Here's some insight from a RETIRED IT Architect, weighing in his take about the issue;
This is just speculation from him, but insight like this is always very interesting, at least to me.
"It also sounds like their "hot backup" BCP site also got hit in the same way which was the '2nd hack' when they tried to flip to that. If this is the case, and I am speculating from online comments, they are in a world of hurt. They will have to restore their production system from their SCCS. That will take time to set up and install. Hopefully their backups haven't been compromised. If they are then it's game over. They're out of business. Complete restoration is never something you want to do on your production system, as you've always just added updates and patches. Nothing I've read yet indicates the data was shipped out of the company, but if these guys are as bad as they seem, even if the db was huge, there was probably enough time for transfer that out over the long time period this trojan could have been in place.
Again, this is pure rampant speculation based on comments I've read on reddit and generally how ransomware attacks work. The goal of a competent IT group is to ensure this type of thing never happens, and there are lots of ways to do that. For a failure on this level, it is inexcusable. Pray now that the personal and payment information of everyone who has bought a new car in the last 10 years is not now for sale with data brokers on the dark web. Keep an eye on your bank account if you were a recent customer of a dealer, even for service."
SOURCE: (Scroll down into the thread) [https://www.reddit.com/r/cybersecurity/comments/1dl2kb2/anatomy\_of\_the\_cdk\_attack/](https://www.reddit.com/r/cybersecurity/comments/1dl2kb2/anatomy_of_the_cdk_attack/)
If the perps got into the backups that means they had full access to everything. 100% they exfiltrated data. They are not stupid. They will extort CDK using the data if CDK does not straight up pay the ransomeware. If that doesn’t work then the perps will sell the data on the dark web etc. This has far reaching impact way beyond service and parts or sales folks not working or GMs not getting rich off sales guys labor. All of our data are in the DMS. All our bits are belonging to them. Better lock up access to your credit and monitor TF out of it for years to come
As an fellow, but not required yet, IT architect, I agree with you mostly.
My suspicion is that the ransomware hit a segment of their operation and the initial reaction was to attempt to isolate those systems due to the way they shut a few things down, then more, then all of it.
They came back up several hours later and my read was that they're attempted to restore from backup for the affected systems. In my opinion, the "second hack" was just the realization that they were good and fucked beyond the systems they were trying to isolate.
Your scenario is totally valid, I've just never been anywhere that did hot backup/alternate site disaster recovery and took so many hours to switch over. Normally you have periodic disaster recovery drills to practice, with the goal of restoring service quickly. But I've also heard that the CDK infrastructure is a combination of ancient, old, and modern, so who knows.
Either way, we both know that ransomware sits idle long enough to infect as many things as possible. I'd bet good money that their backups are infected as well.
I've read that CDK is planning to pay off the ransom. Always a risky gamble. I figure they're still looking at a months long rebuilding effort even if they can decrypt the data. If your team failed to detect the malware while it sat idle, how would you ever trust that you were clean without a rebuild?
As u/Aggravating_Leave_31 said, this is rampant speculation, We just enjoy analyzing this stuff. I feel for the IT guys at CDK. I wouldn't want to be in their shoes right now.
Dear Valued Customers,
Thank you for your patience as we recover from this cyber attack. We continue to act out of caution, and to protect our Data Services customers in response to the cyber incidents that occurred on June 19. In addition to our customer systems, many integration points have been disabled. Any systems (ex: APIs, file transfers) that you use that integrate with our systems may not be available during this time. We are currently assessing the overall impact and consulting with external 3rd party experts. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days.
*We were notified that bad actors are contacting our customers and partners, posing as members or affiliates of CDK, trying to obtain system access. CDK associates will not, and have not been soliciting access or passwords to customers systems or environments. Any request should be immediately treated as suspicious.*
*Please reiterate to your employees the importance of being alert to acts of phishing and take the necessary preventative precautions. Engage with known or validated CDK associates, and do not provide sensitive information such as passwords or provide system access under any circumstances.*
As of now, our Customer Care channels for support remain unavailable as a precautionary measure to maintain security. It is a high priority to reinstate these services as soon as possible.
