Ransomware Attack on CDK Global Cripples US Automotive Dealerships

CDK Global Ransomware Attack

• June 26, 2024

  CDK Global announces that outages will continue through June 30.

• June 24, 2024

  Reuters reports hacking group, BlackSuit, the new rebranding of the Royal Ransomware operation, is behind the cyberattack on CDK Global according to an intelligence analyst at security firm Recorded Future. Royal Ransomware is known to have deep ties to the infamous Conti cybercrime syndicate comprised of Russian and Eastern European threat actors.

• July 21, 2024

  CDK warns that threat actors are calling customers, posing as CDK support agents or affiliates to gain unauthorized systems access.

• July 19, 2024

  CDK Global suffered an additional breach while recovering from the first cyberattack causing the company to shut down its systems again just as it was starting to recover.

• May 2020

  CDK Global, a software vendor in the U.S. that provides applications and services for the automotive industry, becomes aware of a ransomware attack infecting over 15,000 dealer locations across North America. The vendor was forced to take many of its core systems offline.

A cyberattack on a major software provider for the automotive industry has severely disrupted the operations of thousands of car dealerships. CDK Global provides clients in the auto industry a SaaS platform that handles all aspects of a car dealership’s operation, including CRM, financing, payroll, support and service, inventory, and back-office operations. According to its website, CDK serves over 15,000 dealer locations in North America, all of which were impacted by the ransomware infection.

The cyberattack has caused massive outages since June 18, and CNN reported that CDK Global informed some customers their systems could be down for several more days due to setbacks in recovery efforts. Adding to the chaos, CDK was hit by a second attack on June 19 just as it was starting to recover. These disruptions have forced the entire auto dealership industry to revert to paper-based systems to continue operations. Moreover, this attack is causing havoc across the country like the UnitedHealth systems breach. Bloomberg reported that CDK’s parent company, Brookfield Business Partners LP, experienced its most significant single-day trading decline since October, with shares plummeting 5.7%. The impact continues to linger.

On June 24, prominent news sites like Reuters and Bloomberg reported that the attack on CDK Global was orchestrated by the BlackSuit ransomware gang, who have demanded tens of millions of dollars in ransom. Currently, there are no indications on the BlackSuit gang’s Tor site that CDK Global’s data is up for auction or publicly available. This suggests that negotiations between CDK Global and the attackers are ongoing. An attempt to bring the systems online on July 19th failed miserably when CDK was subjected to another cyber incident. DarkReading reported that CDK has not disclosed further details about the second attack beyond stating that it forced the company to shut down most systems and take them offline.

Market research firm Cox Automotive said the impact of the attack could be far less than feared, and that most of the sales would likely bounce back in July. According to filings submitted to the Securities and Exchange Commission (SEC), several companies affected by the attack reported that CDK had informed them it would take several days — but likely weeks — to restore its systems.

Among those impacted were AutoNation, a leading auto retailer in the U.S. Penske, Group 1 Automotive, and Peer Lithia Motors, all of whom said that the outage was disruptive and had adversely impacted is business and ability for buyers to purchase vehicles. These companies rely on CDK’s software for managing various aspects of their dealership operations, including vehicle sales, inventory management, and customer relations.

USA Today reported that an employee of a New York car dealership said operations are almost entirely paralyzed due to the outage. The people who handle all the DMV tasks have already been sent home. They added that dealers don’t have access to their customer database, making it difficult to reach out to potential buyers. Other major dealerships like Village Ford in Dearborn, Michigan said the outage had not dampened sales. CDK Global has not informed dealers of when restoration will fully occur, and in the meantime, affected dealers are conducting most tasks with paper and pen.

Tom Maoli, owner of Celebrity Motor Car Company, which operates five luxury car dealerships across New York and New Jersey, informed CBS MoneyWatch on Monday that all tasks are currently being managed manually by his employees. However, finalizing funding is challenging due to the link between banking operations and CDK.

This cyberattack on CDK Global holds significant importance due to its broad implications across the automotive industry and beyond. CDK’s software underpins critical functions within the automotive sector, contributing to approximately 2.6% of the GDP (i.e. around 500 billion USD). CDK’s software facilitates essential dealership operations, including sales lead generation, customer engagement, trade-ins, auto financing, and vehicle registration. The disruption caused by the attack has forced many dealerships, supported by CDK, to revert to manual processes, impacting their ability to conduct business efficiently.

