It's easy to think that your small business is no target for a hacker's attack. But it's also easy to think that major corporations have enough money and expertise available to shore up their defenses. As we can see by the recent cyber attack on CDK Global, orchestrated by the notorious BlackSuit ransomware gang, in reality neither of these things are true. Unfortunately, this iincident underscores the fact that large enterprises, despite their presumably robust security measures, and small businesses, regardless of their perceived anonymity, are equally vulnerable - because neither of these factors are always true!
The BlackSuit ransomware gang is behind CDK Global's massive IT outage, which has disrupted car dealerships across North America. CDK Global, a software-as-a-service (SaaS) provider, operates a platform crucial to the functioning of car dealerships, including sales, financing, inventory, service, and back office functions. The attack forced CDK to shut down its IT systems and data centers to prevent further spread, severely impacting their operations. Despite efforts to restore services, CDK experienced a second cybersecurity incident, leading to another shutdown of all IT systems. This series of attacks has compelled car dealerships to revert to manual operations, significantly hindering their ability to sell cars and provide services. Even major automotive groups like Penske Automotive Group and Sonic Automotive have felt the repercussions, highlighting the widespread impact of this ransomware attack.
In the wake of the attack, CDK Global is negotiating with the ransomware gang to receive a decryptor and to prevent the leak of stolen data. Additionally, CDK has issued warnings about threat actors posing as CDK agents to gain unauthorized access to systems, further complicating the situation for affected dealerships. This attack not only disrupted the operations of numerous car dealerships but also shed light on the evolving tactics of ransomware gangs. The BlackSuit ransomware, believed to be a rebrand of the Royal ransomware, has proven its capability to inflict significant damage. The Royal ransomware, and thus BlackSuit, is linked to the infamous Conti cybercrime syndicate, known for its sophisticated and devastating attacks.
Security Measures and Warnings
In response to the devastating cyber attack, CDK Global and the affected car dealerships have taken significant security measures to mitigate the impact and prevent further damage. One of the immediate actions was the complete shutdown of CDK’s IT systems and data centers to contain the spread of the ransomware. This decisive step was crucial in preventing further infiltration and data loss.
Both Penske Automotive Group and Sonic Automotive disclosed the steps they took in response to the attack. Penske, in particular, reported in an SEC filing that they implemented precautionary containment steps to protect their systems and commenced an ongoing investigation into the incident. They also activated their business continuity response plans, enabling them to continue operations through manual or alternative processes. Similarly, Sonic Automotive revealed in their SEC filing that they experienced disruptions in their dealer management system (DMS) and customer relationship management (CRM) system. However, they managed to keep all dealerships open and operating by utilizing workaround solutions to minimize disruption.
CDK Global has also warned dealerships about threat actors posing as CDK agents or affiliates in an attempt to gain unauthorized access to their systems. This social engineering tactic is a common strategy used by cybercriminals to exploit the chaos following a cyber attack. The warning underscores the importance of vigilance and skepticism, especially during times of crisis.
Background of the BlackSuit Ransomware Gang
The BlackSuit ransomware gang, responsible for the CDK Global attack, emerged in May 2023 and is widely believed to be a rebrand of the Royal ransomware operation. Royal ransomware itself is considered the direct successor of the infamous Conti cybercrime syndicate, which was composed of Russian and Eastern European threat actors known for their sophisticated and highly organized cyber attacks. The evolution from Royal to BlackSuit began in June 2023 when the Royal ransomware operation started testing a new encryptor called BlackSuit. This transition was amidst rumors of a rebranding effort following their attack on the City of Dallas, Texas. Since the rebranding, attacks under the Royal name have ceased, with the perpetrators now operating exclusively under the BlackSuit moniker.
In November 2023, a joint advisory by the FBI and CISA revealed that Royal and BlackSuit share similar tactics and coding overlaps in their encryptors, further solidifying the connection between the two. The advisory also linked the Royal ransomware gang to at least 350 attacks on organizations worldwide since September 2022, with ransom demands exceeding $275 million.
Broader Implications
The cyber attack on CDK Global highlights a crucial reality: both large and small businesses are at risk of cyber attacks. Large enterprises, despite their theoretically robust security measures, can fall victim to sophisticated ransomware operations. Small businesses, on the other hand, cannot rely on anonymity as protection. This incident is a powerful reminder that cyber threats are universal, and every organization is a potential target.
The fact that CDK Global, a significant player in the automotive industry, was brought to its knees demonstrates that no business is too big to be breached. The ripple effect of this attack, which forced dealerships to revert to manual operations and halted car sales and services, underscores the widespread impact such incidents can have. It also highlights the critical dependency businesses have on their IT infrastructure and the severe consequences when these systems are compromised.
Lessons and Recommendations
In light of the CDK Global attack, several key lessons and recommendations emerge for businesses to enhance their cybersecurity posture:
- **Regular Updates and Patches:** Ensure all systems and software are regularly updated and patched to fix vulnerabilities that could be exploited by cybercriminals.
- **Employee Training:** Conduct regular training sessions to educate employees about phishing, social engineering, and other common tactics used by cybercriminals.
- **Backup and Recovery Plans:** Implement comprehensive backup and recovery plans to ensure that data can be restored quickly in the event of an attack. Regularly test these plans to ensure their effectiveness.
- **Advanced Threat Detection:** Utilize advanced threat detection and response solutions to identify and mitigate threats in real-time. This includes deploying tools that can detect anomalies and unusual behavior in the network.
- **Incident Response Plan:** Develop and maintain an incident response plan that outlines the steps to be taken in the event of a cyber attack. Ensure that all employees are familiar with this plan and know their roles and responsibilities.
- **Zero Trust Architecture:** Adopt a zero-trust security model that requires verification for every person and device attempting to access resources on the network. This approach minimizes the risk of unauthorized access.
- **Vendor and Third-Party Risk Management:** Assess and manage the security risks associated with vendors and third-party service providers. Ensure they adhere to robust cybersecurity practices.
Conclusion
The recent ransomware attack on CDK Global should remind us that cyber threats can impact any business, regardless of its size or perceived security. The disruption experienced by car dealerships across North America illustrates the far-reaching consequences of such attacks. As businesses continue to rely on digital infrastructure, the importance of robust cybersecurity measures cannot be overstated.
This incident serves as a wake-up call for all organizations to prioritize cybersecurity. By learning from the CDK Global attack and implementing the recommended measures, businesses can better protect themselves against future threats. Ultimately, the key takeaway is clear: cybersecurity is a shared responsibility, and proactive steps must be taken to safeguard against the ever-evolving landscape of cyber threats.