Updates on the CDK cyberattack
Your OOO email is ready. Your bag is packed. You can taste the ocean air already.
But as you packed your toiletries bag, did you remember your cyber hygiene? Updating your passwords probably didn’t make the pre-vacation to-do list — but considering 86% of breaches involve the use of stolen credentials — maybe it should. Bonus: A password manager will always fit in your carry-on. But before vacation hits, keep reading for the latest cybersecurity news and tips.
Last week, CDK Global — a cloud-based software provider for car dealerships — disconnected their systems and infrastructure following a ransomware attack “out of an abundance of caution” and advised customers to disable their “Always-on VPN.” Many impacted dealerships are experiencing significant disruptions to their business operations and are manually handling payments and paperwork.
As of Wednesday, the CDK Global Hotline stated that while restoration is progressing, the core application will not be live for all dealers by June 30, 2024. CDK Global advised via their incident hotline that if customers “need to make alternate plans for [the] month-end financial close process, [they] should do so."
Risk Advisory in action: When the incident was reported on Wednesday, we sent our Auto Dealership policyholders an alert with remediation steps and guidance. Over the weekend, our Risk Advisory and Claims teams worked hands-on with organizations experiencing operational delays due to the shutdown to walk them through the claims process.
The Risk Advisory team has advised auto dealer policyholders on disabling CDK’s Always-On VPN to mitigate future downstream risk as CDK completes its investigation.
⏰ High social engineering risk: Unsurprisingly, threat actors are looking to exploit a high-stress situation for their own gain. Dealerships have reported being contacted by “CDK employees” offering “software updates”, a pretext for cybercriminals to get access to downstream customers’ systems. Before acting on any such contact, verify it through a known, trusted contact at CDK Global.
What’s next? Corvus will continue to monitor the situation and update policyholders with any actionable next steps.
We want your feedback: With your input, we can continue to improve the Risk Prevention experience for organizations like yours. Complete the survey to be entered to receive a complimentary Tabletop Planning and Exercise session with our cybersecurity experts.
The Corvus Threat Intel team has flagged an old trick with a new look that involves threat actors overwhelming users with spam emails. (Think of it like a denial-of-service attack on your inbox). The emails are typically not malicious, just newsletter sign-up confirmations from legitimate organizations, but they’re not reliably caught by spam filters, leaving the user to deal with hundreds, if not thousands, of emails in their inbox.
Why it’s concerning: After overloading a user’s inbox, the threat actors impersonate a member of the organization’s IT team and “offer solutions”, with the ultimate goal of tricking the user into granting them remote access to their system “to support troubleshooting”. While no cases of email bombing have led to ransomware deployment (yet), Rapid7 reports that the observed indicators of compromise tie this social engineering campaign to Black Basta operators.
Be wary: Email bombs have also been used to bury evidence of other fraudulent activity in the flood, such as Apple Store orders, retail store purchases, and airline bookings made with the victim’s stolen payment details.
Preventive measures:
- Block unapproved remote monitoring and management (RMM) tools from executing in your environment.
- Establish a multi-step identity verification process so that cybercriminals cannot successfully impersonate users or IT staff.
- Raise awareness of the red flags through employee security awareness training.
- Monitor your financial accounts and credit for signs of unauthorized activity.
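The pattern described above is easy to spot from mailbox metadata alone: many confirmation-style messages, from many unrelated sender domains, arriving inside a few minutes. The detection below is an added example written for this newsletter (not Corvus tooling and not Rapid7's code). The message records are constructed, and the ten-minute window and the two thresholds are assumptions to tune against your own mail volume. It also shows why filtering by sender does not work here: every sender is a legitimate newsletter service, so the burst itself is the signal.

```python
"""Flag an "email bomb": a burst of sign-up confirmation mail from many
unrelated senders in a short window.

Added example written for this newsletter, not Corvus tooling or code from
Rapid7. The message records are constructed, and the window and thresholds
are assumptions to tune against your own mail volume.
"""
from datetime import datetime, timedelta
import re

# Subject phrases typical of newsletter sign-up confirmations (assumed list).
CONFIRM_RE = re.compile(
    r"\b(confirm|verify|welcome|subscription|activate|signing up)\b",
    re.IGNORECASE,
)


def is_confirmation(subject: str) -> bool:
    """True when the subject reads like a sign-up confirmation."""
    return bool(CONFIRM_RE.search(subject))


def sender_domain(address: str) -> str:
    """'news@shop.example' -> 'shop.example'."""
    return address.rsplit("@", 1)[-1].lower()


def find_email_bomb(messages, window=timedelta(minutes=10),
                    min_messages=30, min_domains=15):
    """Return (window_start, message_count, distinct_domains) for the first
    window that looks like a bomb, or None.

    messages: iterable of (received_at: datetime, sender: str, subject: str).
    A bomb is a window holding at least min_messages confirmation-style
    mails from at least min_domains distinct sender domains. Either signal
    alone is noisy (one chatty newsletter, or a slow trickle of sign-ups);
    together they separate a bomb from normal traffic.
    """
    confirms = sorted(
        (ts, sender_domain(sender))
        for ts, sender, subject in messages
        if is_confirmation(subject)
    )
    start = 0
    for end in range(len(confirms)):
        # Slide the window start forward until it spans at most `window`.
        while confirms[end][0] - confirms[start][0] > window:
            start += 1
        span = confirms[start:end + 1]
        domains = {domain for _, domain in span}
        if len(span) >= min_messages and len(domains) >= min_domains:
            return confirms[start][0], len(span), len(domains)
    return None


def build_mailbox(n_confirmations, n_domains, spread):
    """Constructed mailbox: n_confirmations confirmation mails from
    n_domains distinct sender domains, evenly spread over `spread`,
    plus one ordinary work mail."""
    t0 = datetime(2024, 6, 24, 9, 0)
    mailbox = [(t0 + timedelta(minutes=3), "cfo@corp.example", "Q2 numbers")]
    for i in range(n_confirmations):
        domain = f"shop{i % n_domains}.example"
        mailbox.append((t0 + spread * i / n_confirmations,
                        f"news@{domain}",
                        f"Please confirm your subscription ({i})"))
    return mailbox


def sample_bomb():
    """Constructed: 60 confirmations from 40 senders inside 8 minutes."""
    return build_mailbox(60, 40, timedelta(minutes=8))


def sample_benign():
    """Constructed: six sign-ups from six senders spread over a full day."""
    return build_mailbox(6, 6, timedelta(hours=24))


if __name__ == "__main__":
    print("bomb  :", find_email_bomb(sample_bomb()))
    print("benign:", find_email_bomb(sample_benign()))
```

When the check fires, the useful response is not to block senders but to warn the affected user that any unsolicited “IT support” call or chat in the following hours is to be treated as the second stage of the attack and verified through the normal helpdesk channel.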
The Corvus Scan is a powerful asset that helps us identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation.
Monthly round-up of our alerts and threat intel updates:
MOVEit Vulnerabilities
New security flaws have been reported in MOVEit Transfer and MOVEit Gateway, Progress Software's file transfer products, which companies often use to move sensitive files securely. They are tracked as CVE-2024-5806 (MOVEit Transfer) and CVE-2024-5805 (MOVEit Gateway). The flaws allow a remote, unauthenticated attacker to bypass authentication and gain unauthorized access to the system. Exploitation attempts are already being observed, and ransomware gangs have a history of quickly capitalizing on flaws in file transfer software. It is critical that impacted organizations take action immediately.
Potential Impact
The flaws affect:
- MOVEit Gateway:
- 2024.0.0.
- MOVEit Transfer:
- from 2023.0.0 before 2023.0.11
- from 2023.1.0 before 2023.1.6
- from 2024.0.0 before 2024.0.2
Attackers can exploit these vulnerabilities to gain unauthorized access to vulnerable systems. There are already reports of exploitation taking place in the wild. Corvus has observed ransomware groups exploit similar vulnerabilities in file transfer software to steal and encrypt sensitive data. Security updates are available and should be applied as soon as possible.
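Checking an estate against version ranges like the ones above is where inventory scripts go wrong most often: the fixed build is exclusive, the lower bound is inclusive, and comparing version strings as text puts 2023.0.11 before 2023.0.2. The script below is an added example written for this alert, not Progress Software or Corvus tooling. The ranges are the ones listed above; the host names and installed versions are constructed.

```python
"""Triage an inventory of MOVEit hosts against the affected version ranges
listed in the alert above.

Added example, not Progress Software or Corvus tooling. The ranges come
from the alert text; host names and installed versions are constructed.
"""

# product -> list of (first affected, first fixed). A None upper bound means
# only that exact build is listed as affected.
AFFECTED = {
    "MOVEit Transfer": [
        ("2023.0.0", "2023.0.11"),
        ("2023.1.0", "2023.1.6"),
        ("2024.0.0", "2024.0.2"),
    ],
    "MOVEit Gateway": [
        ("2024.0.0", None),
    ],
}


def parse_version(version: str) -> tuple:
    """'2023.0.11' -> (2023, 0, 11), padded to three numeric fields.

    Compare as tuples of ints: as strings, '2023.0.11' sorts before
    '2023.0.2', so a range check on raw strings misclassifies any patch
    level above 9.
    """
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` falls in a listed affected range
    (lower bound inclusive, fixed version exclusive).

    False means 'not in the listed ranges', not 'safe': branches the alert
    does not mention still need checking against the vendor's advisory.
    """
    v = parse_version(version)
    for lower, fixed in AFFECTED.get(product, []):
        if fixed is None:
            if v == parse_version(lower):
                return True
        elif parse_version(lower) <= v < parse_version(fixed):
            return True
    return False


def triage(inventory):
    """Return the host names that need the security update, from an
    inventory of (host, product, version) records."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    ("sftp-01", "MOVEit Transfer", "2023.0.10"),   # in range: vulnerable
    ("sftp-02", "MOVEit Transfer", "2023.0.11"),   # fixed build
    ("sftp-03", "MOVEit Transfer", "2023.1"),      # short form, == 2023.1.0
    ("sftp-04", "MOVEit Transfer", "2024.0.2"),    # fixed build
    ("gw-01",   "MOVEit Gateway",  "2024.0.0"),    # listed build: vulnerable
    ("gw-02",   "MOVEit Gateway",  "2024.0.1"),    # not in the listed ranges
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Feed it the product and version as reported by the installed software itself rather than from a CMDB entry that may be stale; the whole point of the check is to find the hosts nobody remembered to patch.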