CDK Global Breached by BlackSuit Ransomware Group

Photo Courtesy of No-longer-here
It can be found here: https://pixabay.com/illustrations/man-male-person-suit-business-man-163693/
This is an old story in the world of cybersecurity news, but I ended up getting sucked into the finer details of this attack and of the attacker, the BlackSuit ransomware gang, which is purported to have ties to the Royal ransomware group, which in turn descended from the disbanded Conti ransomware group. Sorry for the late post, but I take time to write these up and try not to lean too heavily on AI.
What happened?
On June 19th, the BlackSuit ransomware group compromised a software solution used by car dealerships to streamline operations by allowing managers "to track store profitability, complete deals, monitor employee compensation and inventory levels" [Reuters CDK Global Hack]. The timeline as reported by USA Today is as follows:
- June 19th 2024 - CDK Global takes their systems offline out of an "abundance of caution" to reduce potential impacts.
- June 21st 2024 - Bloomberg reports that a European-based group of hackers is demanding ransom for the attack; later, Reuters reports that the group is BlackSuit.
- June 22nd 2024 - CDK Global begins restoration to its systems and projects it will take several days to recover.
- June 24th 2024 - CDK Global sends out a message to some of its clients stating it will start bringing systems back online to a test group of customers.
- June 28th 2024 - CDK Global begins restoring systems in a phased approach.
- July 1st 2024 - A statement is issued by CDK Global projecting that its systems will be back online as of July 4th.
- July 4th 2024 - This was the projected date for CDK Global to be back online (I do not know anyone who works at an affected auto dealership, so I don't actually know if they are back online).
[USA Today Timeline]
Impacts
This caused outages at multiple large-name automotive dealerships such as Volkswagen and Audi. Other dealerships such as AutoNation, Sonic Automotive, and Lithia Motors also reported disruptions to operations [Reuters CDK Global Hack]. According to its website, CDK Global serves upwards of 15,000 retail locations [USA Today Timeline]. It is not clear whether data was stolen, but according to Reuters "CDK's software is commonly used by dealers to integrate operational aspects such processing sales and transactions."
Lessons Observed
Without technical details of the attack, and looking at it as an outsider, CDK Global did pretty well. They stopped the bleeding as soon as the intrusion was discovered, and it sounds like they did not pay a ransom. However, the fact that BlackSuit ended up demanding a ransom means the systems were already compromised, so take a few points away from the defenders for not detecting it before the damage was done. From the USA Today timeline it looks like they moved quickly to take systems offline and restore the platform, with clear communication about the expected deadlines for restoration of services; however, as of July 7th it's still not clear whether the systems were restored to full working order.
Although this was a supply chain attack, meaning there is an additional layer between the customer whose records may have been leaked or stolen and the organization that was breached, it will be interesting to hear whether customers of dealerships are notified, or whether downstream customers (car owners and those who used affected dealerships) will need to wait for another press release. Note that in my opinion it would be the responsibility of each auto dealership to notify its customers based on a breach notification from CDK Global. It is possible that no data was stolen, but if a threat actor gets far enough to send a ransom note, it's pretty likely that they have already exfiltrated data from those systems. Hopefully they were discovered before all records were exfiltrated, and the deployment of the ransomware was a dead man's trigger after the threat actor was discovered on the systems.
Theories
The worst-case scenario is that financial information was stolen from customers and dealerships, allowing the threat actors to process payments. A step down in severity from that is that information such as transaction records, names and addresses, make/model information of vehicles owned or taken in for service, and contact information may have been stolen. That would give the criminals who buy those records the contact information and relevant details needed for more targeted phishing attacks related to auto loans or vehicle maintenance, and could lead to an increase in fraud and theft as a result of the breach. Another possibility is that only business-to-business information was compromised; businesses, however, have budgets and policies in place to handle information theft and system compromise.
Hopefully these theories are incorrect, because of the toll that fraud and monetary/information-related crimes take on victims, business entities and individuals alike. If you or anyone you know is a victim, I encourage you to:
- Work with your financial institution.
- Report the incident to the FTC at https://www.identitytheft.gov/.
- Report to the Internet Crime Complaint Center at https://www.ic3.gov/.
- Change passwords where applicable.
- Monitor your accounts for suspicious behavior.
Who was behind this particular incident?
BlackSuit is a ransomware group and toolset that has been active since May 2023 and has overlap with the Royal group, which is a direct descendant of the Conti ransomware group [HHS Whitepaper]. The Royal ransomware group filled the black-market gap in 2022 after the Conti ransomware gang was disbanded. BlackSuit takes pages from the Royal ransomware group, which means it is possible that some of those actors ended up shifting or merging into BlackSuit from Royal. They have breached upwards of 95 organizations in the education and industrial sectors [Reuters BlackSuit].
Technical Details
This ransomware uses standard OpenSSL AES encryption to encrypt files, and it enumerates files and directories to encrypt at the file level rather than at the disk level [HHS Whitepaper]. BlackSuit also leaves a distinct ransom note named "README.BlackSuit.txt" [Sentinel One]. There are a number of IOCs in the HHS Whitepaper that I would recommend taking a look at if you are in a position to apply detection rules; if you use a security vendor worth a... measure of salt... they will have started adding these signatures to their detection engines. Although unrelated to the CDK incident, there is another article by Dark Reading that I will include in the sources section below which covers more advanced TTPs used by BlackSuit. Some of these TTPs include Kerberoasting, leveraging PsExec for lateral movement, FTP for exfiltration, brute forcing, and, in the final stage, deploying their custom ransomware.
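As an added defensive example (this is my own illustration, not code from the post's sources or from any vendor), the script below turns two of the observations above into a small triage check: it walks a directory looking for the "README.BlackSuit.txt" ransom note and for files whose byte entropy is near 8 bits/byte, which is what file-level AES encryption leaves behind, and it runs two simple heuristics over Windows event records for the Kerberoasting and PsExec TTPs. The event records are constructed samples; Event IDs 4769 and 7045, ticket encryption type 0x17 (RC4) and the PSEXESVC service name are real Windows indicators, but the entropy threshold, the minimum file size and the "three RC4 requests" count are assumptions chosen for illustration and should be tuned to your own environment.

```python
"""Constructed defensive triage example for the BlackSuit write-up above.
Not from the original post or its cited sources; thresholds are assumptions."""
import math
import os
import random
import tempfile
from collections import Counter

RANSOM_NOTE_NAMES = {"readme.blacksuit.txt"}  # name cited in the post (Sentinel One)
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte; AES ciphertext sits close to 8.0
MIN_SIZE = 256            # assumption: very small files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; about 8.0 for well-encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Return ransom notes and files that look encrypted under the given directory."""
    notes, suspicious = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    blob = fh.read(64 * 1024)  # sample only the first 64 KiB
            except OSError:
                continue
            if len(blob) >= MIN_SIZE and shannon_entropy(blob) >= ENTROPY_THRESHOLD:
                suspicious.append(path)
    return {"ransom_notes": sorted(notes), "high_entropy_files": sorted(suspicious)}


def detect_ttps(events: list) -> list:
    """Flag Kerberoasting-style RC4 TGS requests and PsExec-style service installs."""
    findings = []
    rc4_requests = Counter()
    for ev in events:
        # 4769 = Kerberos service ticket requested; 0x17 = RC4-HMAC ticket encryption
        if ev["id"] == 4769 and ev.get("enc_type") == "0x17":
            rc4_requests[ev["user"]] += 1
        # 7045 = new service installed; PSEXESVC is the service PsExec registers
        if ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
            findings.append(f"PsExec service installed on {ev['host']} by {ev['user']}")
    for user, count in rc4_requests.items():
        if count >= 3:  # assumption: several RC4 tickets from one account is unusual
            findings.append(f"Possible Kerberoasting: {count} RC4 TGS requests by {user}")
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 4769, "user": "svc_backup", "enc_type": "0x17", "host": "DC01"},
    {"id": 4769, "user": "svc_backup", "enc_type": "0x17", "host": "DC01"},
    {"id": 4769, "user": "svc_backup", "enc_type": "0x17", "host": "DC01"},
    {"id": 4769, "user": "jdoe", "enc_type": "0x12", "host": "DC01"},
    {"id": 7045, "user": "svc_backup", "service": "PSEXESVC", "host": "FS02"},
    {"id": 7045, "user": "SYSTEM", "service": "WinDefend", "host": "FS02"},
]


def demo_scan() -> dict:
    """Build a constructed sample tree in a temp dir, scan it, and return basenames."""
    root = tempfile.mkdtemp(prefix="blacksuit_demo_")
    with open(os.path.join(root, "README.BlackSuit.txt"), "w") as fh:
        fh.write("constructed stand-in for a ransom note\n")
    with open(os.path.join(root, "invoice.pdf.enc"), "wb") as fh:
        fh.write(random.Random(7).randbytes(4096))  # stands in for AES ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("plain English text, low entropy " * 40)
    result = scan_tree(root)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo_scan())
    for line in detect_ttps(SAMPLE_EVENTS):
        print(line)
```

Run it as-is and it scans a throwaway directory it builds itself; point scan_tree at a real share to hunt for notes and suspiciously encrypted files, and feed detect_ttps records parsed from your SIEM. Entropy alone will also flag legitimate archives and media, so treat a hit as a lead to be correlated with the ransom note and the event-log findings rather than as proof on its own.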
Sources
All articles last retrieved on 7/6/2024
[Reuters CDK Global Hack] - https://www.reuters.com/technology/cybersecurity/why-hack-cdk-global-is-casting-shadow-us-auto-sales-2024-07-01/
[HHS Whitepaper] - https://www.hhs.gov/sites/default/files/blacksuit-ransomware-analyst-note-tlpclear.pdf
[USA Today Timeline] - https://www.USAToday.com/story/money/2024/07/03/cdk-global-cyberattack-timeline/74292877007/
[Sentinel One] - https://www.sentinelone.com/anthology/blacksuit/
[Reuters BlackSuit] - https://www.reuters.com/technology/cybersecurity/blacksuit-hacker-behind-cdk-global-attack-hitting-us-car-dealers-2024-06-27/
[Dark Reading] - https://www.darkreading.com/cyberattacks-data-breaches/blacksuit-dozens-victims-curated-ransomware
disclaimer: The ideas and statements made in this article are the sole views of Exylum Technical.