Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label BlackSuit. Show all posts
CyberThreat
BlackSuit Cyber Attacks Cyber Software CyberCrime Cyberhackers Cybersecurity CyberThreat

CDK Cyberattack Traced to BlackSuit Hackers: U.S. Auto Industry Under Siege

 


Cybercriminals have carried out a series of hacks targeting big companies by breaking into the back ends of their software suppliers, disrupting operations at auto dealerships all over the U.S. This is the latest in a wide-ranging series that targets big companies through the breaching of back-end companies. Dealers commonly use this software system to process sales and other operations, such as purchase orders, in the dealership world. Various reports in local media indicate that many dealers have started processing transactions manually as a result of the hack, which occurred last week. 

According to CDK Global, which provides software to roughly 15,000 car dealerships in North America, the company is anticipating that all 14 dealerships will be up and running by late evening Wednesday or early morning Thursday as a result of the hack. The software of CDK was compromised by two cyberattacks that forced the company's systems to be taken down for days, which resulted in delays in the scheduling of services, repairs, part deliveries, and the purchase of cars at dealerships in both the United States and Canada. 

Customers were notified by the Illinois-based company on June 24 that the disruptions might last until the end of the month since it was signalling that they could persist for a while. In the days following CDK's discovery of the breach and shutdown of systems on June 19, chaos has engulfed dealerships around the country. As an example of CDK's core product, it is a suite of software tools called a dealership management system that underpins almost every aspect of the day-to-day operations of dealerships. 

The shutdown of the system resulted in an industry that experienced $1.2 trillion in U.S. sales last year being affected and necessary repairs being disrupted as a result. As a result of these disruptions, sales are also expected to suffer just before the end of the quarter. A lot is unknown about the organization, but it appears that it emerged in May of 2023. Analysts believe that this was a relatively new cybercrime team that spun off from a well-established hacker group with Russian ties called RoyalLocker, which was older and well-known. 

A formidable hacking gang originating from the Conti gang, RoyalLocker mostly targeted American companies over the ages with sophistication compared to the other prolific attacks. Based on the data gathered by analysts, Royal was thought to rank third among the most persistent ransomware groups behind LockBit and ALPHV. The company's aggressiveness compared to the other three is not as high as BlackSuit's. Kimberly Goody, the head of cybersecurity analysis at Mandiant Intelligence, has said she has found that the number of victims listed on this site indicates that it does not have as many hacking partners as larger ransomware gangs do, based on the number of victims listed on the site. 

The cyberattack on CDK Global that has paralyzed car sales across the U.S. is believed to have been carried out by hackers called BlackSuit, according to a threat analyst for Recorded Future Inc. Allan Liska, the firm's threat analyst. Bloomberg News previously reported that the gang had requested tens of millions of dollars in ransom for the disruptions to end, and CDK was committed to making the payment, at least according to Bloomberg News. In recent decades, there has been a significant amount of consolidation within the sector that has led to a small number of companies that provide 'dealership management systems' for auto sellers. 

 The recent cyberattack on U.S. car dealerships, facilitated through CDK's services, underscores the increasing vulnerability of thousands of retail outlets. These dealerships heavily rely on CDK for essential operations such as financing, insurance management, vehicle, and parts inventory, as well as sales and repair processes. According to a 2023 report by CDK, cybercriminal activity targeting car dealerships is on the rise, with 17% of 175 surveyed dealers reporting incidents within the past year—a notable increase from the previous year's 15%. Of those affected, 46% cited significant financial or operational setbacks due to cyberattacks. 

Dealerships have become prime targets due to the substantial volumes of sensitive customer data they store. From credit applications to financial records, these establishments possess a wealth of valuable information coveted by hackers, as highlighted in a 2023 article by Zurich North America. The group known as BlackSuit has emerged as a prominent threat, employing tactics such as "double extortion," where stolen data is used to coerce victims into paying a ransom. 

According to Mandiant's findings, BlackSuit operates an infrastructure supporting affiliated cybercriminal groups, aiding extortion activities, and exerting pressure on victims through various means, including website disruptions. As the frequency and sophistication of cyber threats continue to escalate, the vulnerability of car dealerships to such attacks underscores the urgent need for enhanced cybersecurity measures across the automotive industry. Efforts to safeguard sensitive customer information and maintain operational continuity are paramount in mitigating the impact of cyber incidents on these critical businesses.
Read more »
Ransowmare
BlackSuit CDK Global Cyber Attacks Cyberattack Data Theft Kadokawa Ransowmare

Cyberattack by BlackSuit Targets Kadokawa and CDK Global

In early June, Kadokawa's video-sharing platform Niconico experienced a server outage, which has now been claimed by the Russia-linked hacker group BlackSuit. This group, a rebrand of the Royal ransomware operation and linked to the defunct Conti cybercrime syndicate, has issued a threat on the dark web to release 1.5 terabytes of sensitive data, including signed documents, contracts, legal statements, and emails, unless a ransom is paid by July 1, 2024. 

Details of the Attack on Kadokawa: 

Kadokawa first acknowledged the cyberattack in early June, which disrupted multiple websites and services. Despite efforts by Kadokawa's IT department, BlackSuit reportedly managed to steal 1.5 terabytes of sensitive data, including business plans, user data, contracts, and financial records. The hackers exploited vulnerabilities in Kadokawa’s network, gaining access to a control center that allowed them to encrypt the entire network, affecting subsidiaries like Dwango and NicoNico. Kadokawa has assured customers that no credit card information was compromised, as it was not stored on their system. 

