CDK Global's massive cyberattack disrupts operations for 15,000 car dealerships, causing system shutdowns and forcing a shift to manual processes

Continue reading
In the past week, CDK Global, a prominent SaaS provider for car dealerships, suffered back to back cyberattacks. These breaches disrupted services for over 15,000 car dealerships in North America.
This Threatfeed delves into the technical aspects of these attacks, evaluates the impact, and explores potential recovery strategies.
CDK Global delivers a comprehensive SaaS platform catering to car dealerships. Their offerings encompass CRM, financing, payroll, support and service, inventory management, and back-office operations. The integration of an always-on VPN to CDK's data centers enables seamless access to these services for dealerships.
On the night of June 18, CDK Global encountered a cyberattack, prompting the shutdown of IT systems, phones, and applications to contain the threat. This attack incapacitated two data centers, disrupting dealership operations reliant on CDK’s platform.
The attackers likely exploited the always-on VPN connection used by dealerships. This connection grants extensive access to CDK’s platform, making it a prime target for cybercriminals. Moreover, CDK’s software, with administrative privileges on client devices, posed an additional risk.
As CDK began restoring services on June 19, a second breach has transpired. This forced another shutdown, indicating that the initial threat was not fully mitigated. The rapid attempt to restore services without comprehensive security checks may have facilitated this subsequent attack.
While the exact malware remains unidentified, the pattern suggests a ransomware attack. Such attacks involve encrypting data and demanding ransom for decryption. Ransomware also involves data exfiltration, where threat actors use stolen data as leverage.
import paramiko
def connect_vpn(host, user, password):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(host, username=user, password=password)
return client
# Simulate VPN connection exploitation
vpn_client = connect_vpn('vpn.example.com', 'admin', 'password123')
stdin, stdout, stderr = vpn_client.exec_command('cat /etc/passwd')
print(stdout.read().decode())The attack has caused extensive disruption:
from flask import Flask, request, jsonify
app = Flask(__name__)
# Simple example of token-based authentication
TOKENS = {"valid_token_123": "user1"}
@app.route('/secure-endpoint', methods=['POST'])
def secure_endpoint():
token = request.headers.get('Authorization')
if token in TOKENS:
return jsonify({"message": "Access Granted"})
else:
return jsonify({"message": "Access Denied"}), 403
if __name__ == '__main__':
app.run(debug=True)import pyotp
# Generate OTP for MFA
totp = pyotp.TOTP("base32secret3232")
print("Your OTP is:", totp.now())
# Function to verify OTP
def verify_otp(user_input_otp):
return totp.verify(user_input_otp)
user_otp = input("Enter your OTP: ")
if verify_otp(user_otp):
print("OTP Verified, Access Granted")
else:
print("Invalid OTP, Access Denied")
U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.