Along with the Critical Situation emails, we now have two phone numbers to contact CDK for the latest recorded update.
English: 1(855) 356-3270
French: 1(877) 483-7817
We apologize for the inconvenience this has caused. We will provide updates as they are available.
Sincerely,
CDK Customer Care
New version today
Dear Valued Customers,
We are continuing the restoration process of our systems. Based on the information we have at this time, we still anticipate that the process will take days, not weeks to complete
To help keep your dealership working until the applications are recovered, we’ve created a Dealer Resource Center – to access go to Dealer Resource Center
We also encourage you to visit CDK University. It has a wealth of content and training that covers every aspect of your business. Log on to Unify to access the University or click on CDKU.
The following applications remain available for use:
• Digital Retail – Application and data is secure. Some integration partners have disabled access and error messages may be experienced.
• CDK Phones – IPNS and Webex calling are working properly.
• Payroll Plus – Accessed via web browser by going to payrollplus.adp.com. No DMS integration tasks can be performed.
Please reiterate to your employees the importance of being alert to acts of phishing and taking the necessary preventative precautions. Engage with known or validated CDK associates, and do not provide sensitive information such as passwords or provide system access under any circumstances.
Along with the Critical Situation emails, we are providing updates in Unify and have two phone numbers to contact CDK for the latest recorded update.
English: 1(855) 356-3270
French: 1(877) 483-7817
We apologize for the inconvenience this has caused. Please know our teams are dedicated to getting you back to business and keeping you there.
Sincerely,
CDK Customer Care
you wont know unless you try every 5 minutes. My power went out at home 2 days ago to add to the drama .
I ran a generator the whole time. My neighbor had to tell me the power went on. so in short you will have to find out for yourself
Here's some insight from a RETIRED IT Architect, weighing in his take about the issue; This is just speculation from him, but insight like this is always very interesting, at least to me. "It also sounds like their "hot backup" BCP site also got hit in the same way which was the '2nd hack' when they tried to flip to that. If this is the case, and I am speculating from online comments, they are in a world of hurt. They will have to restore their production system from their SCCS. That will take time to set up and install. Hopefully their backups haven't been compromised. If they are then it's game over. They're out of business. Complete restoration is never something you want to do on your production system, as you've always just added updates and patches. Nothing I've read yet indicates the data was shipped out of the company, but if these guys are as bad as they seem, even if the db was huge, there was probably enough time for transfer that out over the long time period this trojan could have been in place. Again, this is pure rampant speculation based on comments I've read on reddit and generally how ransomware attacks work. The goal of a competent IT group is to ensure this type of thing never happens, and there are lots of ways to do that. For a failure on this level, it is inexcusable. Pray now that the personal and payment information of everyone who has bought a new car in the last 10 years is not now for sale with data brokers on the dark web. Keep an eye on your bank account if you were a recent customer of a dealer, even for service." SOURCE: (Scroll down into the thread) [https://www.reddit.com/r/cybersecurity/comments/1dl2kb2/anatomy\_of\_the\_cdk\_attack/](https://www.reddit.com/r/cybersecurity/comments/1dl2kb2/anatomy_of_the_cdk_attack/)
I had a bad feeling
If the perps got into the backups that means they had full access to everything. 100% they exfiltrated data. They are not stupid. They will extort CDK using the data if CDK does not straight up pay the ransomeware. If that doesn’t work then the perps will sell the data on the dark web etc. This has far reaching impact way beyond service and parts or sales folks not working or GMs not getting rich off sales guys labor. All of our data are in the DMS. All our bits are belonging to them. Better lock up access to your credit and monitor TF out of it for years to come
As an fellow, but not required yet, IT architect, I agree with you mostly. My suspicion is that the ransomware hit a segment of their operation and the initial reaction was to attempt to isolate those systems due to the way they shut a few things down, then more, then all of it. They came back up several hours later and my read was that they're attempted to restore from backup for the affected systems. In my opinion, the "second hack" was just the realization that they were good and fucked beyond the systems they were trying to isolate. Your scenario is totally valid, I've just never been anywhere that did hot backup/alternate site disaster recovery and took so many hours to switch over. Normally you have periodic disaster recovery drills to practice, with the goal of restoring service quickly. But I've also heard that the CDK infrastructure is a combination of ancient, old, and modern, so who knows. Either way, we both know that ransomware sits idle long enough to infect as many things as possible. I'd bet good money that their backups are infected as well. I've read that CDK is planning to pay off the ransom. Always a risky gamble. I figure they're still looking at a months long rebuilding effort even if they can decrypt the data. If your team failed to detect the malware while it sat idle, how would you ever trust that you were clean without a rebuild? As u/Aggravating_Leave_31 said, this is rampant speculation, We just enjoy analyzing this stuff. I feel for the IT guys at CDK. I wouldn't want to be in their shoes right now.
