CDK Global Ransomware Attack Sends Shockwaves Through $1.2 Trillion Auto-Dealer Industry

Fallout from the dual cyberattack that struck automotive IT firm CDK Global in June highlights growing supply-chain risks and the threat of secondary attack campaigns enabled by large vendor data breaches. Days after the debilitating attack, which caused a two-week-long service outage and an estimated $1 billion in collective losses, threat researchers attributed the breach to the BlackSuit ransomware syndicate.

BlackSuit is a nascent Eastern European threat group that first emerged in mid-2023. Experts also say BlackSuit is an offshoot of the RoyalLocker gang, which is one of several spinouts of the now-defunct Conti ransomware group that disbanded in 2022.

Notably, a November 2023 cyber-risk bulletin published by the U.S. Department of Health and Human Services’ Office of Information Security advised that BlackSuit would likely emerge as a “credible threat to the Healthcare and Public Health (HPH) sector.” Beyond healthcare, BlackSuit is known to target the education, information technology (IT), government, retail, and manufacturing industries. One incident response firm said they have observed BlackSuit demanding ransoms as high as $18 million from victims.

On June 21, Bloomberg reported that BlackSuit threat actors had “demanded tens of millions of dollars in ransom” from CDK, citing an anonymous source. As the impact of the CDK breach continues to unfold, this cyberattack has plunged the $1.2 trillion auto-dealership industry into “disarray,” according to JPMorgan analysts.

Background on the CDK Global Ransomware Attack

Bloomberg noted that CDK’s “core product — a suite of software tools referred to as a dealership management system, or DMS — underpins virtually every element of auto retailers’ day-to-day business.” This software-as-a-service (SaaS) product “offers a full suite of applications to handle a car dealership's operation, including sales, back office, financing, inventory, and service and support,” according to Bleeping Computer. CDK is also a category leader in the DMS space, having captured roughly 50% of this enterprise market, according to trade publication Automotive News.

CDK first became aware of the attack on June 18. It led CDK to shut down its systems, which significantly crippled the business operations of some 15,000 auto dealerships that depend on the vendor for their IT needs. Compounding CDK’s woes, the SaaS firm fell victim to a second cyberattack on June 19 as it hurried to restore its systems from the first outage.

As a result of the breach and the lingering follow-on outage, CDK’s customers had to process many of their sales transactions and other business functions manually (with pen and paper) for nearly two weeks, according to media reports. In a lawsuit filed by a group of impacted dealers against CDK, one plaintiff was quoted by CBS News as saying, "customers are coming in, we're selling cars, but we can't book the deals, can't finance the deals or get them to the banks. Which means we cannot fund the cars or pay off the cars."

Additionally, the third-party data and personally identifying information (PII) compromised by BlackSuit enabled threat actors to mobilize a secondary attack campaign on CDK customers. On June 21, SC Media reported that CDK “posted a voicemail advising that threat actors are contacting CDK customers and business partners posing as members or affiliates of CDK.”

The voicemail warned that attackers were “engaging in follow-up social engineering to obtain system access and underscored the need for vigilance among its 15,000 auto dealership customers,” according to SC Media. CDK’s service outage impacted most of its customers for roughly two weeks.

Automotive News reported a CDK announcement from July 2 that said the SaaS provider had restored DMS services to “most of its 15,000 dealership clients in North America,” but also noted that “broader recovery work continues.”

Financial and Legal Impact of the CDK Breach

Highlighting the immediate market impact on CDK, the Bloomberg report noted that the organization’s parent company, “Brookfield Business Partners LP, had its worst trading day since October - plunging 5.7%” on June 20 and extended its decline the following day.

Beyond the hit to its parent company’s share price, CDK now finds itself in the crosshairs of several lawsuits from auto dealerships, their employees and customers, alleging inadequate data security practices and insufficient measures for preventing, detecting, and stopping attacks, CBS News reported.

These lawsuits also reveal the secondary impact on auto-dealer employees who are now prime targets for identity theft and other hyper-targeted frauds because the breach exposed employees’ PII, including “social security numbers, employment history, driver's license info, financial account details and more,” according to CBS News.

BlackSuit ransomware actors can either abuse this PII themselves or sell it to other cybercriminals on the dark web, creating ancillary channels for monetizing breach data. Regardless, the presumed quantity and quality of customer PII exposed in the CDK breach only serves to reinforce the cycle of cybercriminal victimization.

ExtraHop Chief Information Security and Risk Officer Mark Bowling further noted how the pervasiveness of password reuse amplifies the risk of secondary CDK attack chains.

“Everyone reuses passwords, so this could be a cornucopia of data for secondary attacks on automakers, car dealerships, and even wealthy individual customers that might be companies that own and use cars (delivery services, auto rental agencies, etc.),” Bowling said.

Beware of Supply Chain Risk from “Always On” VPN Tunnels

Additionally, a more disruptive supply-chain-attack risk emerges from the reported “always-on VPN” tunnel that dealerships must configure to access CDK’s data centers, according to Bleeping Computer. This arrangement enables auto dealers’ “locally installed applications to access the platform,” reported the news outlet.

Therefore, the dealer-to-CDK VPN link presents the risk that BlackSuit, using human and non-human credentials such as API keys or session IDs compromised in the first breach, could penetrate external networks and unleash downstream ransomware attacks on CDK’s customers.

As noted by Jaime Moles, Senior Manager of Technical Marketing at ExtraHop, in his comments to SC Media, “customers experience heightened risk when third-party vendors have expansive privileges to their operational environments. Unfettered access leaves a clear pathway for attacks to have ripple effects across customer network environments, exposing their sensitive information and possibly impacting their daily operations.”

In a threat landscape marked by the resurgence of ransomware operator “big game hunting” (BGH), BlackSuit’s attack on CDK is a sobering reminder that even mature companies and category leaders must continuously scrutinize the adequacy of their cybersecurity controls.

While the precise attack chain that enabled the CDK breach remains undisclosed, ExtraHop partner CrowdStrike observed a “76% increase in victims named on BGH dedicated leak sites between 2022 and 2023.” Thus, the key takeaway from the CDK breach is that large, high-value organizations need to reevaluate their security postures and their levels of exposure to the sophisticated attack techniques weaponized by threat actors like BlackSuit.