Cactus ransomware exploits the Qlik Sense flaw for campaigns

February 1, 2024

The widely used Qlik Sense data analytics solution has a vulnerability that the Cactus ransomware group quickly exploited for their campaigns.

Qlik Sense, known for its flexibility in supporting multiple data sources and offering custom data reports and visualisations, has become a primary target for cybercriminal operations. A few months ago, the platform’s vendor addressed two critical vulnerabilities in the Windows version through security updates.

The first vulnerability, tracked as CVE-2023-41266, is a path traversal bug that could enable the generation of anonymous sessions and unauthorised HTTP requests. The second, CVE-2023-41265, carries a severity rating of 9.8 and could allow unauthorised parties to elevate privileges and execute HTTP requests without authentication.

However, these fixes proved insufficient: Qlik discovered that the patch for CVE-2023-41265 was incomplete, prompting a further update tracked under a new identifier, CVE-2023-48365.


The Cactus ransomware group has taken advantage of the insufficient updates of Qlik Sense.


The Cactus ransomware group has exploited these vulnerabilities on publicly exposed, unpatched Qlik Sense instances. According to investigations, the modus operandi of the Cactus ransomware attacks leverages the Qlik Sense flaws and utilises code execution to initiate processes within the Qlik Sense Scheduler service.

These attackers also employ PowerShell and the Background Intelligent Transfer Service (BITS) to establish persistence and deploy remote access tools. The tools included in these campaigns are disguised ManageEngine UEMS executables, legitimate AnyDesk software, and a Plink binary renamed “putty.exe.”

Furthermore, the threat actors execute discovery commands while staying hidden from security defences, redirecting the output into .TTF files that can then be retrieved through path traversal. They have also uninstalled Sophos antivirus, changed admin passwords, and established Remote Desktop Protocol (RDP) tunnels, further complicating detection and response.
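The behaviours described above give defenders several detection hooks. The following Python snippet, added here as an illustration and not taken from the original article or from any vendor tooling, scores constructed Sysmon-style process-creation events against four of them: the Qlik Sense Scheduler service spawning a shell, command output redirected into a .TTF file, BITS used to fetch tooling, and a Plink binary running under the name putty.exe. The Scheduler executable path and all event contents are assumptions made up for the example.

```python
import re
from os.path import basename

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Redirection of command output into a file with a .ttf extension (case-insensitive).
TTF_REDIRECT = re.compile(r'>\s*"?[^\s"]+\.ttf\b', re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return basename(path.replace("\\", "/")).lower()


def detect(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    image = _base(event.get("image", ""))
    parent = event.get("parent_image", "").lower()
    cmd = event.get("command_line", "")
    orig = event.get("original_file_name", "").lower()  # Sysmon OriginalFileName
    # 1. The Qlik Sense Scheduler service has no business launching shells.
    if "qlik" in parent and "scheduler" in parent and image in SHELLS:
        hits.append("qlik_scheduler_spawns_shell")
    # 2. Discovery output staged in a .TTF file for later path-traversal retrieval.
    if TTF_REDIRECT.search(cmd):
        hits.append("discovery_output_to_ttf")
    # 3. BITS used to pull down additional tooling.
    if image == "bitsadmin.exe" or "start-bitstransfer" in cmd.lower():
        hits.append("bits_transfer")
    # 4. Plink running as putty.exe: on-disk name and embedded original name disagree.
    if image == "putty.exe" and orig.startswith("plink"):
        hits.append("renamed_plink")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each event index to its rule hits."""
    return {i: detect(e) for i, e in enumerate(events)}


# Constructed sample events (assumed paths and values, not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c whoami > C:\Users\Public\fonts\out.TTF"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": "bitsadmin /transfer job <constructed args>"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\putty.exe", "original_file_name": "Plink.exe",
     "command_line": "putty.exe <constructed args>"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign PowerShell launch untouched; in production the parent-process check should be tightened to the actual Scheduler binary path on the host.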

Finally, the Cactus ransomware group has adopted a double-extortion tactic, stealing and then encrypting victims' data. This escalation in TTPs by the Cactus ransomware group shows the urgent need for organisations to promptly apply security patches and adopt robust cybersecurity measures to protect their networks from evolving threats.

Admins and users should immediately apply the newly released updates to address these vulnerabilities and prevent exploitation.
