Similar to the crime groups of yesteryear — these groups disband when “bosses” are incarcerated or go into hiding, with new syndicates forming from former underboss members. BlackSuit is an iteration of an affiliated group known as Royal, which formed after the fall of one of the most notorious Russian groups, Conti. Conti was said to have annual revenue exceeding $180 million from ransomware attacks.

WHEN: HOLIDAYS

Organized cybercrime groups are very strategic about when and how they strike. They gather information about their targets, working to calculate the exact timing and the ransom amount that will inflict the most damage, increasing the likelihood of the victim paying. Attackers know that U.S. holidays are times when IT is often thinly staffed and “on call” — potentially creating a scenario where guards are down. This is two-fold for automotive sales, as holidays are often the biggest days for sales. So the strike on the U.S. federal holiday of Juneteenth was the perfect storm for these adversaries, knowing that the 4th of July, one of the biggest days for auto sales, soon follows.

HOW: THE HUMAN ELEMENT (MOST LIKELY)

Again, details of the attack have not been released; however, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that 91% of attacks originate from a phishing email. Anonymous sources claiming to be insiders involved in the investigation of this attack have also indicated this was the case. Combine that with the fact that BlackSuit’s most common entry point is phishing, and we have a likely suspect for how the attack originated. That being said, most attacks employ a combination of tools and methods. As I mentioned previously, the second factor attackers have identified in the industry is outdated and unpatched “legacy” technology. Outdated software can contain known vulnerabilities and misconfigurations that give attackers a foothold and pivot points within an environment. Honorable mention goes to easily guessable passwords and/or password reuse and the lack of multi-factor authentication.

LESSONS LEARNED

Lessons from this attack are not limited to CDK, or even to the dealers impacted by the cyberattack and resulting outage. As I’ve warned, attackers tend to take the path of least resistance.

1. An Ounce of Preparation: The FTC Safeguards Rule requires you to have an Incident Response Plan in place. This should detail what actions are taken in the event of a cyberattack. These plans should be documented with roles and responsibilities and tested with “tabletop exercises,” where attack scenarios are talked through to identify potential enhancements to existing processes. Another recent amendment to the Safeguards Rule now includes reporting requirements for any incident impacting 500 or more individuals.

2. Vendor Management: This is another explicit FTC Safeguards requirement. OCD Tech has been pressing DMS providers on their security vulnerabilities and compliance since the Safeguards Rule was proposed, with some more responsive than others. Many of these systems are archaic, built on inherently vulnerable platforms and infrastructure. More modern and proactive DMS players are building solutions that are more in line with today’s technology and security needs. Proper vendor management means evaluating who your vendors are, who has access to your data, how critical they are to your operations and, subsequently, how adequate their security practices are.

3. Employee Awareness Training: Employ not only the distribution of cybersecurity awareness training materials, but simulated phishing attacks to train your workforce on how to spot red flags and indicators of suspicious activity. OCD Tech has noted employee click and open rates as high as 30% during baseline simulated phishing campaigns. That means 30% or more of your employees could fall for an email sent by an attacker. We’ve seen those very same dealerships improve that rate to less than 2% over a period of six months of simulated campaigns. Employees should also be reminded to be on high alert going into high-volume sales and service periods such as holidays, and after events such as the CDK breach, where “piggyback” attacks can follow — attackers posing as CDK representatives to convince individuals to open malicious software or grant them remote access.

4. Basic Cyber Hygiene: We can’t stress enough the importance of enabling multi-factor authentication where available, and especially where sensitive customer information resides. This is typically a low-cost, low-impact change that is very effective. Easily guessable and reused passwords could also mean that an attacker already has login information for your environment. Leverage information sources such as dark web monitoring for leaked credentials — and make sure you force password changes when such credentials for your dealership appear.

5. Assess Risk, Address Risk, Repeat: You don’t know what you don’t know. Contracting a third party to evaluate your security and compliance can be an incredibly valuable tool. Measuring your cyber risk and cybersecurity maturity can provide a roadmap towards improvement that allows you to focus your budget and effort in the right areas. With all the flashy tools and corresponding sales pitches out there today, it’s important to understand what threats you’re facing and what you’re paying for to mitigate the associated risk. Have a contracted simulated attacker evaluate your vulnerabilities and see if they can get into your systems, before a real attacker does.
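The "Basic Cyber Hygiene" item above recommends checking for leaked and reused passwords and forcing a reset when a match appears. The following is an added example, not code from the article or from OCD Tech, of how a dealership's IT team could wire that check into a password-change or login flow. It uses the same range-query layout that breached-password services use (look up by the first five hex characters of the SHA-1 hash so the full hash never leaves the client), but the breach corpus here is a small constructed sample standing in for a real dark-web or breach feed, and the account list is likewise constructed.

```python
import hashlib
from collections import Counter

# Constructed sample of passwords "seen in breaches"; a real deployment
# would pull these from a breach-monitoring feed, not a list in code.
LEAKED_PASSWORDS_SAMPLE = ["Password123", "dealer2024", "Summer2023!", "welcome1"]

# Constructed accounts, as they might be presented at password-change time.
SAMPLE_ACCOUNTS = {
    "alice": "Password123",      # appears in the breach sample
    "bob": "Summer2023!",        # appears in the breach sample
    "carol": "xK9#vL2$mQ7pW",    # strong, but reused by dave
    "dave": "xK9#vL2$mQ7pW",
    "erin": "correct horse battery staple",
}

PREFIX_LEN = 5  # k-anonymity style: only this much of the hash is ever sent out


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format breached-password range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked_passwords):
    """Index breached hashes as {prefix: {suffix, ...}}, mirroring a range query."""
    index = {}
    for pw in leaked_passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def range_lookup(index, prefix: str):
    """Stand-in for querying the feed by hash prefix; returns matching suffixes."""
    return index.get(prefix, set())


def is_leaked(password: str, index) -> bool:
    """True if the password's full hash is in the range returned for its prefix."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in range_lookup(index, h[:PREFIX_LEN])


def accounts_requiring_reset(accounts, index):
    """Return {username: [reasons]} for every account that must change its password.

    Reasons are "leaked" (hash found in the breach corpus) and "reused"
    (the same password is set on more than one account in this batch).
    """
    hash_counts = Counter(sha1_hex(pw) for pw in accounts.values())
    flagged = {}
    for user, pw in accounts.items():
        reasons = []
        if is_leaked(pw, index):
            reasons.append("leaked")
        if hash_counts[sha1_hex(pw)] > 1:
            reasons.append("reused")
        if reasons:
            flagged[user] = reasons
    return flagged


BREACH_INDEX = build_breach_index(LEAKED_PASSWORDS_SAMPLE)

if __name__ == "__main__":
    for user, reasons in accounts_requiring_reset(SAMPLE_ACCOUNTS, BREACH_INDEX).items():
        print(f"force reset for {user}: {', '.join(reasons)}")
```

Run this at the point where the plaintext password is available (account creation, password change, or login), since stored salted hashes cannot be compared against a breach feed afterwards. The "reused" check only sees reuse within the batch it is handed; reuse across unrelated services is what the dark-web monitoring feed itself surfaces.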