The Cactus ransomware gang has been exploiting vulnerable Qlik Sense servers since November 2023 using multiple vulnerabilities, namely CVE-2023-41266 (Path Traversal), CVE-2023-41265 (HTTP Request Tunneling) and CVE-2023-48365 (Unauthenticated Remote Code Execution).
Though Qlik has addressed these vulnerabilities with multiple security advisories, thousands of servers remain vulnerable to exploitation.
QlikSense is a data visualization and business intelligence tool that can help businesses perform data analysis and other operations.
Technical Analysis
Statistical Threat Reports
According to reports from Cyber Security News, threat actors were targeting these QlikSense servers with software vulnerabilities and misleading victims with cooked-up stories.
Nevertheless, the reports from Shadowserver indicate that there are 5,200+ internet-exposed Qlik servers, among which 3,100+ are vulnerable to exploitation by the Cactus group.
241 systems were discovered in the Netherlands alone, and the threat actors have already compromised 6 of them.
Identifying the list of servers and compromised servers involved multiple research steps.
Identifying The Vulnerable Qlik Sense Servers
An existing Nuclei template is available, which can be used to identify vulnerable QlikSense servers exposed on the Internet.
However, the researchers used the “product-info.json” file to find vulnerable servers.
This file includes several details about the server, such as the release label and version numbers, which could reveal the exact version of the QlikSense server running.
Further, the release label parameter carries a value such as “February 2022 Patch 3”, which indicates the last update applied to the Qlik Sense server and lets it be matched against the relevant advisory.
To retrieve this information from the product-info.json file, the below cURL command can be used.
curl -H "Host: localhost" -vk 'https://<qlik-server>/resources/autogenerated/product-info.json?.ttf'
The host of the server being checked goes in place of <qlik-server>. The .ttf (TrueType Font) suffix in the query string makes the request look like one for a .ttf file, since font files can be accessed unauthenticated on Qlik Sense servers, and the “Host: localhost” header avoids the 400 Bad Request response the server would otherwise return.
In a patched server, the server will return “302 Authenticate at this location” in the response, whereas a vulnerable server will reveal the information of the file with a 200 OK response.
Furthermore, either a 302 response or a release label containing “November 2023” indicates a non-vulnerable server.
How To Find Compromised Qlik Sense Servers
As Arctic Wolf explains, the Cactus ransomware group redirects the commands’ output to a TTF file named qle.ttf.
The threat group also used the qle.woff file in some instances. Moreover, these exploit files can be accessed without authentication.
Checking for these files revealed around 122 servers serving them. The United States has the highest number, 49, followed by 13 servers in Spain, 11 in Italy, 8 in the UK, 7 each in Germany and Ireland, and 6 in the Netherlands.
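As an added example, not code from the article or from the researchers it cites, the following Python classifier applies the two checks described above to responses already collected with the cURL request: the product-info.json patch rule (302, or a "November 2023" release label, means patched) and the qle.ttf / qle.woff indicator of a Cactus intrusion. The "releaseLabel" key name, the sample paths and the sample bodies are assumptions constructed for the example.

```python
import json
import posixpath

# Filenames that Arctic Wolf reports the Cactus group used to stage command
# output; served unauthenticated, they are a compromise indicator.
IOC_FILENAMES = {"qle.ttf", "qle.woff"}


def patch_state(status, body):
    """Apply the article's rule to a product-info.json response:
    302 -> patched; 200 with a 'November 2023' release label -> patched;
    any other 200 -> vulnerable (and leaking version details).
    The 'releaseLabel' key name is an assumption."""
    if status == 302:
        return "patched", None
    if status != 200:
        return "unknown", None
    try:
        info = json.loads(body)
    except ValueError:
        info = None
    if not isinstance(info, dict):
        return "unknown", None
    label = str(info.get("releaseLabel", "")).strip()
    if "November 2023" in label:
        return "patched", label
    # Older release lines have their own fix levels in Qlik's advisories;
    # flag as vulnerable here and confirm the label against the advisory.
    return "vulnerable", label


def assess_host(responses):
    """responses: {request_path: (status, body)} gathered for one server."""
    result = {"patch_state": "unknown", "release_label": None,
              "ioc_files_served": []}
    for path, (status, body) in responses.items():
        name = posixpath.basename(path.split("?", 1)[0])
        if name == "product-info.json":
            result["patch_state"], result["release_label"] = patch_state(status, body)
        elif name in IOC_FILENAMES and status == 200:
            result["ioc_files_served"].append(name)
    result["ioc_files_served"].sort()
    result["likely_compromised"] = bool(result["ioc_files_served"])
    return result


# Constructed sample: an unpatched server that also serves qle.ttf.
SAMPLE_RESPONSES = {
    "/resources/autogenerated/product-info.json?.ttf":
        (200, json.dumps({"releaseLabel": "February 2022 Patch 3"})),
    "/resources/qle.ttf": (200, "command output staged by the intruder"),
    "/resources/qle.woff": (404, ""),
}
```

Running assess_host(SAMPLE_RESPONSES) reports the February 2022 label as vulnerable and qle.ttf as served, which is the combination the article describes for a compromised server.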
It is recommended that organizations and users of QlikSense servers upgrade to the latest versions per the security advisories to prevent threat actors from exploiting these vulnerabilities.