BlackSuit Inside Auto Dealerships

12672491899?profile=RESIZE_400xA hack into software maker CDK Global has disrupted operations at auto dealerships across the US, the latest in a series of hacks where ransom-demanding cybercriminals target big companies by breaching behind-the-scenes software suppliers.  CDK makes software that is commonly used by car dealerships to process sales and other transactions.  Considering the hack, many dealers have started processing transactions manually, according to local press reports.[1]

Here is more about BlackSuit, the hacking group analysts say is behind the CDK hack: Not much is known about the group, but it emerged in May 2023.  Analysts say it is a relatively new cybercriminal team and a spinoff of an older well-known Russia-linked hacking group named RoyalLocker.  RoyalLocker traditionally hacked American companies and was a formidable hacker group borne out of another prolific gang named Conti.  Royal was likely the third most persistent ransomware group after LockBit and ALPHV, according to trusted analysts.

Yet, BlackSuit is not as aggressive as the others.  The number of victims it lists on its data leak site suggests it does not have as many hacking partners as larger ransomware gangs, said Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence.  “The majority of BlackSuit victims have been overwhelmingly based in the US, followed by the UK and Canada and span a wide range of sectors,” she said.  It has breached at least 95 organizations globally, according to the security firm Recorded Future.  “The real number of BlackSuit victims is likely much higher,” the firm said by email.

These were mostly American organizations in areas such as industrial goods and education, according to a blog last month by the security firm ReliaQuest.  “We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” said Goody.

How does BlackSuit operate?  BlackSuit is known to carry out “double extortion,” which in cyber terms means it steals a victim organization’s sensitive data, locks up its systems, and also threatens to leak information.  Mandiant’s Goody said BlackSuit had provided hacking infrastructure to other smaller partner groups of cybercriminals known as "affiliates."  BlackSuit provided extortion-related support to its partners, including resources to harass victims or down their websites to pressure them into paying.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Our services can help detect cyber threats and vulnerabilities.     For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.reuters.com/technology/cybersecurity/blacksuit-hacker-behind-cdk-global-attack-hitting-us-car-dealers-2024-06-27/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Resources

 

CASE STUDIES