The widespread adoption of CDK’s software extends to some of the world’s largest automakers, such as General Motors Co., Ford Motor Co., Volkswagen AG, Mercedes-Benz Group AG, and BMW AG, whose dealerships rely heavily on CDK for operational support. The attack has potentially disrupted these automakers’ dealer networks, affecting sales operations, customer interactions, and overall business continuity.

Given the scale and importance of CDK Global operations within the automotive industry and its economic impact, the cyberattack raises concerns not only for the affected companies but also for the broader economy and consumer confidence in U.S. automotive services.

The implications of this attack are far-reaching within the automotive industry. Cox Automotive, responsible for Dealertrack and VinSolutions, halted system integration with CDK as a precautionary step to safeguard client security. There are indications that Cox Automotive itself may have been affected by a ransomware attack, further complicating the disruption across the industry.

The attack disrupted operations at approximately 15,000 automotive dealers nationwide, leading many to revert to paper forms and manual processes for their daily operations. Companies affected by the attack, including Penske, Group 1 Automotive, and Lithia Motors, disclosed in filings with the Securities and Exchange Commission (SEC) that CDK had notified them of the need for several days—though likely weeks—to restore its systems and stopped using CDK global.

According to CNN, the financial fallout from the attack is expected to be prolonged. “The financial impact it will directly have on us will take months to correct if not years,” stated Callahan, a sales manager at a Mazda dealership in Seekonk, Massachusetts. This underscores the extensive and enduring challenges faced by dealerships and industry stakeholders in recovering from such cyber incidents.

These attacks not only jeopardize dealership operations but also expose sensitive customer information, making individuals more vulnerable to identity theft and fraud. Given CDK’s role as a custodian of extensive user data, the potential for such information to be exploited by cybercriminals underscores the urgent need for robust cybersecurity measures across the automotive industry.

Moreover, the challenges CDK faces in effectively responding to these incidents, including reports of impersonation attempts by threat actors to gain authorized access, only serve to highlight gaps in cyber readiness and preparation as well as incident response and security protocols. This situation not only affects CDK but also resonates across the automotive industry, potentially affecting customer trust and industry-wide cybersecurity standards.

In addition to the operational and financial impact, the company is now facing potential lawsuits following the cyber incidents. These legal actions state that the auto software company neglected to safeguard private information and will likely lead to a class-action lawsuit, which has already been filed in the U.S. District Court in the Northern District of Illinois.

Negotiations involving ransom demands in the tens of millions further compound these challenges, diverting CDK financial resources that could otherwise be allocated to enhancing cyber defenses and mitigating future risks. The convergence of legal liabilities and substantial ransom negotiations underscores the urgent need for CDK and similar entities in the automotive industry to fortify their cybersecurity frameworks.

Bleepingcomputer reported that CDK’s systems were infected late on June 18 and the attack caused CDK to take its two data centers offline at approximately 2 a.m. Eastern Time on June 19, which would have been a busy day for dealers due to the Juneteenth national holiday. The company informed its customers that it had experienced a cyber incident and had shut down most of its systems. Bloomberg reported that the BlackSuit ransomware gang was behind the attack on CDK Global. However, there is no information on how they infiltrated CDK Global’s systems.

BlackSuit, which emerged in May 2023, is thought to be a rebranding of the Royal Ransomware operation. Royal Ransomware, and consequently, BlackSuit, is considered the direct heir to the infamous Conti cybercrime syndicate, a well-organized gang of Russian and Eastern European threat actors. In June 2023, the Royal Ransomware operation started evaluating a new encryptor named BlackSuit amidst rumors of a planning rebranding. Following their attack on the City of Dallas, Texas, attack under the royal name vanished, and the threat actors now operate under the BlackSuit moniker.

This group uses multi-pronged extortion tactics, encrypting and exfiltrating victim data, and hosting public data leak sites for those who fail to comply with their demands. BlackSuit can target both Windows and Linux operating systems. It is a private operation with no public affiliates, and its payloads contain many technical similarities to Royal ransomware, such as encryption mechanisms and command-line parameters.

HHS reported that researchers who examined an x64 VMware ESXi version targeting Linux machines identified an “extremely high degree of similarity” between Royal and BlackSuit ransomware, which we now know is simply the same syndicate rebranded. The two are nearly identical, with 98% similarity in functions, 99.5% in blocks, and 98.9% in jumps based on BinDiff, a comparison tool for binary files. A comparison of the Windows artifacts revealed 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. The Linux variant of BlackSuit ransomware is a 64-bit ELF executable compiled with GCC, with a SHA256 hash of 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e. The Linux variants of Royal and BlackSuit share 98% similarity in functions, 99.5% in blocks, and 98.9% in jumps based on BinDiff.

