Ransomware Attack on Carnival May Have Been Its Second Compromise This Year

“To lose one [lot of data] may be regarded as a misfortune; to lose both looks like carelessness.”…:

Cruise operator Carnival Corp., which announced a major ransomware attack on its systems this week, may have experienced at least one more — so far undisclosed — network compromise earlier this year.

According to data from Prevailion, a security vendor that tracks command-and-control activity across the Internet, Carnival’s network was likely compromised from at least February through early June.

During that period, an IP address belonging to Carnival was observed regularly communicating with command-and-control (C2) servers outside the company. The rogue beaconing activity was especially high between April 11 and June 5 before subsiding.

Over the duration of the apparent compromise, Prevailion says it observed at least 46,000 attempted connections from the Carnival IP address to the C2 servers. The security vendor identified the activity as associated with Ramnit, malware that started off as a banking Trojan but has more recently also been observed being used to steal credentials.

[…]
