<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1354242&amp;fmt=gif">

CDK Global Incident | June 2024

CDK Global Incident Overview

 

 

Corvus will NEVER call you to ask for access to your systems.  If you receive any calls purporting to be from Corvus and asking for access to your system, they are social engineering calls.

If you receive such a call, please contact us at services@corvusinsurance.com

 

Vulnerability Update

On Saturday, June 22, 2024, the CDK Global incident hotline referred to the incident as a cyber ransom event following reports by Bloomberg of the same. This cyber ransom event has been attributed to BlackSuit ransomware. At this time, CDK Global reports that is has begun the restoration process. CDK Global anticipates the restoration will take several days, not weeks, for the major application to resume functionality.

Background Information

On or about June 18, 2024, CDK Global suffered a cyber security incident that led them to disconnect their systems and infrastructure, resulting in a lack of service to their customers. While no details are known about the incident at this time, CDK Global has reportedly contacted their customers and advised that the “Always-on VPN'' be disabled, as it has administrative permissions for the purpose of updates.

CDK Global’s hotline has also reported instances of threat actors contacting dealerships while purporting to be CDK Global employees. Threat actors are conducting social engineering, attempting to gain direct access to dealership systems and records. CDK Global stated that they will not be contacting any customers to obtain any alternative access or credentials.

Next steps for auto dealerships that use CDK Global software:

We encourage your organization to take the following steps to mitigate against potential attack:

  1. Disable the always-on VPN used to connect to CDK Global services.
  2. Closely follow all updates from CDK Global and wait for them to communicate that it is safe to enable the always-on VPN connectivity.
  3. Threat actors are contacting dealerships purporting to be CDK employees to social engineer their way into customer systems.  Exercise extreme caution when being contacted about software updates and access.
    1. Please inform your employees that the risk of company phishing and social engineering is incredibly high at this moment.

    2. Verify directly with CDK Global through your own initiated and trusted contact details if any needs arise.

Actions Taken by Corvus

  • Corvus has sent two alerts to all of our auto dealer policyholders to encourage proactive measures to prevent additional harm or business loss.
    • The Corvus Risk Advisory Team will continue to communicate with policyholders regarding questions or concerns.

  • The Corvus Claims Team is actively responding to all potential notices of loss, working directly through the claims process with our policyholders.

Timeline of the Incident

  • On Tuesday evening, CDK Global—which provides SaaS-based CRM, payroll, finance and other functions to 15,000 dealerships—reportedly became aware that it was under attack.
  • While CDK was working to recover from the first attack, the company was struck by a second attack late on Wednesday evening, according to media reports.
    • “We are sorry to inform you that we experienced an additional cyber incident late in the evening on June 19th,” reads a message to CDK customers posted Thursday on X.

  • According to the message posted on X, the latest attack prompted CDK to shut down its systems for a second time.
    • “Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems,” the message posted Thursday reads.

  • In a message to TechCrunch, a CDK spokesperson confirmed Thursday that the company has shut down “most” of its systems.
    • According to the message posted Thursday on X, CDK has been “assessing the overall impact and consulting with external 3rd party experts.”

      “At this time, we do not have an estimated time frame for resolution and therefore our dealers' systems will not be available at a minimum on Thursday, June 20th,” the message reads.

      “We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible,” the CDK spokesperson said in a statement shared with TechCrunch.

  • As of early Friday morning, June 21, 2024, the CDK Global hotline stated that there is no "estimated time frame for resolution and therefore our dealer systems will not be available likely for several days."
  • Saturday evening, June 22, 2024, the CDK Global incident hotline referred to the incident as a cyber ransom event. CDK Global estimated that the restoration process would take several days, as opposed to weeks, for the major application to function.

CDK Global set up toll-free lines at +1 (855) 356-3270 (English) and +1 (877) 483-7817 (French) for updates.

Recent Articles

Q2 Cyber Threat Report: Ransomware Season Arrives Early


In this report, our threat intel team highlights our critical cyber threat and ransomware findings from Q2 2024 and what it means for the threat landscape.

Global IT Meltdown: CrowdStrike Software Update Causes Broad Outages


On July 19, 2024, the world woke up to a massive IT outage caused by cybersecurity firm CrowdStrike that affected numerous industries across the globe.

Navigating Third-Party Risk: A Key Component for Business Resilience


The Corvus claims team has observed an increasing trend of third-party breaches. Find out how to help prevent third-party risk in this short cyber blog.