Last week in our story about automobile manufacturers fearing cybercrime, we mentioned an ongoing cybersecurity incident at CDK Global, a software-as-a-service (SaaS) company that provides financing, payroll, service and other operational functions for over 15,000 car dealerships.
Late Saturday afternoon, more details emerged that show just how bad things got for CDK.
A brief summary of events to-date, according to BleepingComputer:
- Tuesday, June 18 – CDK becomes aware of a security breach.
- Wednesday, June 19 - – CDK shuts down its data centers, IT system, login systems, the whole shebang, to buy time for impact assessment, begins restoring its systems and gets hacked again.
- Friday, June 21 – CDK warns that bad actors are masquerading as company employees and calling customers.
Then, on Saturday, BleepingComputer reported that CDK entered negotiations with the BlackSuit ransomware gang, likely a conglomerate of hackers from Eastern Europe and Russia, to decrypt CDK’s data and prevent it from leaking.
On Monday, the Associated Press reported that the CDK hack affected dealers for Stellantis, Ford and BMW. Stellantis specifically told AP that some of its dealerships had reverted to pen-and-paper record-keeping to keep sales going. Ford and Lincoln customers had to access sales and service support through “alternative routes.” Penske Automotive Group reported to BleepingComputer that its Premier Truck Group business suffered disruptions.
Best Guesses for Data Breach Perpetrators
Pieter Arntz, malware analyst at Malwarebytes, suspects CDK needed more time to analyze the initial breach before taking further action.
“The most interesting point about the attack on CDK Global is that it was hit a second time while still recovering from the first attack. If I had to guess how it happened, my thought would be that CDK restored systems too quickly. Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time. Restoring systems from, say, a week ago is often not far enough. But again, this is guesswork, and we’ll learn more in the coming weeks,” Arntz says.
Andy Thompson, offensive cybersecurity research evangelist at CyberArk, wonders whether BlackSuit is the only threat actor involved in the pair of breaches.
“One thought to consider is if there were multiple threat actors involved, which is often the case. We saw this play out in the RNC hack back in 2020, where multiple nation-state threat actors (from the same country) were embedded in the RNC networks, unbeknownst to each other! If that was the case here, there often comes a time when one threat actor strikes first and forces the hand of the other to either execute their own end-game or bow out empty-handed. This potentially sounds like one of those situations. Rather than leaving empty-handed, a second attack could have been executed by the remaining threat actor,” Thompson says.
Dror Liwer, co-founder of cybersecurity company Coro, suggests how the breach might have happened in the first place.
“Within the 3,400 car dealerships Coro defends, in the last 12 months, more than 62 million phishing attempts were thwarted. That’s an average of 16 attempts per month per employee,” Liwer says.
In other words, maybe our take on the Verizon DBIR report is depressingly accurate.
