Threat Watch

Carnival Corporation Hit by Ransomware

Carnival Corporation, the world’s largest cruise line operator, disclosed a ransomware attack affecting one of its brands in a filing with the Securities and Exchange Commission (SEC) yesterday. The filing mentions that the attack, discovered on August 15th, successfully encrypted and stole data from one of its brands’ IT systems. Possibly referencing an earlier data breach this year, Carnival also notes that the stolen data “could lead to claims from guests, employees, shareholders or regulatory agencies.” Twitter user @bad_packets found that Carnival had multiple NetScaler devices still vulnerable to CVE-2019-19781, which could allow an attacker access to the internal network if successfully exploited. @bad_packets also mentioned finding Palo Alto Networks firewall devices vulnerable to CVE-2020-2021, which could allow remote, unauthenticated attackers to bypass authentication.

ANALYST NOTES

Appliances with vulnerabilities like those highlighted by @bad_packets should be patched as soon as possible. Instructions for NetScaler can be found in the Citrix advisory (https://support.citrix.com/article/CTX267027), and instructions for Palo Alto firewalls can be found in the Palo Alto Networks advisory (https://security.paloaltonetworks.com/CVE-2020-2021). If patching is not possible for some time, vendors often release temporary mitigations in the security advisory as well. Both vulnerabilities now have updates available that mitigate the issue without the need for workarounds, so any workarounds should be used only as a short-term measure.

Sources: https://www.bleepingcomputer.com/news/security/worlds-largest-cruise-line-operator-carnival-hit-by-ransomware/

https://support.citrix.com/article/CTX267027

https://security.paloaltonetworks.com/CVE-2020-2021