Carnival Corporation & PLC is the largest cruise line operator in the world. In 2019, Carnival pulled in a record revenue of $20.8 billion. Even with the troubles of 2020, this makes them a significant target for attackers looking to earn a profit. On 15 August 2020, Carnival Corp & PLC detected a ransomware attack that encrypted a portion of one brand’s IT systems. Attackers not only encrypted the data, but also downloaded certain files indicating some data was stolen. In their SEC filings, the company states, “we expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies.”
Carnival has yet to disclose the name of the ransomware which targeted the company. However - using Red Sky Alliance collections - analysts noticed a recent spike in external malicious activity related to the company. This was right before the current attack. Our collection showed a spike in indicators of compromise (IoCs) for the company around the 1st of August, specifically malicious email indicators.
Some researchers speculate that attackers could have breached the company through the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability. Others believe that CVE-2020-2021 could have been leveraged to gain unnoticed access to the company’s networks. Carnival has neither confirmed nor denied this.
The externally collected IoCs observed may identify some of the malicious activity that could have resulted in the activation of ransomware on the Carnival network. As an example, the most recent activity observed by Red Sky Alliance analysts shows a malicious email being sent from one employee to another.
How did this happen?
Initially, an employee who identifies himself as ‘general counsel’ received an email and attachment on 3 August 2020 claiming that the employee had a pending VM (voicemail) message. The Carnival employee then forwarded the malicious attachment to an employee identifying himself as a [Caribbean Country] Coordinator and asked if the voicemail was legitimate. It is likely that the general counsel employee inadvertently passed malware to the other employee. Because Red Sky Alliance does not have access to any internal data for the company, analysts are unable to determine if this attempted attack was successful. Notably, the same general counsel employee has breach data as far back as May 2017. This may indicate that attackers were inside their network as far back as 2017.
In the past 30 days, over a dozen breached accounts for Carnival have been published online. Also observed are multiple historical indicators of compromise over the past few years. In some cases, attackers gain access to a network and remain there undetected for a while before executing their attack.
Red Sky Alliance has observed more than breach data being exposed for the company. For example, at the end of 2019, a phishing link was observed containing a Human Resources (HR) email address for the company. Over the course of 2019, there were 8 other phishing links observed containing Carnival email addresses. This highlights the need for maritime cyber risk management.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks.
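The early warning described above is a spike in externally collected IoC volume for the company shortly before the attack, dominated by malicious email indicators. The following is an added example, not Red Sky Alliance or RedXray code, of how such a spike can be flagged automatically: daily IoC counts per category are compared against a rolling baseline of the previous seven days, and any day whose total is more than three standard deviations above that baseline is reported together with the category driving it. All daily figures, the category names and the date range are constructed for illustration only.

```python
"""Rolling-baseline spike detection over daily external IoC counts.

Added example with constructed data; the figures below are invented and
are not Red Sky Alliance collections.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

# Assumed indicator categories (hypothetical, chosen for the example).
CATEGORIES = ("malicious_email", "botnet", "phishing_link")

# Constructed daily counts, one tuple per day in CATEGORIES order,
# covering 20 July to 3 August 2020. A quiet baseline is followed by a
# jump in malicious email indicators on 1 and 2 August.
_RAW = [
    (1, 1, 1), (1, 1, 0), (2, 1, 1), (1, 1, 1), (1, 0, 1), (2, 0, 1), (2, 1, 1),
    (1, 1, 0), (1, 1, 1), (2, 0, 1), (1, 1, 0), (2, 1, 1),
    (17, 2, 1), (15, 2, 1), (3, 1, 1),
]
DAILY_IOCS = [
    {"day": date(2020, 7, 20) + timedelta(days=i), **dict(zip(CATEGORIES, row))}
    for i, row in enumerate(_RAW)
]


def daily_total(record):
    """Total IoC count for one day across all categories."""
    return sum(record[c] for c in CATEGORIES)


def detect_spikes(records, window=7, z_threshold=3.0, std_floor=1.0):
    """Flag days whose total IoC count sits far above the preceding window.

    For each day after the first `window` days, the mean and population
    standard deviation of the previous `window` daily totals form the
    baseline. The standard deviation is floored at `std_floor` so that a
    perfectly flat baseline does not turn a one-indicator change into a
    huge z-score. Returns one dict per flagged day with the day, the total,
    the z-score and the category contributing the most indicators.
    """
    records = sorted(records, key=lambda r: r["day"])
    totals = [daily_total(r) for r in records]
    spikes = []
    for i in range(window, len(records)):
        baseline = totals[i - window:i]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), std_floor)
        z = (totals[i] - mu) / sigma
        if z >= z_threshold:
            rec = records[i]
            dominant = max(CATEGORIES, key=lambda c: rec[c])
            spikes.append({
                "day": rec["day"],
                "total": totals[i],
                "z": round(z, 2),
                "dominant": dominant,
            })
    return spikes


if __name__ == "__main__":
    for spike in detect_spikes(DAILY_IOCS):
        print(f"{spike['day']}: {spike['total']} IoCs "
              f"(z={spike['z']}, driven by {spike['dominant']})")
```

With the constructed data only 1 August is reported: its 20 indicators sit 17 floored standard deviations above the seven-day mean of 3, and malicious email is the dominant category. 2 August is not flagged because the spike of the previous day has already inflated the baseline's standard deviation; an analyst who wants consecutive spike days reported as well can exclude already-flagged days from the baseline, or alert on the category count rather than the total.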
Dryad Global and partner Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941