One Click That Shut Down 15,000 Businesses: the CDK Hack
What started out as a peaceful shift for one of the country’s largest auto dealer Software-as-a-Service vendors turned into a nightmare. By 2:00 AM, the security team had determined that it needed to shut down two of the company’s data centers to stop the ransomware from spreading.
The vendor is CDK Global and they provide software services for over 15,000 car dealerships nationwide. They provide a platform that handles all aspects of an auto dealership’s operation including customer relationship management, financing, payroll, support and service, inventory, and back-office operations. On June 19th, CDK announced there was a cyber incident they were investigating, and services were not available. They started restoring service later in the day, but then they had a second cyber incident which caused them to take the systems offline again.
What makes the problem more complicated is that CDK’s clients are permanently connected to its network through an “always-on” VPN. This provides a tunnel from each client to the data centers. Normally that would be a good thing, but in this case the always-on VPN simply extended a network that had been poisoned by ransomware. CDK recommended that clients disconnect so that the attackers could not “pivot” from the CDK network into the dealership networks. What was even more critical was that the CDK software held administrative privileges on the client systems in order to perform software updates; compromising that software would have given the attackers admin access to the dealerships’ local computers. Thankfully, no clients reported any spread of the infection.
This attack caused widespread disruption at car dealerships, which lost the ability to track and order parts, conduct new sales, and offer financing. Some dealerships shut down completely, while others reverted to the tried-and-true method of pen and paper assisted by spreadsheets. CDK projects that all of its clients will be fully operational by July 4th. However, the damage has been done: the disruption is estimated to cost CDK and the dealerships $944M.
The attacker is purported to be a hacking group identified as BlackSuit which, although it only started a couple of years ago, has been responsible for over 95 breaches across the globe. The group is known for a technique called “double extortion.” During the breach, they copy the victim’s data to their own servers before encrypting (locking) the data on the victim’s systems. They then demand a ransom for the key that unlocks the data so the victim can resume operations, and additionally threaten to release the stolen data on the dark web if the victim does not pay a second ransom.
This breach might have been avoided if CDK had fully implemented Zero-Trust methods. In a Zero-Trust environment, it is assumed that attackers are already on the network, and only trusted applications are permitted to run. Application whitelisting would have stopped this attack in its tracks: it allows only known, trusted applications to execute, so any new application, such as ransomware, would not be allowed to run.
The attack also highlighted the importance of being prepared for anything. Every business should have a Contingency Operations Plan written and validated before any incident or emergency occurs. Those dealerships that had adapted their processes to work without a computer could continue to sell and service vehicles. Those that did not have a plan suffered.
The ray of sunshine in this otherwise dreary incident was that our local dealerships were unaffected by the attack. All the dealerships from Sierra Vista to Tucson escaped this disaster as they do not use the CDK service for their management.
For CDK, one improper click cost the company and its clients a billion dollars. Implementing Zero-Trust concepts and employing continuous cybersecurity training would have been a far more cost-effective solution. The problem is that many companies don’t really understand that until it is too late.
The original article was published in the Sierra Vista Herald.