It is speculated that BlackSuit, like its predecessor Royal ransomware, could gain access to a network, communicate with command and control (C2) infrastructure, and download multiple tools. Its operators often repurpose legitimate Windows software to strengthen their foothold within the victim’s network. For instance, ransomware operators have been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH, to communicate with their C2 infrastructure. The FBI observed multiple Qakbot C2s used in ransomware attacks but has yet to determine if these attacks exclusively use Qakbot C2s.

BlackSuit threat actors could have exfiltrated CDK data from the network by repurposing legitimate cyber penetration testing tools such as Cobalt Strike and malware tools and derivatives like Ursnif/Gozi for data aggregation and exfiltration.

BlackSuit appends the “.blacksuit” file extension to the files it encrypts, changes the desktop wallpaper, creates and drops its ransom note (“README.BlackSuit.txt”) into the directory, renames files, and lists its TOR chat site in the ransom note along with a unique ID for each victim. Its operators also set up a data leak site as part of their double extortion strategy to coerce victims into paying the ransom.

Once the ransomware infects a system, it uses the FindFirstFileW() and FindNextFileW() API functions to enumerate files and directories, initiating the encryption process. BlackSuit ransomware uses the Advanced Encryption Standard (AES) algorithm for encryption, specifically leveraging OpenSSL’s AES and similar intermittent encryption techniques for efficient encryption of victim files.

Here are some key facts about BlackSuit ransomware:

1. Encryption Method: BlackSuit uses advanced encryption techniques to lock victims’ files, making it impossible to recover the data without the decryption key.
2. Double Extortion: Like other modern ransomware, BlackSuit employs a double extortion tactic. This means that in addition to encrypting files, the attackers also exfiltrate sensitive data and threaten to release it publicly if the ransom is not paid.
3. Targeted Attacks: BlackSuit has been observed targeting specific industries, including healthcare, finance, and critical infrastructure, where the impact of an attack can force a quick ransom payment.
4. Ransom Demands: The ransom demands associated with BlackSuit can be substantial, often reaching into the hundreds of thousands or even millions of dollars, depending on the size and nature of the targeted organization.
5. Distribution Methods: BlackSuit is typically distributed through phishing emails, malicious attachments, and exploiting vulnerabilities in unpatched software.
6. Impact on Operations: Victims of BlackSuit ransomware often experience significant operational disruptions, including the inability to access critical systems and data, leading to downtime and financial losses.
7. Mitigation and Response: Organizations are advised to implement robust cybersecurity measures, including regular backups, multi-factor authentication, and employee training to mitigate the risk of BlackSuit ransomware attacks.

Bleeping Computer reported that Brad Holton, CEO of Proton Dealership IT, a cybersecurity and IT services firm for car dealerships, told them that the attack caused CDK to take its two data centers offline at approximately 2 AM. Holton explained that CDK software running on devices has administrative privileges used to deploy updates, which could explain why CDK recommends disconnecting from the data centers.

While some users have stated that they can log in with old credentials that were upgraded during CDK’s transition to a modern single-sign-on platform, some of these employees have also expressed concerns that threat actors could use the always-on VPN to pivot into the internal network of car dealerships. An IT professional for one dealership told Bleeping Computer that CDK advised them to disconnect the always-on VPN out of caution, suggesting that this might be part of containment efforts.

While this may seem like a good move, it is worth noting that CDK is still negotiating, and systems are expected to be back online on June 30, which is 11 days after the attack, as reported by Yahoo News.

As the BlackSuit ransomware was responsible for the recent attack, the HHS previously issued an advisory aimed at helping organizations defend against BlackSuit ransomware threats. The advisory outlines a series of recommendations to strengthen cybersecurity measures:

• Maintain an inventory of assets and data.
• Identify and manage authorized and unauthorized devices and software.
• Regularly audit event and incident logs.
• Manage hardware and software configurations effectively.
• Limit administrative privileges and access to necessary personnel only.
• Monitor network ports, protocols, and services for anomalies.
• Establish a whitelist of approved software applications.
• Implement robust measures for data protection, backup, and recovery.
• Enable multi-factor authentication (MFA) for enhanced security.
• Ensure all system layers are protected with up-to-date security solutions.
• Remain vigilant for early signs of potential cyber threats.

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know Your Risk. Contact BreachLock today!