Viking Line Ferries Allegedly Breached With Full Passenger Database and Payment Data Leaked
Quick Facts
Finland
Incident Overview
A threat actor going by bytetobreach claims to have breached Viking Line, a major Finnish ferry transportation company operating in the Baltic Sea. The actor says they have extracted a complete database of traveler personal information, including vehicle registration plates, and have made the data available for free download with multiple backup links.
A second complementary database was also compiled through the NetAxept payment API, which is used by companies for processing payments at onboard restaurants and services during ferry journeys. The actor says this database correlates passenger identities with transaction data from all Viking Line ships. The actor notes that a routine check on the passenger data shows above-average wealth profiles, mentioning a Finnish filmmaker found among the first entries as an example.
The threat actor also detailed the attack chain used to gain access: exploiting a Solr local file inclusion (LFI) vulnerability dating back to 2021 to obtain Tomcat credentials, uploading a reverse shell via JSP, using the same Tomcat credentials to pivot to the master server, and then abusing the NetAxept payment integration. The listing includes redacted database links, LFI paths, initial foothold details, frontend/backend access, and system accounts.
Compromised Data Categories
