CDK Global cyberattack affects thousands of US car dealerships


Car dealership software-as-a-service provider CDK Global was hit by a massive cyberattack, forcing the company to shut down its systems and leaving customers unable to operate their businesses normally.

CDK Global offers customers in the auto industry a SaaS platform that handles all aspects of running a car dealership, including CRM, financing, payroll, support and service, inventory and back office operations.

The company's platform is used by over 15,000 car dealerships in North America, and it has thousands of employees across the country.

To use CDK's services, car dealerships set up an always-on VPN to the SaaS provider's data centers, allowing their on-premises applications to access the platform.

Late last night and into this morning, CDK Global suffered a cyberattack that led it to shut down its IT systems, phones and applications to prevent the attack from spreading.

Brad Holton, CEO of Proton Dealership IT, a cybersecurity and IT services firm for car dealerships, told BleepingComputer that the attack caused CDK to shut down its two data centers around 2 a.m. last night.

Employees at multiple car dealerships have also told BleepingComputer that CDK hasn't shared much information beyond an email warning that it has suffered a cyber incident.

“We are currently experiencing a cyber incident. Out of care and concern for our customers, we have shut down most of our systems,” said an email shared with BleepingComputer.

“We are currently assessing the overall impact and currently do not have an ETA.”

Some of these employees also shared concerns that threat actors could use the always-on VPN to move into the car dealership’s internal network.

An IT professional at a vendor told BleepingComputer that CDK advised them to disconnect the always-on VPN.

Holton explained that the CDK software running on dealership systems has administrative privileges, which it uses to deploy updates. This may explain why CDK is recommending that customers disconnect from its data centers.

While some users have stated that they can log in with legacy credentials that were upgraded during CDK’s transition to a modern single sign-on platform, BleepingComputer has been told that the app is not working as expected.

If you have any information about this incident or any other undisclosed attack, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].

Widespread disruption

The outage has caused widespread disruption among car dealerships that use the platform to track and order parts, make new sales and offer financing.

Employees have reported on Reddit that they had nothing to do or were forced to revert to paper and pencil. Some stores are sending employees home for the day because of the outage.

“We’re almost at that point… no parts, no RO, no time… just dead vehicles with nothing to show for it or parts to fix them,” a dealership employee posted on Reddit.

“Excel spreadsheets and Post-it notes for every piece we’re handing out. No big deal going on,” commented another employee.

While there has been no official statement from CDK, it is said that the company suffered a ransomware attack that also affected its backups.

BleepingComputer has not been able to independently confirm this information, but if it was a ransomware attack, the outage would likely last for days, if not into next week or longer.

When ransomware gangs breach corporate networks, they silently spread to other devices while stealing corporate data.

After all the data is stolen and the threat actors gain administrative privileges, they encrypt all the devices on the network, leaving behind ransom notes with instructions to contact the hackers.

Encrypted devices and stolen data are used in double extortion schemes, where threat actors demand a ransom payment to provide a decryptor and to delete and not release any stolen data.

These negotiations can take weeks, and if a ransom isn't paid, the threat actors eventually leak the stolen corporate data, which typically includes personal information of employees and, potentially, customers.

Update 6/19/24: CDK shared the following statement with BleepingComputer:

“We are actively investigating a cyber incident. Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything back up and running as soon as possible.” – CDK.
