There’s evidence of a CACTUS ransomware campaign exploiting recently revealed security vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform. This exploitation serves as a means to gain access to targeted environments.
Cybersecurity firm Arctic Wolf has documented incidents in which attackers appear to leverage CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 for initial access and then attempt to deploy Cactus ransomware on the compromised systems.
Praetorian uncovered the vulnerabilities, revealing their details in August and September, shortly after Qlik released patches to address them.
Qlik Sense Vulnerabilities
CVE-2023-41265 is an HTTP tunneling vulnerability that can be used to elevate privileges and execute HTTP requests on the backend server hosting the repository application.
When CVE-2023-41266 and CVE-2023-41265 are exploited together, a remote, unauthenticated attacker could execute arbitrary code and add new admin users to the Qlik Sense application.
CVE-2023-48365 was assigned after Praetorian researchers bypassed the patch that Qlik had released for CVE-2023-41265.
While Qlik’s advisories presently state that there is no evidence of in-the-wild exploitation for these vulnerabilities, Arctic Wolf asserts that they have observed attacks that seemingly exploit the vulnerabilities for remote code execution.
Upon securing initial access to the targeted organization’s systems, the cybercriminals were seen executing various actions, including uninstalling security software, altering admin account passwords, installing remote access software, employing RDP for lateral movement, and exfiltrating data. In certain instances, the attackers also made attempts to deploy Cactus ransomware.
“Based on significant overlaps observed in all intrusions, we attribute all of the described attacks to the same threat actor responsible for the deployment of Cactus ransomware,” stated Arctic Wolf.
With a reported customer base of more than 40,000, Qlik's products are an attractive target because a single exploitable flaw reaches a very large number of deployments.
Operating since March 2023, the Cactus ransomware has actively pursued various major organizations. These cybercriminals are recognized for exploiting vulnerabilities in VPN appliances as a means of gaining initial access.
Indicators of Compromise
Indicator | Type | Context |
---|---|---|
45.61.147[.]176 | IP Address | ManageEngine Server IP for zohoservice[.]net |
216.107.136[.]46 | IP Address | ManageEngine Server Hosting payload over HTTP |
144.172.122[.]30 | IP Address | ManageEngine Server Hosting payload over HTTP |
zohoservice[.]net | Domain Name | Hosting payload over HTTP |
http://zohoservice[.]net/putty.zip | URL | Renamed PuTTY Link (Plink) |
http://216.107.136[.]46/Qliksens_update.zip | URL | Renamed ManageEngine UEMS |
http://216.107.136[.]46/Qliksens_updated.zip | URL | Renamed ManageEngine UEMS |
http://zohoservice[.]net/qlik-sens-Patch.zip | URL | Renamed ManageEngine UEMS |
http://zohoservice[.]net/qlik-sens-nov.zip | URL | Renamed ManageEngine UEMS |
C:\Users\Public\svchost.exe | File path | Renamed Rclone |
c:\windows\temp\file.exe | File path | Renamed AnyDesk |
c:\windows\temp\putty.exe | File path | Renamed PuTTY Link (Plink) |
c:\windows\temp\Qliksens.exe | File path | Renamed ManageEngine UEMS |
c:\windows\temp\any.exe | File path | Renamed AnyDesk Installer |
C:\temp\putty.exe | File path | Renamed PuTTY Link (Plink) |
C:\Windows\appcompat\AcRes.exe | File path | Renamed ManageEngine UEMS |
file.exe | Filename | Renamed AnyDesk Installer |
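The indicators above are published defanged, so a detection has to re-fang them and match them carefully against logs. The following is an added example, not code from the article or from Arctic Wolf: it loads the table's IP, domain and file-path indicators (URL rows are covered by their host), matches IPs exactly so that 45.61.147[.]176 does not fire on 145.61.147.176, matches Windows paths case-insensitively, and runs over a few constructed sample log lines.

```python
import re

# Indicators copied from the article's IoC table (kept defanged, as published).
IOCS = {
    "45.61.147[.]176": "IP address: ManageEngine server IP for zohoservice[.]net",
    "216.107.136[.]46": "IP address: ManageEngine server hosting payload over HTTP",
    "144.172.122[.]30": "IP address: ManageEngine server hosting payload over HTTP",
    "zohoservice[.]net": "Domain: hosting payload over HTTP",
    "C:\\Users\\Public\\svchost.exe": "File path: renamed Rclone",
    "c:\\windows\\temp\\file.exe": "File path: renamed AnyDesk",
    "c:\\windows\\temp\\putty.exe": "File path: renamed PuTTY Link (Plink)",
    "c:\\windows\\temp\\Qliksens.exe": "File path: renamed ManageEngine UEMS",
    "c:\\windows\\temp\\any.exe": "File path: renamed AnyDesk installer",
    "C:\\temp\\putty.exe": "File path: renamed PuTTY Link (Plink)",
    "C:\\Windows\\appcompat\\AcRes.exe": "File path: renamed ManageEngine UEMS",
}

def refang(indicator):
    """Turn the defanged form (45.61.147[.]176) back into what appears in logs."""
    return indicator.replace("[.]", ".")

def _pattern(indicator):
    needle = re.escape(refang(indicator))
    if "\\" in indicator:
        # Windows file path: a case-insensitive substring match is enough.
        return re.compile(needle, re.IGNORECASE)
    if refang(indicator)[0].isdigit():
        # IP address: no adjacent digits, so 45.61.147.176 does not fire on 145.61.147.176.
        return re.compile(r"(?<!\d)" + needle + r"(?!\d)")
    # Domain: match the domain or a subdomain of it, not a longer name that merely contains it.
    return re.compile(r"(?<![\w-])" + needle + r"(?![\w.-])", re.IGNORECASE)

PATTERNS = [(ioc, ctx, _pattern(ioc)) for ioc, ctx in IOCS.items()]

def scan(lines):
    """Return (line_number, indicator, context) for every IoC hit in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, ctx, pat in PATTERNS:
            if pat.search(line):
                hits.append((n, ioc, ctx))
    return hits

# Constructed sample log lines (not from the article): two true hits, two near-misses.
SAMPLE_LOGS = [
    "2023-11-20 10:12:03 proxy GET http://zohoservice.net/qlik-sens-nov.zip 200",
    "2023-11-20 10:15:44 sysmon ProcessCreate Image=C:\\Windows\\Temp\\Qliksens.exe",
    "2023-11-20 10:20:01 proxy GET http://145.61.147.176/index.html 200",
    "2023-11-20 10:21:09 sysmon ProcessCreate Image=C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for n, ioc, ctx in scan(SAMPLE_LOGS):
        print(f"line {n}: {ioc} -> {ctx}")
```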