
Should CDK Pay the Cyber Ransom?

May 16, 2023
CDK is yet another victim of the cyber ransomware attacks. What are these attacks and what can CDK do? If you are not prepared (i.e. having your entire system backed up on unconnected servers and physical copies in a safe, so that you can completely wipe all of your computers clean, essentially putting them into the state they were in when they were bought, and then load your backup), then you have no choice but to pay the ransom.

What is a ransomware attack? This is not a high tech attack. These are likely Americans who have purchased Russian-developed ransomware. They call into CDK's help desk and trick the technician into giving them a new user name and password. Once in, they install the ransomware, which quite simply locks all of the files on everyone's computers at CDK. It encrypts the files with PGP encryption. This is the same encryption that Bitcoin uses. It is uncrackable. You have two choices. 1. Wipe your computer clean. 2. Pay the ransom. So far there does seem to be some honor among thieves. MGM refused to pay the ransom and was down for over 10 days, losing over $100 million in revenue. Caesars paid $15 million right away and experienced no loss in service.

As a dealer, what can you do? First, any dealer group should use a two-party system whenever resetting passwords. Ensure the caller is accompanied by a second caller with a working user name and password. Second, you need to have everything physically backed up on a hard drive that is not physically connected to anything. It should be backed up daily. This way, if this does happen to you (the risk is now mitigated but can never be eliminated), you will have no reservations about completely wiping all of the computers and reinstalling from yesterday's backup.
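The "two party" password-reset rule in the post above is easy to state and easy to skip under help-desk pressure, so here it is as enforced logic. This is an added example, not CDK's code or anything from the post: the technician's workstation refuses to mint a credential unless the caller was verified by a callback to the phone number already on file (within an assumed freshness window) and a different employee with a verified live login vouches for them; the credential that comes out is random, temporary, single-use and forces a change. The employee names, phone numbers and policy windows are constructed assumptions.

```python
"""Dual-control password reset for a help desk.

Added example, not CDK's code or code from the forum post. It enforces the
"two party" rule in software: a technician cannot hand out a new credential
on the strength of one phone call. A reset goes through only if (1) the caller
is verified by a callback to the number already on file, made within an assumed
freshness window, and (2) a different employee with a working, live login
vouches for them. Employees, numbers and windows are constructed assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

CALLBACK_WINDOW_SECONDS = 15 * 60       # assumed policy: callback must be this fresh
TEMP_CREDENTIAL_TTL_SECONDS = 60 * 60   # assumed policy: temp credential lifetime


@dataclass
class Employee:
    username: str
    phone_on_file: str              # technician dials this back; never a caller-supplied number
    active_session: bool = False    # currently logged in with a working credential


@dataclass
class ResetRequest:
    requester: str                  # account the caller claims to own
    callback_number: str            # number the technician actually called back
    callback_time: float            # when that callback completed
    voucher: str                    # second employee vouching for the caller
    voucher_session_verified: bool  # technician confirmed the voucher's live login


@dataclass
class TempCredential:
    username: str
    password: str
    expires_at: float
    must_change: bool = True
    used: bool = False


class ResetPolicyError(Exception):
    """Raised when a reset request fails one of the two-party checks."""


class HelpDesk:
    def __init__(self, directory: dict[str, Employee]) -> None:
        self.directory = directory
        self.audit_log: list[str] = []

    def issue_temp_credential(self, req: ResetRequest, now: float) -> TempCredential:
        target = self.directory.get(req.requester)
        if target is None:
            raise ResetPolicyError("unknown account")
        # Check 1: out-of-band callback to the directory number, and recent.
        if req.callback_number != target.phone_on_file:
            raise ResetPolicyError("callback went to a number not on file")
        if now - req.callback_time > CALLBACK_WINDOW_SECONDS:
            raise ResetPolicyError("callback verification is stale")
        # Check 2: a different, known employee with a verified live login vouches.
        voucher = self.directory.get(req.voucher)
        if voucher is None or req.voucher == req.requester:
            raise ResetPolicyError("voucher must be a different known employee")
        if not (voucher.active_session and req.voucher_session_verified):
            raise ResetPolicyError("voucher has no verified working login")
        cred = TempCredential(
            username=target.username,
            password=secrets.token_urlsafe(12),   # random, not technician-chosen
            expires_at=now + TEMP_CREDENTIAL_TTL_SECONDS,
        )
        self.audit_log.append(f"{int(now)} reset {target.username} vouched_by={voucher.username}")
        return cred

    @staticmethod
    def redeem(cred: TempCredential, presented: str, now: float) -> bool:
        """A temp credential works once, before expiry; then a change is forced."""
        if cred.used or now > cred.expires_at:
            return False
        if not secrets.compare_digest(cred.password, presented):
            return False
        cred.used = True
        return True


def reset_allowed(desk: HelpDesk, req: ResetRequest, now: float) -> bool:
    """True if policy permits the reset, False if any two-party check fails."""
    try:
        desk.issue_temp_credential(req, now)
        return True
    except ResetPolicyError:
        return False


def build_directory() -> dict[str, Employee]:
    """Constructed sample directory for the example (not real accounts)."""
    return {
        "jsmith": Employee("jsmith", "+1-555-0100"),
        "mlee": Employee("mlee", "+1-555-0101", active_session=True),
    }


if __name__ == "__main__":
    desk = HelpDesk(build_directory())
    now = time.time()
    cred = desk.issue_temp_credential(ResetRequest("jsmith", "+1-555-0100", now - 60, "mlee", True), now)
    print("issued temp credential for", cred.username)
    # The social-engineering case: caller supplies their own number and no real voucher.
    attacker = ResetRequest("jsmith", "+1-555-0199", now - 60, "jsmith", False)
    print("attacker reset allowed:", reset_allowed(desk, attacker, now))
```

The point of the callback check is that the number comes from the directory, never from the caller; the point of the voucher check is that the second party must be a different account with a live session, so the attacker cannot supply both halves of the "two party" rule on one call. The audit line records who vouched, which is what you will want when reconstructing a help-desk incident afterwards.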
 
Overall I agree with what you are saying, and in many cases having air-gapped backups is a great thing.

But let's play the Fix It Again Tony game.
My door locks stopped working.
Tech fixed them, but didn't check the dome light when unlocking the doors.
Tech fixed the BCM, but didn't check what else might have blown, like my turn signal light.

How does this relate?

Well, we don't know exactly when the issue started because I thought my locks were actually working (beep beep). Even if I pulled the door knob the doors would open. The Tech? Well, he gets a pass the first time because most likely you wouldn't notice, because the bay is bright. The second time, he should have run a full check.

So, in the CDK software case:
All those backups could have been bad for months. The ransomware company was probably busy downloading as much of your data as possible before demanding payment. But yes, a clean install is likely the only option.

To prevent a CDK from happening:
developers should be testing, testing, testing (we have lots of diagnostic tools that can help with currently known flaws and threats).
We have special teams that do Quality Assurance testing (a dealership should consider this as part of their service repairs)
Companies should be investing in tech dept and staying on top of all upcoming updates.
Employee training on social engineering and phishing.
Proper security roles for all employees (as Cox said above - use 2 factor)
 
A tale of two hacking victims...

Caesars
$30 million ransomware demand.
Negotiated it down to $15 million and paid.
The hackers kept their promise, and Caesars suffered minimal downtime.

MGM
Hacked by the same group a week later.
They followed the FBI's advice and refused to pay the requested ransom (amount unknown).
As a result, MGM suffered a $110 million loss during a 10-day shutdown.

A bit of napkin math—assuming a similar-sized ransom could be negotiated: $15 million divided by CDK’s 30,000 dealerships comes out to $500 per dealership.

And CDK just so happens to know some of the best negotiators in the world...car dealers
 
And I agree too. I have heard of bad actors having access to a large company's system and doing nothing for 2 years. That's a crazy long time to wait. But I think #1) That's the longest I've ever heard. #2) If you back up nightly on 30 different hard drives, with the testing you describe above, you should detect them in that time easily and be ready to reset your computers and upload the right backup. Caesars kind of had to do that anyway. They had to pay, back up an infected system, find the ransomware and remove it, and then upload it. That's a lot of pressure. And if your whole company is accounting software, which is what CDK is, then you have to be back up in 4 hours. Put that together with lots of education, the multifactor, and even a buddy system for password resets, and I think it's worth it. My kids' school was hit last month. High school. Pay $2 million or all the kids' transcripts, every class, grade, picture, in school history gone. Of course they paid. But how many more wake-up calls are needed?
 
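The two posts above agree on one thing worth turning into a check: a nightly backup is only useful if it was not already encrypted when it was taken, and nobody inspects the copies until the day they are needed. As an added example, not code from the forum or from CDK, this script compares one night's snapshot against the previous night's hash manifest and flags the usual signs of a ransomware run before anyone restores from it: files rewritten or renamed with near-random (high-entropy) content, files that vanished, and new ransom-note style files. The snapshots are constructed in memory, and the entropy cutoff, mass-change ratio and note keywords are assumptions, not any vendor's detection rules.

```python
"""Audit a nightly backup snapshot before trusting it for a restore.

Added example, not code from the forum posts or from CDK. Compares tonight's
files with last night's SHA-256 manifest and flags the signs of a ransomware
run: files rewritten or renamed with near-random content, files that went
missing, and new ransom-note style files. Snapshots are built in memory;
thresholds and keywords are assumptions.
"""
from __future__ import annotations

import hashlib
import math
import os
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cutoff for "looks like ciphertext"
MASS_CHANGE_RATIO = 0.25  # assumed: this share of files turning to ciphertext in one night is suspicious
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "how_to")  # assumed ransom-note name patterns


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest(snapshot: dict[str, bytes]) -> dict[str, str]:
    """Name -> SHA-256 of content; store this alongside each night's backup."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in snapshot.items()}


def audit_snapshot(previous: dict[str, str], snapshot: dict[str, bytes]) -> dict:
    """Compare tonight's files with last night's manifest and return findings plus a verdict."""
    current = manifest(snapshot)
    # Same name, different hash: content changed since last night.
    rewritten = [n for n in snapshot if n in previous and current[n] != previous[n]]
    # New name that is an old name plus a trailing extension, e.g. sales.csv -> sales.csv.locked.
    renamed = [n for n in snapshot if n not in previous and os.path.splitext(n)[0] in previous]
    # Entropy is checked only on changed or renamed files: a pdf or docx is
    # legitimately high-entropy, but an unchanged one never trips this.
    high_entropy = [n for n in rewritten + renamed if shannon_entropy(snapshot[n]) >= ENTROPY_THRESHOLD]
    ransom_notes = [n for n in snapshot if n not in previous and any(k in n.lower() for k in NOTE_KEYWORDS)]
    missing = [n for n in previous if n not in snapshot]
    share = len(high_entropy) / max(len(previous), 1)
    reject = bool(ransom_notes) or share >= MASS_CHANGE_RATIO
    return {
        "rewritten": rewritten, "renamed": renamed, "high_entropy": high_entropy,
        "ransom_notes": ransom_notes, "missing": missing,
        "verdict": "do_not_restore" if reject else "ok",
    }


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), close to 8 bits/byte."""
    out = bytearray()
    i = seed
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_samples():
    """Constructed snapshots for the example (not real dealer data)."""
    night1 = {
        "sales.csv": b"deal_id,customer,amount\n" + b"1001,acme,25000\n" * 200,
        "service.csv": b"ro_id,vin,labor_hours\n" + b"5001,1HGCM82633A,1.5\n" * 200,
        "notes.txt": b"follow up with customer on Monday\n" * 100,
    }
    clean_night2 = dict(night1)
    clean_night2["notes.txt"] = night1["notes.txt"] + b"called, left voicemail\n"
    bad_night2 = {
        "sales.csv.locked": pseudo_random(8192, seed=1),
        "service.csv.locked": pseudo_random(8192, seed=2),
        "notes.txt": night1["notes.txt"],
        "README_DECRYPT.txt": b"your files are encrypted, contact us to restore them\n",
    }
    return manifest(night1), clean_night2, bad_night2


if __name__ == "__main__":
    prev, clean, bad = build_samples()
    for label, snap in (("clean night", clean), ("after ransomware", bad)):
        r = audit_snapshot(prev, snap)
        print(f"{label}: verdict={r['verdict']} high_entropy={r['high_entropy']} notes={r['ransom_notes']}")
```

Run this against every copy on every drive, not just the newest, and keep the manifests somewhere the backup job cannot overwrite; the first night that flips from "ok" to "do_not_restore" tells you which older copy is the last clean one, which is the question that matters most when you are deciding whether to wipe and rebuild.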
Over the past year, I have been spending a lot of time with my security team.
I have been pen-testing using an outside pentester.
Watching reaction times, how they breach, and what they can do afterward.
Backups are just something to help in case. They are not my solution.

Companies like CDK should have great security. Unfortunately, they don't do independent testing. At my old MSP I thought we did a great job on cyber security. Then I worked with my last security company and thought they did a good job; again I was wrong. Once I started having separate companies test one another I got to see the difference. They would show me the pwned computers while I was watching my EDR console and waiting for my SOC to call or start alerting me. It was eye-opening. 3 hours into the test they called. By this time they had half the computers.

The scale that CDK got hit for is scary. For a company that has cyber security all over its website, it is just checking the boxes like so many. They might have the tools, but if they don't know how to use them they are basically useless.
 
I believe the best way to truly stress a system is a Bug Bounty Program. Yes the cost is high, as is the value. Who better to test a system than the people that have the ability to hack it if they want to. Trust would be a problem for me. If they get in and start poking around, next thing I know they decide that the $1,500 bounty is pretty insignificant compared to what they could probably get me to pay!
 
If you advertise security and I see a link like this:

Code:
https://www.eleadcrm.com/evo2/fresh/login.asp

This part right here: .asp
I don't use ASP or .Net.
I do know that .Net for a while was a decent framework to consider.
.ASP on the other hand ... screams hack me.


Chatgpt help:
.asp was last widely used in 2002.

it also had this to share;

Conclusion:

While classic ASP is not part of the modern .NET framework, it can still run on modern servers alongside ASP.NET applications via IIS. However, due to security, performance, and support considerations, it is generally recommended to migrate legacy ASP applications to ASP.NET or newer technologies within the .NET ecosystem.

I forgot who said that CDK code was something like 14 years old.
That's still 10 years shy of .asp's heyday.
 
So many companies and people for that matter are reactive, not proactive.
You will not catch everything but look now and then with fresh eyes.

Speaking with a colleague, they are at one of the credit bureaus. Their CISO was fresh out of school and didn't know how networking and security worked together. Amazing how these people are running security for major companies.