Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

INC Ransom group has targeted the building technology solutions provider, ControlNET LLC. The ControlNET cyberattack on June 10, 2024, allegedly targeted the supply chain factor of the organization and also asserted intrusion on Rockford Public Schools. ControlNET, renowned for its expertise in HVAC, lighting, video surveillance, access control, and power solutions, is now facing an alleged attack by a hacker group. In its post, the group not only infiltrated ControlNET's systems but also exposed sensitive information, including invoice details, building floor plans, email communications, and sample folders of ControlNET and their clientele.

Understanding the ControlNET Cyberattack

The ramifications of this breach extend beyond ControlNET with operations disrupted and data compromised for the organization. However, the claims for this cyberattack on ControlNET have not been verified. The hacker group’s post on the dark web shed light on their motives, citing ControlNET's alleged negligence in safeguarding customer data.  [caption id="attachment_76431" align="alignnone" width="1357"] Source: Dark Web[/caption] “This company has taken very poor care of the data entrusted to them by its customers. In the course of a successful attack, we stole a huge amount of data. We also attacked the clients of this company ROCKFORD SCHOOL. Which we have access to thanks to CONTROL NET”, reads the threat actor post.  The leaked information highlights the urgent need for enhanced cybersecurity measures, particularly in industries like construction and education, where sensitive data is at stake.

Who is the INC Ransom Hacker Group?

The Cyber Express has reached out to the organization to learn more about this ControlNET cyberattack and the authenticity of the claims made by the threat actor. However, at the time of writing this, no official statement or response has been received, leaving the claims for the cyberattack on ControlNET unverified.  Moreover, the company's website appears to be operational, suggesting that the attack may have targeted the backend infrastructure rather than the front-end interface. The threat actor in this attack, INC Ransom, is a ransomware group that emerged in August 2023, employing double and triple extortion tactics on victims, leaking data on their blog. Victims, mainly from Western countries, face threats and coercion during negotiations, with evidence packs published to pressure payment. The group's leaked blog includes light and dark UI options, a feedback box, and a Twitter link. While similar to LockBit 3.0's blog, INC Ransom does not charge for leaked data. Victims, spanning private sector businesses, a government organization, and a charity association, hail mostly from the United States and Europe, emphasizing the widespread impact of this cyber threat. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.