How Legacy Software Creates Vulnerabilities and Need for Innovative Cloud Solutions

July 8, 2024 - Written by Yousif Memon

I. Introduction

Whether you’re getting in your car and turning a key or pushing to start, we’re all expecting the same thing. Reliability. Our days aren’t planned around breakdowns, so why should our dealerships?

The recent CDK outages highlighted one of the biggest vulnerabilities that come with legacy SaaS software. CDK Global, a leading provider of dealership software that powers over 35% of the DMS market, experienced a series of cyberattacks that exposed outdated systems and inconsistent security practices. These are risks we associate with deferred maintenance, something inherent to legacy systems and large corporations and the source of CDK’s outage.

At the time of writing, multiple dealers report that, although CDK says it was back online by July 4th, 2024, multiple integrations are still non-functional, even within the CDK ecosystem.

The following article covers the CDK outage timeline, the root causes, and a proposed solution.

II. Summary

DMS, or Dealer Management Software, digitizes many, if not all, day-to-day dealership activities. A DMS typically comes with a set of integrations, allowing additional functions ranging from payroll to managing a service center. When a DMS provider goes down, dealerships lose all automation and must switch to paper processes for all affected departments.

When: The initial cyberattack occurred on June 18, 2024, with a second attack following on June 19, 2024, leaving dealers locked out of CDK. The company estimated that all dealers would be able to use the Dealer Management Service by late July 3, 2024. The several products that make up the CDK ecosystem, including integrations, remain unavailable at the time of writing.

Who was affected: 15,000 dealerships using CDK Global SaaS software.

What occurred & how: Hackers exploited vulnerabilities in CDK Global’s IT infrastructure to gain access to sensitive information. The information was encrypted and held for ransom. To prevent the spread of the hack, CDK shut down all of its systems, causing significant operational disruptions.

Root Causes: The attackers, identified by Bloomberg as the BlackSuit hacker group (identified by Trend Micro as a spin-off of the Royal Ransomware group), use several types of attacks to gain access to sensitive information.

Deferred Maintenance and Outdated Systems:

A lack of corporate upkeep, what we call deferred maintenance, led to outdated software, too-easily accessible sensitive data, and undertrained staff, creating exploitable vulnerabilities.

In a report, CISA, the Cybersecurity and Infrastructure Security Agency, recommends that all software manufacturers implement “secure-by-design and -default principles and tactics” into their development style to prevent ransomware attacks.

Phishing Attacks:

In the same report, CISA saw phishing attacks playing the number one role in ransomware incidents. 66.7% of cases involved gaining access to victim networks from phishing emails, highlighting a lapse in the human layer of security. It’s believed the hackers gained initial access, for both attacks, from phishing emails.

The second wave of phishing attacks impacted dealers directly, as attackers used phishing emails and phone calls to gain unauthorized access to dealership networks. Attackers posed as CDK support representatives, exploiting the chaos to gain access to information stored on dealership networks.

Inconsistent Security Practices:

The company's inconsistent security measures, most notably irregular audits, weakened overall security.

III. The Breach

On June 18, 2024, CDK Global, a major provider of dealership software, experienced a significant ransomware attack. Hackers exploited vulnerabilities in CDK's IT infrastructure, leading to the encryption of critical systems and a demand for ransom to restore access. This initial attack caused widespread operational disruptions, preventing thousands of car dealerships from processing sales, servicing vehicles, and managing inventory effectively.

Just as CDK Global was beginning to process the initial attack, a secondary breach happened on June 19, 2024. This secondary attack further disrupted recovery efforts and exposed additional weaknesses in CDK Global's incident response and recovery plans. The secondary breach highlighted potential flaws in their ability to manage and mitigate ongoing cyber threats effectively.

Following these breaches, cyberattackers launched phishing attacks targeting CDK Global’s customers. These attackers posed as CDK support representatives, attempting to gain unauthorized access to systems by exploiting the chaos caused by the initial and secondary breaches. Customers received phone calls and emails from threat actors impersonating CDK associates, trying to deceive them into providing sensitive information or system access. This tactic is a common follow-up to high-profile cyber incidents, where attackers exploit the disrupted communication channels to further infiltrate systems.

IV. Consequences of the Breach

The cyberattacks on CDK Global in June 2024 had significant real-world impacts, affecting both operational efficiency and financial performance across thousands of car dealerships in North America.

Operational Disruptions: The attacks forced CDK Global to shut down most of its systems, which impacted over 15,000 car dealerships. This resulted in dealerships being unable to access critical applications for sales, financing, and service operations. Many dealerships had to resort to manual processes, such as handling sales and service transactions with pen and paper, which significantly slowed down their operations and led to customer dissatisfaction.

