rocketwise

Advisory Overview:
We are aware of a potential cyber attack against Sandhills Global. Many of their services are currently offline. This is a developing situation and we will update as we know more. In the meantime, exercise caution with any digital communication from Sandhills.
Technical detail and additional information
What is the threat?
On October 1st, many of the Sandhills services went offline in what clients are reporting as a cyber attack (possibly ransomware) against Sandhills’ infrastructure. These clients were reportedly made aware via calls from their Sandhills representatives.

We are seeing dealer websites hosted by Sandhills returning “503 Service Unavailable” messages, Sandhills corporate sites not responding, and dealer hosted Exchange email services unavailable as well.

Others have reported that phone services into Sandhills are also impacted.

So far, information is limited, as Sandhills does not appear to have made an official report.

Why is this noteworthy?
Many equipment dealers rely on Sandhills to host their email services, their websites, portals and many other business-impacting services. Depending on the depth of this issue, there are A) business impacts from not being able to access these resources and B) a potential impact if the dealers’ information hosted by Sandhills is in fact accessed by malicious threat actors.

This has a ripple effect across the construction and agriculture industries.

What is the exposure or risk?
While this is a developing situation and many details are still unknown, there are two potential risks to be aware of.

The first risk is downtime and degradation of business operations for impacted dealerships.

The second risk is if threat actors have access to dealer data or email accounts, which could include internal information, client/customer information, usernames and passwords, etc.

What are the recommendations?
The current recommendations are:
  • First, be patient with the Sandhills team. This type of event is what keeps those of us in the IT industry awake at night. You never want this to happen to yourself and you surely never wish it on others. It is very likely that Sandhills is working at full capacity to remedy this situation and protect their clients. It is possible that communication on this issue may be slow to be shared (this can be for legal reasons and also to keep threat actors out of the loop). Show an extra measure of grace during this time.
  • You and members of your team are highly encouraged to update any passwords that you may have in use.
  • Enable two-factor authentication for any and all online services you and your team utilize. Most online accounts are associated with your email address and can be reset by anyone that has access to your email account. If threat actors have access to this information, this puts you at risk. Enable (and demand) two-factor authentication for all your online accounts so that someone cannot access your accounts with just a username (usually your email address) and your password (which they might be able to reset).
  • Exercise caution when receiving any electronic communication from Sandhills systems. For the moment, if threat actors have access, it is possible that they could send malicious communications to Sandhills customers.

References:
There are very few resources currently about this situation. Here’s what we have found thus far:

Written by

Kevin possesses the unique ability to understand, and explain in non-threatening and non-technical ways how technology, business and team members work with, and sometimes, against each other. He has an innate ability to understand how technology works at the basic conceptual level and how it interacts with hardware, software, networking, people and business processes. A rare combination in today's technology arena.

Kevin lives in Charleston, South Carolina with his bride Summer, their two sons - Caleb and Isaiah - and their Vizsla wonder dog Dexter.