reduce the risk of unauthorized access and data theft. These safeguards act as the first line of defense against cyber threats.
Employee Training
Training is crucial since human error often leads to security breaches. Regular training sessions on cybersecurity best practices can empower employees to recognize and avoid potential threats. Phishing awareness and secure password management are also essential skills that all employees should possess.
An Incident Response Plan
Companies need a plan that outlines the steps to take to minimize damage and downtime. A clear and practiced response plan can make the difference between a minor setback and a catastrophic loss.
The automotive industry, with its vast network of dealerships, customer databases, and financial transactions, is a lucrative target for cybercriminals. By implementing these measures, dealerships can create a secure environment that safeguards their operations and maintains the integrity of the customer data they hold.
Other Ransomware Cases
Nvidia and Lapsus$
In 2022, Nvidia, a major gaming chipmaker, fell victim to a ransomware attack in which the attackers, known as the ransomware group Lapsus$, stole sensitive data, including Nvidia’s source code and details about their GPUs.
Notably, the stolen source code included the hash rate limiter (LHR), which reduces the efficiency of Nvidia’s chips for cryptocurrency mining.
Lapsus$ made an unusual ultimatum: Nvidia must allow their graphics cards to mine cryptocurrencies faster (by removing LHR) or face the release of their crown-jewel source code. The attackers also demanded that Nvidia make its GPU drivers completely open source.
Nvidia retaliated by… hacking back. The company reportedly tried to install ransomware on Lapsus$’ computers, but the attempt failed to recover the stolen data because the group had backups.
In the end, to keep their data private, Nvidia settled with Lapsus$, paying a cryptocurrency ransom and agreeing to publish GPU drivers as open source.
WannaCry
The WannaCry attack in 2017 is a well-known example of a ransomware attack that had a significant impact. It affected over 200,000 organizations in 150 countries, including hospitals, banks, and government agencies.
The ransomware arrives as a dropper containing components for encryption, decryption, and communication. It encrypts files in various formats (e.g., Microsoft Office files, MP3s) and displays a ransom notice.
It was spread by a North Korean hacker collective called The Lazarus Group via a flaw in Microsoft Windows’ implementation of the Server Message Block (SMB) protocol, and over 350,000 devices were affected within four days.
Businesses suffered significant data loss, with hundreds of records compromised. Hospitals experienced surgery cancellations due to erased patient files. Even more alarming, ambulances were reportedly rerouted because the attack affected stored GPS information, potentially endangering lives.
A French researcher, Adrien Guinet, later found a way to retrieve the RSA key from the malware files, blunting the effectiveness of the attacks. This, combined with Microsoft’s Windows patches, ended WannaCry’s spread a few days after it began.
These incidents highlight the complex dynamics of ransomware attacks and the trade-offs companies face when dealing with cybercriminals.
Conclusion
The CDK cyber attack serves as a reminder of the ever-present cyber threat landscape. By understanding the attack, its impact, and preventive measures, dealerships can strengthen their defenses and emerge more resilient. Take action today to build a robust cybersecurity strategy and protect your business from future attacks. Remember, a proactive approach is crucial for ensuring the security of your dealership and your customers' data.
Contact Dirox and discover how our cybersecurity experts can protect your business!