The company is prioritizing the restoration of accounting functions and normalizing manufacturing and distribution in its publication business, with expected results by early July. Although the production of new publications remains steady, the shipment of existing publications is currently at one-third of normal levels. Kadokawa is implementing alternative arrangements, including increasing human resources, to mitigate the impact. 

In the Web Services business, all Niconico family services are still suspended, but provisional services like Niconico Video (Re: tmp) and Niconico Live Streaming (Re: tmp) have been provided. Existing services such as Niconico Manga smartphone version and NicoFT have resumed. The Merchandise business has seen limited impact, with shipping functions operating normally. However, the failure of Kadokawa’s account authentication function has prevented users from logging into certain online shops. Temporary pages have been created for affected users, and Kadokawa will keep providing updates regarding this issue. 

Impact on CDK Global: 

BlackSuit is also believed to be behind ongoing outages at CDK Global, a software provider for approximately 15,000 North American car dealerships. Several major U.S. auto dealers, including AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, and Lithia Motors, have reported disruptions in their services due to the cyberattack. As a result, many dealerships have had to revert to pen and paper for managing auto repairs, closing new car sales, and conducting other business. 

CDK attempted to restore its systems but was hit with a second cyberattack, causing them to shut down all systems again. The company has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from. Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened, and the impact on its customers. 

Allan Liska, a ransomware analyst at Recorded Future, mentioned that the CDK attack has been attributed to BlackSuit in hacker forums and private chat channels. Malicious cybercriminal gangs are known to boast about their schemes on these platforms. While CDK is not yet listed on BlackSuit's dark web site, indicating ongoing negotiations, Bloomberg reported that the hackers are asking for a ransom in the tens of millions of dollars.
Read more »
Ransomware
BlackSuit CISA FBI malware Ransomware

From Code to Chaos: BlackSuit Ransomware and The CDK Global Cyber Crisis


In recent days, the automotive industry has been hit by a significant IT outage that has disrupted operations for car dealerships across North America. The culprit? The notorious BlackSuit ransomware gang. In this blog post, we’ll delve into the details of the attack, its impact, and what it means for CDK Global and its customers.

The Incident

According to people familiar with the situation, the BlackSuit ransomware gang is responsible for CDK Global's significant IT failure and interruption to car dealerships throughout North America.

The conversations follow the BlackSuit ransomware assault, which led CDK to lock down its IT infrastructure and data centers, including its car dealership platform, to prevent the attack from spreading. The company attempted to restore services on Wednesday, but a second cybersecurity attack forced it to shut down all IT systems again.

The Attack

CDK Global, a leading provider of technology solutions for auto dealerships, found itself in the crosshairs of cybercriminals

While the company has yet to officially confirm the ransomware attack, multiple sources indicate that BlackSuit is behind the incident. The attack likely exploited vulnerabilities in CDK’s systems, leading to widespread disruption.

Impact on Dealerships

Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed that they, too, were impacted by the outages.

The fallout from the CDK Global outage has been substantial. Car dealerships rely heavily on CDK’s software for inventory management, sales, and customer service. 

With the systems down, dealers have had to resort to manual processes, including pen-and-paper record-keeping. Imagine the chaos in a busy dealership trying to manage sales, service appointments, and parts inventory without their usual digital tools.

Data Theft Concerns

Beyond the immediate operational challenges, there are serious concerns about data theft. Ransomware attacks often involve stealing sensitive information before encrypting files and demanding a ransom.

CDK Global must now investigate whether customer data, financial records, or other critical information has been compromised. The potential fallout from such a breach could be long-lasting and damaging.

Response and Recovery

In November 2023, the FBI and CISA published in a joint advisory that Royal and BlackSuit's encryptors use similar strategies and have coding overlaps.

CDK Global’s response to the attack is crucial. They need to assess the extent of the breach, restore systems, and enhance security measures. Communication with affected dealerships is equally important. Dealers need transparency about the situation, timelines for resolution, and guidance on how to navigate the outage.

Read more »
Royal Ransomware
Advisory BlackSuit BleepingComputer CISA Cyber Attacks FBI ransomware attacks Ransomware group Royal Ransomware

FBI and CISA Reveals: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed a network breach conducted by the ‘Royal ransomware gang’ that has targeted nearly 350 organizations globally since 2022. 

Giving further details of the original advisory published in March, in the information acquired during the FBI investigation, the agencies noted that the ransomware campaign was connected to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared their initial indicators of an apparent compromise, along with a list of tactics, methods, and procedures (TTPs), in order to assist defenders in identifying and thwarting attempts to deploy Royal ransomware payloads onto their networks.

The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.

While it was anticipated that the Royal ransomware operation would rebrand in May, during the course of the BlackSuit ransomware operation, the rebranding never happened. 

According to a report published by BleepingCompter in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor, similar to the operation’s conventional encryptor. 

At the time, Partner and Head of Research and Development at RedSense – Yelisey Bohuslavskiy believed that this experiment did not in fact go well.

However, since then, Royal was able to rebrand into BlackSuit and restructure into a more centralized business, following the same blueprint as Team 2 (Conti2) when they were a member of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

Read more »
Royal Ransomware
BlackSuit Cyber Security cyber theft Ransomware Gang Royal Ransomware

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of their strategy to evade detection and evade the repercussions of their illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.
Read more »
Subscribe to: Posts (Atom)