We are working with a number of clients who have been impacted by what is, I believe, now officially being referred to publicly by CDK as an attack and, specifically, multiple attacks. This latest development (the threat actors are reaching out to CDK customers directly) confirms that there was data, at the very least customer lists and contact info, taken during the attack. Details are sketchy and there are a lot of moving parts behind the scenes, so this post will be a) short, b) in no particular order and c) vague, but there are a number of common questions / concerns / comments that we’re getting that I’m hoping to address with this post.
- For those who don’t know who CDK is or why this may be important: CDK is a Software as a Service (“SaaS”) company that does all of the things for automobile dealers, with a client list of around 15,000 dealerships. When I say does all of the things, I literally mean all of the things. CDK manages inventory, so when the dealerships buy, sell or trade vehicles, they do it in CDK and all of the information about the vehicle is in CDK. When a customer wants to buy a vehicle and they apply for credit, CDK. When they get the loan, CDK. When the vehicle is registered, CDK. Taking your vehicle in for repair? Yup, CDK. Do you work for a dealership and get payroll? That’s done through CDK. Literally, all of the things. I haven’t seen any specifics on what all may have been exposed, but it appears that CDK has shut down everything as a result of this attack. Until we know more, it would probably be safe to assume that any information that you have provided to a dealership was entered into CDK and could be involved in this.
- At this point, we believe that there have been (at least) two attacks, one late Tuesday evening and then a second on Wednesday afternoon.
- The second attack appeared to come after CDK believed that they had cleared some of the environment and started allowing clients to log back in.
- CDK yesterday advised clients (dealerships) that the outage could last several days.
- CDK maintains an always-on VPN connection for many / most of their clients, giving the clients secure access to the CDK platform and CDK access to the client environment. This VPN connection appears to have been disconnected by CDK at some point, but I haven’t seen any indication as to exactly when or how long after the first or second attack.
- The CDK software installed on client systems, typically every system in the fleet, has full access to those systems, with the ability to update system files. It wouldn’t be unreasonable to believe that the threat actors used those VPN connections to move beyond CDK to the dealerships.
We are continuing to work closely with our clients that have been impacted by the CDK breach, and we are encouraging all of our clients to use this as a reminder that it’s generally not a matter of if you’ll be the victim of a cyber attack but when. Now is an excellent opportunity to review things like:
- your inventory (network equipment, servers, computers, software, etc.): do you actually know what you have?
- your user lists: do you have unused accounts, do employees who are no longer there still have active logins, etc.?
- your patch management process: are all of the assets you have listed in your inventory up to date and actively maintained?
Once you’ve verified what you have, test your Incident Response Plan.
Additional Information
- https://www.bleepingcomputer.com/news/security/cdk-global-cyberattack-impacts-thousands-of-us-car-dealerships/
- https://www.cbtnews.com/cdk-global-cyberattack-disrupts-operations-at-15000-dealerships/
- https://www.helpnetsecurity.com/2024/06/20/cdk-cyberattack/
- https://www.reddit.com/r/Justrolledintotheshop/comments/1djn163/comment/l9bssdz/
- https://www.scmagazine.com/news/after-2-hacks-cdk-global-warns-customers-of-social-engineering-attacks
- https://www.cdkglobal.com/