Threat Watch

Carnival Cruise Line Ransomware Attack

Carnival Corporation, the world’s largest cruise line operator, has confirmed that it was the victim of a ransomware attack that involved the theft of personal information belonging to customers, employees, and ship crew members. The attack took place on August 15th of this year, and a notice was filed with the Securities and Exchange Commission (SEC) two days later, on August 17th. Carnival stated that only one of its nine brands was affected in the attack and that “the security event included unauthorized access of personal data of guests and employees.” Cybersecurity firm Bad Packets identified several potential points of initial compromise that the attackers may have used to enter Carnival’s network. The two main possible entry points found, CVE-2019-19781 and CVE-2020-2021, are vulnerabilities in the Internet-facing Citrix ADC and Palo Alto PAN-OS products that ransomware gangs use as stepping stones to breach corporate networks, allowing them to move laterally and collect the credentials needed to access administrative accounts on the servers.

ANALYST NOTES

Network defenders and IT professionals need to ensure that security patches are installed in a timely manner after they are made available. Very few threat groups can afford to pay for exploits against completely unknown vulnerabilities (known as 0-day attacks), but soon after any security patch is released, security researchers and threat actors alike are quick to reverse-engineer the patch and create an exploit for the vulnerability. It is only when companies fail to patch their systems quickly that these “1-day” attacks succeed, and yet they are often used to devastating effect. Even after the patch is applied, it is important to review access logs to determine whether attackers may have compromised passwords before the systems were patched. Attackers with valid passwords can come back later and log in, even after the servers have been patched. Following attacks such as these, all affected users should change their passwords to more complex passwords that include special characters, numbers, and mixed-case letters. Passwords should also be unique to each login so that they cannot be reused in other attacks. Customers of Carnival Cruise Lines need to monitor their credit reports and consider a credit freeze to prevent attackers from misusing stolen personal information for fraud.
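The post-patch log review described above can be turned into a repeatable check. The following is an added illustration written for this bulletin, not code from Carnival, Bad Packets, or the source article: it reads a constructed, hypothetical authentication log (timestamp, account, source address, result), baselines each account's source addresses from before the vulnerability was exploitable, and flags successful logins from previously unseen addresses during the exposure window and, with higher severity, after the patch date. The log format, account names, addresses, and the exposure and patch dates are all constructed for the example.

```python
"""Post-patch access-log review (added example; log format and dates are constructed).

A credential harvested through an unpatched edge device keeps working after the
patch, so patching alone does not close the incident. This script baselines each
account's source addresses from before the exposure window, then flags:
  - "exposure":   successful logins during the unpatched window from a source the
                  account never used before (possible credential compromise), and
  - "post_patch": successful logins after the patch from a source not in the
                  baseline; "high" if that source was also active during the
                  exposure window (the returning-attacker pattern), else "medium".
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical line format: "<ISO-8601 UTC> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_ts(s):
    """Parse the constructed timestamp format into a timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # malformed lines are skipped rather than guessed at
    return {
        "ts": parse_ts(m["ts"]),
        "raw_ts": m["ts"],
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "success",
    }


def review_logins(lines, exposure_start, patched_at):
    """Flag successful logins from sources outside each account's pre-exposure baseline."""
    events = [e for e in map(parse_line, lines) if e is not None]

    baseline = defaultdict(set)       # user -> sources seen before the exposure window
    exposure_srcs = defaultdict(set)  # user -> sources seen while the system was unpatched
    for e in events:
        if not e["ok"]:
            continue
        if e["ts"] < exposure_start:
            baseline[e["user"]].add(e["src"])
        elif e["ts"] < patched_at:
            exposure_srcs[e["user"]].add(e["src"])

    findings = []
    for e in events:
        if not e["ok"] or e["ts"] < exposure_start:
            continue
        if e["src"] in baseline.get(e["user"], set()):
            continue  # source is part of the account's normal pattern
        if e["ts"] < patched_at:
            phase, severity = "exposure", "medium"
        else:
            phase = "post_patch"
            seen_during_exposure = e["src"] in exposure_srcs.get(e["user"], set())
            severity = "high" if seen_during_exposure else "medium"
        findings.append({"ts": e["raw_ts"], "user": e["user"], "src": e["src"],
                         "phase": phase, "severity": severity})
    return findings


# Constructed sample data: dates and addresses are hypothetical, not from the incident.
EXPOSURE_START = parse_ts("2020-08-01T00:00:00Z")  # vulnerability publicly exploitable
PATCHED_AT = parse_ts("2020-08-12T00:00:00Z")      # patch applied to the edge device
SAMPLE_LOG = [
    "2020-07-20T08:01:10Z user=alice src=198.51.100.10 result=success",  # baseline
    "2020-07-25T09:15:00Z user=bob src=198.51.100.20 result=success",    # baseline
    "2020-08-05T02:40:33Z user=alice src=203.0.113.7 result=success",    # new source, unpatched
    "2020-08-06T10:00:00Z user=bob src=198.51.100.20 result=success",    # known source
    "2020-08-14T03:12:44Z user=alice src=203.0.113.7 result=success",    # same source returns post-patch
    "2020-08-15T11:30:00Z user=bob src=198.51.100.20 result=success",    # known source
    "2020-08-16T22:05:09Z user=bob src=192.0.2.55 result=failure",       # failures are ignored
    "2020-08-16T22:06:09Z user=bob src=192.0.2.55 result=success",       # new source post-patch
    "this line is not in the expected format",                            # skipped
]

if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG, EXPOSURE_START, PATCHED_AT):
        print(f"{f['severity']:6} {f['phase']:10} {f['ts']} {f['user']} from {f['src']}")
```

The "high" finding is the one the bulletin warns about: an address that first appeared while the device was unpatched and is still logging in after the patch. Findings in either phase are a reason to force a password reset for that account rather than to assume the patch resolved the exposure.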

Source Article: https://www.bleepingcomputer.com/news/security/largest-cruise-line-operator-carnival-confirms-ransomware-data-theft/