# NSBCS.031 - Cyberattack on CDK Global: A Dual Blow
As of Wednesday, June 19, 2024, CDK Global had experienced two significant cyberattacks within a few days, forcing it to take its systems offline twice, and had received a ransom demand believed to be in the millions. CDK Global, a major provider of software used by thousands of car dealerships in North America, was forced to shut down its systems, resulting in a substantial outage for its dealership customers.
The cyberattacks are suspected to have been orchestrated by the BlackSuit ransomware gang, known for targeting sectors such as IT, healthcare, government, education, and retail. In 2023, BlackSuit notably targeted a series of schools in North America and a zoo in Tampa Bay. The group has strong ties to the Royal ransomware group, which evolved from the notorious Conti group.
Reports indicate that CDK Global was in ransom payment negotiations with BlackSuit to obtain a decryptor and prevent data leakage. The system outages caused by these attacks severely impacted the dealerships relying on CDK Global’s software for sales, financing, inventory, service, and back-office functions, forcing them to revert to manual processes to maintain operations while CDK Global worked on restoring its systems.
Important Takeaways
Managing cyber incidents within your supply chain can be particularly challenging, especially when your customers are impacted as a result. You are often at the mercy of your critical supplier who is experiencing the cyberattack.
A few supply chain-related takeaways from this incident:
Business Continuity Planning: What are your alternatives if a critical system goes down? Are there any alternative systems or manual processes you can quickly resort to in the absence of such a system? Consider including this in your next business continuity and disaster recovery tabletop exercise.
Incident Response Planning / Supply Chain Risk Management: What arrangements do you have in place to ensure you are notified by your third parties when they experience a cyber incident? Have you previously identified, assessed, and implemented controls in response to the cyber risk of your critical third parties?
Additional recommendations:
Communication Protocols: Establish clear communication protocols with your third parties to ensure timely updates and transparency during cyber incidents.
Regular Audits and Assessments: Conduct regular audits and risk assessments of your third-party vendors to ensure their cybersecurity measures meet your standards and can mitigate potential risks.
Training and Awareness: Provide ongoing training and awareness programs for your employees and third-party partners on recognising and responding to cyber threats effectively.
For info on NSB Cyber’s Cyber Response & Recovery or Threat Intelligence capabilities, or to book a meeting with our team, click here.
What we read this week
Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware - Chinese and North Korean hackers have been targeting global infrastructure with ransomware attacks from 2021 to 2023. The groups, including ChamelGang, have been linked to attacks on government entities and critical infrastructure, using ransomware to disrupt operations and cover their tracks. These attacks have targeted various sectors, with notable incidents involving the All India Institute of Medical Sciences and the Presidency of Brazil. The trend highlights the growing use of ransomware by state-sponsored actors for both financial gain and cyber espionage.
Rafel RAT targets outdated Android phones in ransomware attacks - The Rafel RAT malware is targeting outdated Android devices with ransomware attacks, primarily affecting versions 11 and older that no longer receive security updates. Cybercriminals use various methods, including fake apps mimicking popular brands, to distribute the malware, which can encrypt files, lock screens, and leak sensitive information. Researchers detected over 120 campaigns using Rafel RAT, with threat actors from Iran, Pakistan, and known groups like APT-C-35 involved. Victims are advised to avoid downloading APKs from untrusted sources and to keep their devices updated.
Threat Actor May Have Accessed Sensitive Info on CISA Chemical App - A recent cyberattack targeted the Cybersecurity and Infrastructure Security Agency's (CISA) Chemical Security Assessment Tool (CSAT), exploiting vulnerabilities in Ivanti's Connect Secure appliance. Although there is no evidence of data exfiltration, the attack potentially exposed sensitive information from Top-Screen surveys and Security Vulnerability Assessments related to chemical facilities. The malicious actor installed a webshell on the Ivanti device, allowing repeated access over a two-day period. CISA has advised all affected facilities to notify individuals whose information was submitted for vetting and recommends password resets to prevent further breaches. The agency has also taken immediate action by isolating the affected system and conducting a thorough forensic investigation.
Plugins on WordPress.org backdoored in supply chain attack - A supply chain attack has compromised the source code of at least five WordPress plugins hosted on WordPress.org. The malicious modifications included PHP scripts that created new admin accounts and injected SEO spam into websites. The affected plugins, installed on over 35,000 websites, have since been patched following discovery by the Wordfence Threat Intelligence team. Website owners using these plugins are advised to treat their installations as compromised and conduct thorough security checks.
ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor - The ExCobalt cyber gang has launched a series of sophisticated attacks against Russian sectors using a new Golang-based backdoor called GoRed. This group, with ties to the notorious Cobalt Gang, has targeted various industries, including government, IT, and telecommunications, over the past year. Their attacks often involve supply chain compromises and the use of advanced tools like Metasploit and Mimikatz. GoRed enables comprehensive control over infected systems, including executing commands and harvesting data, demonstrating ExCobalt's high level of sophistication and adaptability.
References
https://thehackernews.com/2024/06/chinese-and-n-korean-hackers-target.html
https://www.bleepingcomputer.com/news/security/rafel-rat-targets-outdated-android-phones-in-ransomware-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/threat-actor-may-have-accessed-sensitive-info-on-cisa-chemical-app
https://www.bleepingcomputer.com/news/security/plugins-on-wordpressorg-backdoored-in-supply-chain-attack/
https://thehackernews.com/2024/06/excobalt-cyber-gang-targets-russian.html