
June 21, 2024

Scammers leverage recent attacks on car dealership platform, CDK Global


Update June 24, 2024:

According to information provided by anonymous sources to BleepingComputer, the BlackSuit ransomware gang is responsible for the cyberattack on CDK Global that resulted in widespread disruption to car dealership operations worldwide. 

The same sources also indicated that CDK is negotiating with BlackSuit to obtain a decryptor and to prevent the leak of data the group stole during the attack.

Original post:

CDK Global is warning customers that scammers have started exploiting recent attacks on its software as a service (SaaS) platform. The threat actors, pretending to be CDK support agents, have been calling affected customers in an attempt to gain access to their systems.

CDK has advised customers that it is not contacting them to request access to their systems, and that they should not engage with these calls.

On Tuesday, June 18, CDK Global experienced a cyberattack that forced it to shut down its SaaS platform. As a result, the outage impacted thousands of car dealerships using CDK Global to track and order car parts, process new sales, manage inventory, offer financing, and fulfill back-office tasks.

Adding insult to injury, CDK was hit with another cyberattack on Wednesday, June 19, just as it was attempting to recover from the first. CDK had to take its systems offline again, causing further disruption to the operations of car dealerships dealing with the first outage.

Originally, CDK Global advised that it hoped to bring its systems back online by Friday, June 21. Much to the chagrin of car dealerships and those looking to purchase vehicles, CDK later stated it could no longer offer an estimated resolution date and that its systems might not be available for several days.

CDK is working with third-party experts to determine the overall impact of the attacks and restore services as soon as possible.

In addition to the inconvenience these attacks and subsequent outages have caused, some researchers worry that they may lead to further security concerns for CDK customers. This is due to an ‘always-on’ VPN configuration that CDK customers typically use to connect to the company’s data centers to allow locally installed applications to access the platform.

The fear is that the threat actors who compromised CDK could use this ‘always-on’ VPN connection to pivot into the internal systems of CDK’s customers. So far, CDK has not commented on this potential security issue.

Source: Bleeping Computer

Analysis

It’s not uncommon for threat actors to capitalize on major breaches by contacting likely customers of the affected software. Posing as an employee trying to help the customer, the threat actor’s true purpose for the call is to gain unauthorized access.

The method has a higher chance of success since the potential victim may be expecting a call from the provider and is motivated to fix the issue in question.

So far, no major threat group or ransomware actor has publicly taken credit for either attack on CDK. However, it is normal for a group to wait for negotiations to play out before publicly claiming a breach or leaking data, so the absence of a claim says little about who is responsible.

It is feasible that threat actors could use the ‘always-on’ VPN feature to access the networks of CDK customers. Unfortunately, CDK hasn’t shed any light on this potential attack vector nor provided any details on either attack that led to the outages.

Mitigation

Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for potential security concerns in software used by our end users. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of potential vulnerabilities.

Field Effect MDR users were automatically notified if CDK software was detected in their environment. We encourage users to review these AROs as soon as possible. 

Additionally, Field Effect strongly encourages users of the CDK Global SaaS platform to turn off the ‘always-on’ VPN feature until this potential attack vector is officially ruled out as a threat. While the platform remains offline the tunnel provides no functional benefit, so disabling it carries little operational cost. Where a dealership cannot disable it, it should at least restrict the tunnel to connections initiated from the dealership side and review its firewall and VPN logs for any connection initiated from CDK’s address space into the local network.
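The log review suggested above, written out as an added example (this is not Field Effect’s or CDK’s code). It flags connections that were initiated from the provider side of an always-on tunnel toward the local network, and rates the ones aimed at lateral-movement services (SMB, RDP, WinRM, SSH, RPC) highest. Everything specific is assumed, because the page gives none of it: the remote tunnel range 10.200.0.0/16, the dealership LAN 192.168.10.0/24, the one-line-per-connection log format, and the sample log itself, which is constructed for the example.

```python
"""Flag connections initiated from the provider side of an always-on VPN.

Added example, not Field Effect's or CDK's code. Assumptions (not from the
page): the tunnel's remote address range is 10.200.0.0/16, the local LAN is
192.168.10.0/24, and the firewall writes one line per new connection as
'<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ALLOW|DENY>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

REMOTE_VPN_NET = ipaddress.ip_network("10.200.0.0/16")  # assumed provider side
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")      # assumed dealership LAN

# Services a SaaS back-end has no business reaching on a dealership host.
LATERAL_MOVEMENT_PORTS = {
    22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS",
}

# Constructed sample log: normal outbound use of the platform, a reply packet,
# then a burst of inbound connections from a tunnel address to LAN hosts.
SAMPLE_LOG = """\
2024-06-20T09:14:02Z TCP 192.168.10.23:51412 -> 10.200.4.10:443 ALLOW
2024-06-20T09:14:05Z TCP 192.168.10.23:51413 -> 10.200.4.10:8443 ALLOW
2024-06-20T09:15:40Z TCP 10.200.4.10:443 -> 192.168.10.23:51412 ALLOW
2024-06-20T09:22:11Z TCP 10.200.7.55:49876 -> 192.168.10.5:445 ALLOW
2024-06-20T09:22:12Z TCP 10.200.7.55:49877 -> 192.168.10.5:3389 DENY
2024-06-20T09:22:15Z TCP 10.200.7.55:49878 -> 192.168.10.9:8080 ALLOW
2024-06-20T09:30:00Z TCP 192.168.10.40:55000 -> 93.184.216.34:443 ALLOW
""".splitlines()


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str   # known service name, or "tcp/<port>" when unknown
    severity: str  # high / medium / low


def parse_line(line: str) -> Optional[Tuple]:
    """Parse one assumed-format log line; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, action = parts
    try:
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        return (ts, proto, ipaddress.ip_address(sip), int(sport),
                ipaddress.ip_address(dip), int(dport), action)
    except ValueError:
        return None


def find_inbound_over_tunnel(lines: List[str]) -> List[Finding]:
    """Return every connection initiated from REMOTE_VPN_NET into LOCAL_NET.

    The expected direction for a SaaS client is LAN -> provider. Anything that
    starts on the provider side and points at the LAN is what a pivot from a
    compromised provider network would look like, so each such line is reported.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, sip, sport, dip, dport, action = rec
        if sip not in REMOTE_VPN_NET or dip not in LOCAL_NET:
            continue
        # Edge case: a packet-level log also shows the provider's replies to
        # connections the LAN opened. A well-known source port talking to an
        # ephemeral destination port is return traffic, not a new connection.
        if sport < 1024 and dport >= 32768:
            continue
        service = LATERAL_MOVEMENT_PORTS.get(dport)
        if service and action == "ALLOW":
            severity = "high"      # reached a lateral-movement service
        elif service:
            severity = "medium"    # attempted it, but the firewall blocked it
        else:
            severity = "low"       # inbound, but not an obvious pivot target
        findings.append(Finding(ts, str(sip), str(dip), dport,
                                service or f"{proto.lower()}/{dport}", severity))
    return findings


if __name__ == "__main__":
    for f in find_inbound_over_tunnel(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.service})")
```

Run against a real export, the only things to change are the two address ranges and `parse_line`; the direction test and the reply-traffic filter are the point, and they apply to any connection log that records which side opened the connection.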