Financial Losses: The financial impact of the cyberattacks was substantial. It was reported that the disruptions led to millions of dollars in delayed transactions. Tom Maoli, President and CEO of Celebrity Motor Car, highlighted that the financial backlog across the country due to the attack could be in the billions of dollars. The attack is projected to have reduced auto dealership sales in June by around 100,000 vehicles, or over 7%, compared to June 2023.

Decline in Customer Satisfaction: The operational disruptions and slower transaction processes led to a decline in customer satisfaction. Dealerships faced significant delays in servicing vehicles and processing sales, which frustrated customers and eroded trust. This decline in service quality and speed during one of the busiest times of the year for dealerships was particularly damaging.

V. Deferred Maintenance and Legacy Systems: The Root Cause

The cyberattacks on CDK Global in June 2024 exposed significant vulnerabilities within the company’s IT infrastructure. The root causes of these vulnerabilities were primarily deferred maintenance, reliance on legacy systems, issues related to their always-on VPN configuration, and the complications arising from the acquisition of various startups and companies. Understanding these factors is essential for preventing similar incidents in the future.

Legacy Systems & Impact of Acquisitions

CDK Global relied heavily on legacy systems that lacked modern security features. Legacy systems are often more difficult to integrate with current technologies and do not support the latest security protocols. This reliance on outdated technology further weakened CDK Global’s defenses, making it easier for cybercriminals to breach their systems. The company's infrastructure did not keep pace with evolving cybersecurity threats, creating significant vulnerabilities that attackers could exploit.

CDK Global’s acquisition of various startups and companies also played a role. Integrating new acquisitions often introduces complexities, especially when the acquired companies use different technologies. These integrations can strain existing IT resources and delay necessary updates, security patches, and team training, further exacerbating the vulnerabilities. The diverse and sometimes incompatible IT environments resulting from these acquisitions made it challenging to maintain consistent security standards across the organization.

Always-On VPN Vulnerability

The always-on VPN configuration at CDK Global, intended to provide continuous secure access to their network, inadvertently became a critical vulnerability during the cyberattacks. Always-on VPNs maintain a persistent connection between a user’s device and the corporate network, which can be exploited if there are any vulnerabilities or lapses in the VPN software or network. CDK recommended that all customers disconnect from the VPN to prevent potential spread of the cyberattack.

VI. The Case for Pacer: A Cloud-Based Solution

The cyberattacks on CDK Global have highlighted the urgent need for future-proof cybersecurity measures, proactive IT maintenance, and modernized systems. Pacer’s cloud-based dealership management solution is specifically designed to address these critical vulnerabilities and provide a secure, efficient, and resilient platform for dealerships. Here’s how Pacer addresses the issues exposed by the CDK Global cyberattacks:

Proactive IT Maintenance and Regular Updates

Pacer’s cloud-based platform ensures that all systems are continuously updated with the latest security patches and software updates. This automatic maintenance eliminates the risk associated with deferred maintenance and unpatched vulnerabilities. By ensuring that systems are always up-to-date, Pacer provides continuous protection against emerging threats and reduces the risk of cyberattacks.

Modernized Systems and Legacy System Replacement

Pacer’s solution offers advanced compatibility and integration capabilities, allowing dealerships to move away from outdated legacy systems, enhancing both security and operational efficiency. This reduces the vulnerabilities associated with legacy systems and ensures that dealerships can leverage the most current and secure technologies available. The consistent updates and maintenance provided by Pacer ensure that all systems remain secure and efficient, addressing the issues of deferred maintenance and legacy systems.

Enhanced Security Measures Against Phishing Attacks

To combat phishing attacks, Pacer incorporates a secure-by-design development philosophy from the ground up. We own the product in its entirety, which means we get to make good choices from the beginning. The platform itself uses multi-factor authentication (MFA), and can be paired with Dune’s AI-driven threat detection to identify and block phishing attempts before they can cause harm. More on that in the next section.

Centralized Security Management

Pacer’s cloud-based solution offers centralized security management, enabling consistent and comprehensive security policies across the entire organization. This centralized approach reduces the complexity of managing multiple, disparate systems and ensures uniform protection standards. Centralized management also facilitates regular security audits and compliance with industry standards, further strengthening the organization’s security posture.

Robust Data Protection and Disaster Recovery

Pacer implements stringent data protection measures, including encryption, secure backup, and disaster recovery solutions. These measures ensure that data remains secure and accessible even in the event of a cyberattack or system failure. Regular backups and robust disaster recovery plans allow for quick restoration of operations, minimizing downtime and financial loss.

