
Global Auto Dealer Management Systems Hacked

An attack on an auto retailers' management platform affected more than 15,000 dealerships, to the tune of $1 billion.


As cars run on gas and electricity, auto retailers run on software. Dealerships come to a sudden stop when critical programs go down. The Dealer Management System (DMS) is an auto retailer’s most vital platform.

“The DMS is almost like the operating system for the dealership’s entire suite of software solutions,” says Peter C. Cassat, automotive industry attorney and a partner at CM Law, a U.S. News-ranked Best Law Firm in Information Technology Law. According to Cassat, the DMS is a critical point of failure for auto retailers because it reaches into every aspect of daily business operations. Like an operating system, it is what every other application depends on; without it, those applications are useless.

According to the Detroit Free Press, a June ransomware attack on CDK Global (CDK), one of the largest DMS providers in North America, cost U.S. dealerships more than $1 billion. A ransomware attack typically encrypts a company’s data and systems so the threat actors can demand payment for the decryption keys; many groups also steal copies of the data first and threaten to publish it if the ransom is not paid.

Several news outlets said the attack forced CDK to shut down its DMS software, affecting 15,000 auto retailers. Without it, dealerships lost access to applications. Without the automation those apps enabled, dealer staff turned to manual processes, including handwritten sales, service, and repair records.

The BlackSuit Ransomware Group

By June 22, news outlets such as BleepingComputer confirmed that the cybercrime group BlackSuit had launched the ransomware attack on CDK, a large Software-as-a-Service (SaaS) vendor of DMS software to auto retailers in the U.S. and Canada. In the SaaS model, the vendor hosts and operates the software in the cloud and customers reach it over the Internet rather than running it on their own servers.

According to a late 2023 Health and Human Services (HHS.gov) cybersecurity analyst note, the BlackSuit ransomware group showed similarities to the Royal [RoyalLocker] ransomware group, which itself succeeded the Russian Conti ransomware group.

According to the National Law Review, BlackSuit’s ransomware is like that of other criminal groups. The BlackSuit group’s leadership has been conducting attacks like this since 2019, likely rebranding each group they led after law enforcement shut down the previous ransomware group, according to the National Law Review article.

CDK Notifications Fall Short

CDK provided limited information about the attack through emails and phone recordings. According to CBS News, CDK emailed its customers on Saturday, June 22, that it had fallen victim to a ransomware event on June 19 that made the DMS unavailable, and that the attackers had demanded a ransom payment. According to multiple news sources, CDK said restoration would take several days, if not weeks.

According to BleepingComputer, CDK set up a phone line with a message for its customers. The message confirmed the attack and that CDK and its partners had disabled customer systems and third-party [applications]. CDK stressed that its customers should not use those apps at that time.

The phone message said threat actors were calling CDK customers and preying on them while they had few support options during the outage. The recording continued that CDK was aware of bad actors contacting customers while posing as members or affiliates of CDK in an attempt to gain unauthorized system access. CDK advised customers not to work with these imposters. CDK brought dealerships back online over time and reported its progress.

However, these reports didn’t provide technical details of the investigation, containment, eradication, and recovery from the attack. “There wasn’t any real transparency [from CDK] about [the attack or remediation]. If CDK were more transparent, we wouldn’t have to worry and wonder,” said Kathi Kruse, automotive retail advisor at Kruse Control Inc.

Vulnerabilities and Attack Scenarios

“I have worked with clients and used CDK myself over the past 30 years. I am currently working with two clients that are on CDK. CDK made cosmetic changes a few years ago, but the User Commands and the core software [underneath] are the same as they were in the 90s (or before),” said Kruse. The CDK DMS was previously the ADP Dealer Services platform; CDK Global was spun off from ADP in 2014.

Windows here refers to window-like graphics in a graphical user interface (GUI), not Microsoft Windows. Previous versions of the CDK DMS used text-based commands. If the software underneath still carries security weaknesses dating back to the 1990s because of a lack of updates, those would only have made matters worse.

The underlying data was most likely in a SQL RDBMS, so once attackers gained access, all the data was probably right there for them in a single location, said Michael Nizich, director of the NSA/DHS CAE Cyber Defense Education Program at the New York Institute of Technology. A SQL relational database management system (RDBMS) is server-hosted software that stores data as records in related tables and is queried with SQL; centralizing all dealer, employee, and customer records in one such database makes it a single high-value target.

A modern cloud approach to software is not always secure, either. “CDK is a fully cloud-based service. However, being cloud-based does not guarantee a true zero-trust security design,” said Nizich. “The fact that the attackers navigated the network after the initial phishing attack, enabling the ransomware attack, shows that the hosted [DMS] platform was still using a perimeter security design instead of validating access to each resource for the compromised users,” said Nizich.

Perimeter security controls access at the network boundary and implicitly trusts whatever is already inside it. Zero-trust security grants no trust based on network location: every access to every resource is authenticated and authorized on its own, and a user is challenged again when their behavior or context (device, location, time, volume of activity) departs from what is expected. Phishing attacks use texts, emails, or phone calls to trick users into taking the cybercriminal’s prescribed actions, such as entering credentials on a fake login page.

According to Nizich, the BlackSuit group was probably inside the CDK systems for a month before the attack, preparing to launch it. “Current public details point to a spear-phishing attack on an employee followed by an escalation of privileges that allowed the attacker to move laterally across the network,” said Nizich.

Spear-phishing attacks target the specific employees in an organization who have the access the attackers need. Once they have that initial foothold, attackers work to escalate privileges, turning one compromised account into administrative control over more accounts, machines, and resources. They then move laterally across the network, from system to system, toward their target.
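As an added illustration, not code from the article, from CDK, or from any of the people quoted, the Python sketch below contrasts the two access models Nizich describes and the lateral-movement pattern just discussed. A perimeter check trusts anything that arrives from the internal address range, while a zero-trust evaluator re-checks entitlement, device posture, MFA freshness, and fan-out across resources on every request, so that a phished user or a stolen admin credential is stopped or challenged even when it is already “inside.” The users, resources, address ranges, thresholds, and access log are all constructed for the example.

```python
"""Per-request access decisions: perimeter model vs. zero-trust model,
evaluated over a constructed log of access attempts."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: int               # seconds since an arbitrary start (constructed)
    user: str
    src_ip: str
    resource: str
    device_compliant: bool
    mfa_age_s: int        # seconds since the user's last MFA challenge


# Assumed entitlements: which resources each identity may reach.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "jdoe": {"mail", "helpdesk-portal"},
    "dba-admin": {"mail", "dms-db", "backup-server", "file-share", "jump-host"},
}

INTERNAL_PREFIX = "10."     # perimeter model: anything from 10.0.0.0/8 is "inside"
MAX_MFA_AGE_S = 8 * 3600    # zero trust: force re-authentication after 8 hours
FANOUT_WINDOW_S = 600       # look-back window for lateral-movement detection
FANOUT_LIMIT = 3            # distinct resources per window before a step-up


def perimeter_decision(ev: AccessEvent) -> str:
    """Castle-and-moat: trust is decided once, by network location only."""
    return "allow" if ev.src_ip.startswith(INTERNAL_PREFIX) else "deny"


class ZeroTrustPolicy:
    """Evaluates entitlement, device posture, MFA freshness and recent
    behaviour on every request, regardless of the source network."""

    def __init__(self) -> None:
        self._history: Dict[str, List[Tuple[int, str]]] = defaultdict(list)

    def decide(self, ev: AccessEvent) -> str:
        # Record every attempt, allowed or not; denied probes are still signal.
        hist = self._history[ev.user]
        hist.append((ev.ts, ev.resource))
        # 1. Least privilege: is this identity entitled to this specific resource?
        if ev.resource not in ENTITLEMENTS.get(ev.user, set()):
            return "deny: not entitled"
        # 2. Device posture must be acceptable.
        if not ev.device_compliant:
            return "deny: noncompliant device"
        # 3. Strong authentication must be recent.
        if ev.mfa_age_s > MAX_MFA_AGE_S:
            return "step-up: stale MFA"
        # 4. Behaviour: one identity fanning out across many resources in a
        #    short window has the shape of lateral movement, so re-challenge it.
        recent = {r for t, r in hist if ev.ts - t <= FANOUT_WINDOW_S}
        if len(recent) > FANOUT_LIMIT:
            return "step-up: lateral-movement pattern"
        return "allow"


# Constructed access log: a phished helpdesk user, then a stolen admin credential
# that is used to sweep across servers, then the same credential from outside.
SAMPLE_EVENTS = [
    AccessEvent(0,   "jdoe",      "10.1.2.3",    "mail",          True,  300),
    AccessEvent(60,  "jdoe",      "10.1.2.3",    "dms-db",        True,  360),
    AccessEvent(120, "dba-admin", "10.1.2.3",    "jump-host",     True,  100),
    AccessEvent(180, "dba-admin", "10.1.2.3",    "file-share",    True,  160),
    AccessEvent(240, "dba-admin", "10.1.2.3",    "dms-db",        True,  220),
    AccessEvent(300, "dba-admin", "10.1.2.3",    "backup-server", True,  280),
    AccessEvent(400, "dba-admin", "10.1.2.3",    "mail",          False, 380),
    AccessEvent(500, "dba-admin", "203.0.113.7", "mail",          True,  40000),
]


def evaluate(events: List[AccessEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (user, resource, perimeter decision, zero-trust decision) per event."""
    policy = ZeroTrustPolicy()
    return [(ev.user, ev.resource, perimeter_decision(ev), policy.decide(ev))
            for ev in events]


if __name__ == "__main__":
    for user, resource, per, zt in evaluate(SAMPLE_EVENTS):
        print(f"{user:10} -> {resource:14} perimeter={per:6} zero-trust={zt}")
```

Run stand-alone, the script shows the perimeter model allowing every internal request, including the phished helpdesk account reaching the database and the admin credential sweeping four servers in five minutes, while the zero-trust evaluator denies the unentitled access outright and forces a re-challenge once the fan-out exceeds the threshold. Real deployments take the entitlements from an identity provider and the posture signal from an endpoint agent; the thresholds here are placeholders to tune against your own baseline.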

Modern ransomware tools make attacks easier for cybercriminals and harder on victims. Advanced threat groups like BlackCat/ALPHV, which had Russian origins like BlackSuit, created fast, cross-platform ransomware tools using the Rust programming language, according to Nizich. BlackSuit likely used similar tools in the CDK attacks, he said.

According to a Hawkeye technical blog, compiled Rust binaries are harder for malware analysts to reverse-engineer than traditional C/C++ malware, and detection signatures tuned to older toolchains can miss them. The resulting ransomware is evasive and difficult to analyze and detect.

Claims of Data Exposure

According to Nizich, based on public information, BlackSuit breached and exfiltrated data belonging to auto dealers, employees, and consumers. According to Court Listener, a class action suit that dealerships and consumers filed against CDK Global in Florida claims the compromise of their personally identifiable information (PII). The suit identifies classes, including dealers, consumers, salespersons, finance personnel, and those who service the vehicles nationwide. All these classes claim that the ransomware attack compromised their PII. PII is information that can identify a person, such as a Social Security number, address, phone number, email address, or credit data.

The suit states that it all happened despite CDK’s promises “throughout the course of its marketing campaigns[,] making users feel at ease [sic] CDK has mastered protecting data it had dominion and control over.”

According to the National Law Review, federal suits in Illinois and Florida claim the attacks exposed consumer personal information and stopped 15,000 dealerships’ sales, financing, servicing, and payroll operations. Consumers have filed several lawsuits against CDK in Illinois regarding the attack.

According to Bloomberg, BlackSuit demanded tens of millions to end the onslaught. According to CNN, a BlackSuit cryptocurrency account received $25 million, paid in Bitcoin, on June 21, two days after the first attack on CDK. CNN reported CDK was likely the source of the payment.

Aftermath of CDK Attack

There could be fines against CDK besides the damages the several lawsuits could win. “I could almost guarantee that auto dealers and CDK had data from European customers, in which case, the breach would trigger the E.U.’s General Data Protection Regulation (GDPR). CDK will be subject to fines of up to 4% of their GDP,” said Nizich. The GDPR protects the personal data of people in the E.U. regardless of where the company processing it is based, so a U.S. vendor holding E.U. residents’ data falls within its reach.

The auto industry outage cascades to other industries. “Dealer issues affect not only the auto industry. For example, if a logistics company services their trucks at a dealer affected by these issues, that can cause ripples across the market,” said Nick Hyatt, director of threat intelligence at Blackpoint Cyber, a cybersecurity company serving MSPs that service auto dealers.

The Future of Auto Retailer Cybersecurity

There are many SaaS platforms for auto retailers. Based on CEO interviews, Latka, a SaaS software database, lists the 107 largest private B2B Automotive Software SaaS Companies as of July 2024. It does not include public SaaS providers. Vulnerabilities in those SaaS services present a broad attack surface for dealerships, especially when those are single points of failure.

Ransomware groups increasingly are targeting auto retailers and vendors. According to Driving, a Postmedia Network publication, cyber incidents in the auto industry have nearly doubled over the past few years.

Certainly, attacks that could cause large swaths of auto retailers to go down are an ongoing threat. According to Hyatt, “This [major attack] is one where [people raised their] eyebrows because of the widespread outages. It’s an issue the auto industry will need to address. There’s been so much movement towards improving and merging technical stacks that when something like this happens, and it reduces dealerships to antiquated methods for tracking work, it’s a major problem.” Consolidating a technical stack means combining many software functions into a single platform, which is convenient but also concentrates risk in a single point of failure.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
