After 2 hacks, CDK Global warns customers of social-engineering attacks

After experiencing two cyberattacks this week in which it had to take down its customer support lines and shut down most of its systems, CDK Global posted a voicemail advising that threat actors are contacting CDK customers and business partners posing as members or affiliates of CDK.

The CDK Global voicemail (855-356-3270) said the threat actors are engaging in follow-up social engineering to obtain system access and underscored the need for vigilance among its 15,000 auto dealership customers.

“Please reiterate to your employees the importance of being alert to phishing and take the necessary preventative precautions,” said the CDK voicemail. “Engage with known or validated CDK associates and do not provide sensitive information such as passwords or provide system access under any circumstances.”

Attack on CDK Global has shades of Change Healthcare breach

The dual attacks on CDK this past Tuesday and Wednesday have had results similar to the Change Healthcare incident in the medical sector earlier this year, in that the auto dealership industry is heavily dependent on a single third-party SaaS company, CDK, to manage its sales, payroll, and general office operations. There were many reports this week of CDK dealership customers being unable to access systems and resorting to paper-based processes.

“The cyberattack on CDK Global illustrates the chain reaction that successful attacks have on businesses, third parties, and customers,” said Jamie Moles, senior technical manager at ExtraHop. “Customers experience heightened risk when third-party vendors have expansive privileges to their operational environments. Unfettered access leaves a clear pathway for attacks to have ripple effects across customer network environments, exposing their sensitive information and possibly impacting their daily operations.”

Patrick Tiquet, vice president, security and architecture at Keeper Security, added that in today’s environment, organizations and IT teams must prepare for multiple attacks, not just a single breach. Tiquet said taking systems offline as soon as a threat gets detected is a crucial first step in containment, but it’s insufficient on its own.

“Continued investigation and remediation efforts are required for CDK Global to understand and address the full impact of the breaches they have suffered,” said Tiquet. “The second attack occurring shortly after the first at CDK Global suggests a multiphase attack strategy, with attackers potentially leaving backdoors for re-entry. Unauthorized access through one entry point can lead to lateral movement, further compromising the network.”

Guy Rosenthal, vice president, product at DoControl, said the CDK Global attack highlights a critical aspect of modern cybersecurity: the potential for follow-up social-engineering tactics. Rosenthal said threat actors frequently exploit the chaos following a breach to further their agenda, often by posing as support representatives to access even more sensitive information.

“Security teams should be proactive in training their personnel and customers to recognize these tactics,” said Rosenthal. “Emphasize the importance of verifying the identity of any support personnel, especially during and after a breach. Encourage them to use known and trusted communication channels and to be suspicious of unsolicited contact.”

Rosenthal added that while specifics are sparse about the nature of the breach, the pattern of events suggests a targeted attack.

“Multiple incidents close together are characteristic of threat actors trying to maximize impact and ransom or data extortion pressure,” said Rosenthal.