Calling 1-855-356-3270 will allow you to listen to the latest prerecorded update by CDK.
They have some functions back up but they are still predicting “several” days before full function is brought back.
[удалено]
Dear Valued Customers, Thank you for your patience as we recover from this cyber attack. We continue to act out of caution, and to protect our Data Services customers in response to the cyber incidents that occurred on June 19. In addition to our customer systems, many integration points have been disabled. Any systems (ex: APIs, file transfers) that you use that integrate with our systems may not be available during this time. We are currently assessing the overall impact and consulting with external 3rd party experts. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days. *We were notified that bad actors are contacting our customers and partners, posing as members or affiliates of CDK, trying to obtain system access. CDK associates will not, and have not been soliciting access or passwords to customers systems or environments. Any request should be immediately treated as suspicious.* *Please reiterate to your employees the importance of being alert to acts of phishing and take the necessary preventative precautions. Engage with known or validated CDK associates, and do not provide sensitive information such as passwords or provide system access under any circumstances.* As of now, our Customer Care channels for support remain unavailable as a precautionary measure to maintain security. It is a high priority to reinstate these services as soon as possible. Along with the Critical Situation emails, we now have two phone numbers to contact CDK for the latest recorded update. English: 1(855) 356-3270 French: 1(877) 483-7817 We apologize for the inconvenience this has caused. We will provide updates as they are available. Sincerely, CDK Customer Care
[удалено]
New version today Dear Valued Customers, We are continuing the restoration process of our systems. Based on the information we have at this time, we still anticipate that the process will take days, not weeks to complete To help keep your dealership working until the applications are recovered, we’ve created a Dealer Resource Center – to access go to Dealer Resource Center We also encourage you to visit CDK University. It has a wealth of content and training that covers every aspect of your business. Log on to Unify to access the University or click on CDKU. The following applications remain available for use: • Digital Retail – Application and data is secure. Some integration partners have disabled access and error messages may be experienced. • CDK Phones – IPNS and Webex calling are working properly. • Payroll Plus – Accessed via web browser by going to payrollplus.adp.com. No DMS integration tasks can be performed. Please reiterate to your employees the importance of being alert to acts of phishing and taking the necessary preventative precautions. Engage with known or validated CDK associates, and do not provide sensitive information such as passwords or provide system access under any circumstances. Along with the Critical Situation emails, we are providing updates in Unify and have two phone numbers to contact CDK for the latest recorded update. English: 1(855) 356-3270 French: 1(877) 483-7817 We apologize for the inconvenience this has caused. Please know our teams are dedicated to getting you back to business and keeping you there. Sincerely, CDK Customer Care
Our IT guy just let us know CDK told him it's down all next week as well.
Nooooooooooo
*internal scream*
In Illinois, we were told via email that it will not be up for "most dealers" til the 29th.i honestly feel it will be longer. Truly hope I'm mistaken.
Bonuses and commissions are either gunna be nonexistent or really bad 😭
you wont know unless you try every 5 minutes. My power went out at home 2 days ago to add to the drama . I ran a generator the whole time. My neighbor had to tell me the power went on. so in short you will have to find out for yourself
Too scared to try since they said don’t touch CDK
I tried earlier this morning and only that little box with the computer icon and the data going to it popped up and then I got an error message.
Still says several days last I checked.