By Paul Pajares (Senior Threat Researcher, Automotive)
CDK Global, a US-based multinational enterprise, experienced outages starting June 19, 2024, due to an alleged ransomware attack perpetrated by the BlackSuit ransomware group. The company provides software solutions that facilitate seamless connections between automotive dealers and manufacturers (OEMs), thereby enhancing the customer experience. CDK uses open and universal technology and application programming interfaces (APIs) to unify and translate customer details, payment estimations, real-time vehicle inventory status, and sales documentation from OEM websites via dealership workflows. This interconnected data system is crucial for electric vehicles (EVs) and relies heavily on third-party software like CDK’s for dealership management.
Incident overview
The interconnected nature of the automotive ecosystem — which includes components dependent on integration for interoperability, particularly through API services — opens and widens attack surfaces. This situation necessitates enhanced security strategies. For example, VicOne has partnered with 42Crunch to address increasing API security risks.
According to our findings in the VicOne Automotive Cyberthreat Landscape Report 2023, incidents related to applications and APIs accounted for 12% of the automotive cyberattacks and security incidents from the second half of 2022 to the first half of 2023 — the third most prevalent category. The same report also found that within the same time frame, third parties (41%) and suppliers (34%) were the most prone to cyberattacks, followed by dealers (16%) and OEMs (9%).
CDK’s service halt has set off a domino effect, crippling more than 15,000 car dealers in North America. Two weeks post-incident, CDK is slowly booting up and recovering, but it might take time to completely return to normal operations.
Incident aftermath
The CDK outage has severely impacted car dealers and sellers, making them inoperative. The incident, affecting thousands of car dealers, is considered one of the most significant in automotive history. Estimated direct losses could reach US$944 million if the outage lasts three weeks. Car dealership staff have resorted to manual methods like pen and paper and Excel. Additionally, customers have faced scam calls and phishing links promising rush restoration for a fee, while at least one legitimate automotive platform has offered rescue services to paralyzed dealers. The reliance on CDK’s software has led to disruptions in sales, new vehicle purchases, and vehicle registrations, significantly affecting major automotive dealers, such as Asbury.
The BlackSuit ransomware group
As of June 26, 2024, BlackSuit’s victim list comprises 81 entities, predominantly in the US (66.7%). Other affected countries include the UK, Canada, and the Netherlands. BlackSuit impacts industries like manufacturing, education, healthcare, construction, and IT consulting, the industry that includes CDK (although the company is yet to be listed by BlackSuit as a victim, possibly because negotiations between the two parties are still ongoing).
Figure 1. The distribution by industry of victims claimed by the BlackSuit ransomware group as of June 26, 2024
Lessons learned and recommended prevention strategies
In light of this recent attack and given that numerous car dealers rely on CDK’s third-party software, it is important to discuss some critical lessons learned and recommended security strategies for entities across the automotive supply chain to prevent and respond to future incidents:
- Redundancy and failover mechanisms: The CDK incident demonstrates the need for redundancy and failover mechanisms to prevent large-scale outages. Car dealers’ reliance on third-party software underscores the importance of incorporating these mechanisms to ensure minimal downtime by reverting to backup systems.
- Data backup and recovery plans: Regular backups and robust data backup enforcement are key to avoiding data loss and corruption. The 3-2-1 backup rule is recommended: keep three copies of the data, with two of them stored on separate media and one copy off-site. CDK’s potential payment of tens of millions of dollars to ransomware operators highlights the need for data integrity and availability through testing and simulation of recovery plans.
- Streamlined security audits and penetration testing: Identifying and addressing vulnerabilities is vital, particularly as attackers exploit these weaknesses. Frequent security assessments, like Threat Analysis and Risk Assessment (TARA), can help in regulatory compliance and vulnerability remediation.
- Sound incident response planning: Rapid and coordinated incident response is essential. Regular incident response plan drills tailored to automotive systems and post-incident analyses are crucial for readiness and learning.
- Third-party and vendor risk management: Strict regulatory compliance must be enforced to secure interdependencies and shared data. Assessing and managing risks of third-party software providers and ensuring adherence to security standards are imperative.
Additional strategies include comprehensive monitoring of cyberthreats, staff and affiliate security awareness training, patch management, network segmentation, and collaborative efforts in sharing incidents and information.
Conclusion
The CDK Global ransomware attack has underscored the importance of robust cybersecurity strategies in the automotive supply chain. This incident has not only disrupted operations for thousands of car dealers but also exposed security gaps that can be exploited by cybercriminals. The dependency on third-party software like CDK’s for dealership management systems highlights the need for comprehensive security measures among automotive stakeholders, including redundancy, data backup and recovery plans, regular security audits, and effective incident response plans.
The aftermath of the CDK incident has shown the extensive impact on business operations, sales, and customer trust. The reliance on digital systems, while offering efficiency and convenience, also necessitates a proactive approach to cybersecurity. By learning from this event and implementing the recommended strategies, the automotive industry can better protect itself against similar attacks, ensuring resilience and continuity in the face of cyberthreats.