Jun 25

Ransomware at CDK Global: What’s Behind the Headlines?

Thales CipherTrust Secrets Management — Ransomware drives organizations to modernize IT/OT infrastructure

CDK Global, a prominent provider of Dealer Management System (DMS) software serving 15,000 car dealerships across the USA, experienced a catastrophic service outage starting last Tuesday, June 18th. The prolonged disruption is causing significant operational damage to numerous dealerships. As of now, there is no clear timeline for service restoration. Reports indicate that CDK Global is in negotiations with an Eastern European cybercrime group for a ransom payment, highlighting the severity of the ransomware attack which has likely destroyed their IT infrastructure, including backups.

However, the underlying vulnerabilities that facilitated this attack deserve closer examination. Here are the known attack surface elements in CDK software commonly exploited by ransomware operators:

1. Vulnerable VPN Infrastructure

CDK relies on car dealerships connecting to the CDK Global "data center" via a VPN infrastructure. We know that publicly exposed VPN "boxes" have been a particular focus for ransomware operators in recent months, and unfortunately, no firewall vendor has been spared, routinely exposing customers to weeks or months of unpatched zero-day vulnerabilities (see some recent examples here). Generally, running self-hosted internet-facing services such as VPN gateways, web applications, and others, makes the attack surface very hard to defend, especially when the architecture is not cloud native and requires manual maintenance.

2. "Always-On" VPN Connections

Additionally, CDK appears to configure "always-on" VPN connections for their customers. We do not know if this involves installing VPN “boxes” at each dealership, or if it’s a software VPN client installed on Windows clients accessing the application. In any case, the number of maintenance points is huge (remember, 15000 dealerships appear to be using the software), in many cases relying on the dealership to enforce IT security of its operations (which is not a given). Threat actors can rely on infostealer malware installed on a computer within a dealership to steal credentials and perhaps pivot to CDK’s network on the other side of the VPN tunnel.

3. Lack of Widespread Multi-Factor Authentication (MFA)

Despite mentioning MFA, CDK's implementation seems to be more of a monetized add-on rather than a default security measure. Unfortunately, legacy architectures are particularly resistant to the introduction of MFA, and it’s hard to expect many dealerships would pay for this option (usually associated with user friction and additional complications, especially in on-premises environments). Therefore, most employees at dealerships are probably relying on good old passwords. Yet, in today’s threat landscape, even large providers are discovering the urgency of MFA by default.

4. Elevated Privileges and Software Update Risks

The CDK client software runs with admin privileges, which the provider uses for delivering updates. So, it's not surprising that CDK is now asking users to manually disable their VPN tunnels because they fear mutual lateral movement by the threat actor, and likely also "supply-chain" attacks on the dealerships (through the "update" functionality).

5. Legacy Client/Server Architecture

Lastly, CDK is basing its service on legacy client/server software (see example GUI below), that has been adapted into some kind of IaaS and finally marketed as "SaaS" (although it has nothing with cloud-native architecture SaaS providers usually base their service on).

Unfortunately, this means very complicated infrastructure maintenance involving lots of manual work, further complicated by self-hosted solutions from many vendors. In such environments, errors are inevitable, patches can be delivered late, and the attack options are plenty. We know it’s hard to maintain such infrastructure even for larger providers – see the Rackspace Exchange incident as an example.

Given the above factors, it’s unsurprising that CDK Global succumbed to the attack. One hopes the recovery will not take too long and that CDK has learned a lesson: infrastructure and software need to be modernized – it’s the best route to reducing the cyber attack surface. Threat actors know that all too well. It’s time for companies to also awaken to this fact.

For more detailed information about the CDK Global cyberattack, visit Help Net Security's blog.