VII. Pacer is Partnering with Dune Security: Enhancing Our Cloud Solution

In light of the CDK Global breach, our team decided that digital trust and security was now the number one priority as we scale. By partnering with Dune Security, we are able to effectively quantify employee risk using comprehensive input source data. Dune’s AI-powered platform automatically remediates identified risks through user-adaptive training and intervention, ensuring that our employees receive personalized and timely security awareness education. For our highest-risk users, Dune seamlessly integrates with our existing systems to dynamically implement enhanced security controls, providing an additional layer of protection. This collaboration not only enhances our cybersecurity posture but also fosters a culture of continuous learning and vigilance among our workforce. Through this proactive approach, we are transforming potential vulnerabilities into strengths, significantly reducing our overall risk and safeguarding our organization from sophisticated social engineering threats.

VIII. Introducing Pacer's All-In-One Dealership Solution

In the wake of the CDK Global cyberattacks, the need for a secure, efficient, and resilient dealership management solution has never been more critical. Pacer’s all-in-one cloud-based platform addresses these challenges head-on, offering an integrated solution that enhances security, streamlines operations, and ensures business continuity.

Streamlined Operations

Pacer’s all-in-one platform simplifies dealership management by integrating common functionalities into a single, simple system. From sales and financing to home delivery, Pacer provides a seamless experience that enhances operational efficiency by reducing the complexity of running a dealership.

Pacer is Digital Safety for Dealers

To safeguard dealerships who may have suffered from the CDK hack, we can leverage Pacer’s existing capabilities and expand with additional security-focused features. Here’s how:

  • Secure Fund Transfers and Escrow

    • Pacer already offers secure fund transfers and payment escrow services, ensuring that payments are protected against fraud and mismanagement. These services add a layer of security to financial transactions, safeguarding dealership funds.

  • Digital Document Management

    • Pacer’s ability to digitize documents and provide secure, easy-to-access records helps dealerships maintain the integrity and security of their paperwork. This digital transformation ensures that sensitive documents are protected against unauthorized access and tampering.

  • Identity Verification and Risk Scoring

    • Implementing fast ID verification, bank balance checks, and risk scoring ensures that only verified individuals can access sensitive dealership systems and data. These measures prevent unauthorized access and enhance overall security.

  • eNotary Services

    • The use of eNotary services secures the signing process, ensuring documents are authenticated and tamper-proof. This feature adds another layer of security to document management and transactions.

  • Modular Integration

    • Pacer’s platform is designed to integrate seamlessly with existing dealer management systems (DMS) and other tools, ensuring a smooth transition and minimizing disruption to dealership operations. This flexibility ensures that dealerships can adopt Pacer’s solutions without operational hiccups.

  • Enhanced Cybersecurity Measures

    • Two-Factor Authentication (2FA): Implementing 2FA for all dealership staff accessing the system will prevent unauthorized access.

    • Regular Security Audits: Periodic security audits identify and fix vulnerabilities in dealership systems.

  • Incident Response and Recovery

    • Data Backup and Recovery Solutions: Dealership data is backed up regularly and can be quickly restored in case of a breach.

    • Incident Response Team: Access to a dedicated team that can assist dealerships in responding to security incidents swiftly.

  • Employee Training Programs

    • Cybersecurity Training with Dune: Offering regular training sessions for dealership employees to recognize phishing attempts, malware, and other cyber threats. Dune also provides resources and guidelines for dealerships to follow best practices in cybersecurity.

  • Advanced Fraud Detection

    • Machine Learning: Detects unusual patterns and behaviors that may indicate fraudulent activities.

    • Real-Time Alerts: Alerts to notify dealerships of any suspicious activities on their network or systems.

By leveraging Pacer’s existing capabilities and expanding with Dune’s additional security-focused features, we can ensure that dealerships are well-protected against current and future cyber threats.

IX. Conclusion

The recent cyberattacks on CDK Global highlight the need for a modern, secure dealership solution. By transitioning to Pacer’s cloud-based platform, enhanced by Dune Security’s expertise, dealerships can mitigate risks and ensure operational continuity.

We encourage dealerships to consider transitioning to modern, cloud-based systems that offer robust security, improved efficiency, and comprehensive data protection. Pacer’s all-in-one solution, enhanced by Dune Security, is the optimal choice for forward-thinking dealerships.


For more information, please use the Contact Us form on our website, or message the author on LinkedIn.