Qlik Sense Vulnerabilities Exploited in Ransomware Attacks

There is evidence of a Cactus ransomware campaign exploiting recently disclosed security vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform. The exploitation is used to gain initial access to targeted environments.

Cybersecurity firm Arctic Wolf has documented incidents in which attackers appear to leverage CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 for initial access and then attempt to deploy Cactus ransomware on the compromised systems.

Praetorian discovered the vulnerabilities and published their details in August and September, shortly after Qlik released patches to address them.

Qlik Sense Vulnerabilities

CVE-2023-41265 is an HTTP tunneling vulnerability that allows an attacker to elevate privileges and send HTTP requests to the backend server hosting the repository application.

When CVE-2023-41266 and CVE-2023-41265 are exploited together, a remote, unauthenticated attacker could execute arbitrary code and add new administrator users to the Qlik Sense application.

CVE-2023-48365 was assigned after Praetorian researchers bypassed the patch released for CVE-2023-41265.

While Qlik’s advisories currently state that there is no evidence of in-the-wild exploitation of these vulnerabilities, Arctic Wolf says it has observed attacks that appear to exploit them for remote code execution.

Upon securing initial access to the targeted organization’s systems, the cybercriminals were seen executing various actions, including uninstalling security software, altering admin account passwords, installing remote access software, employing RDP for lateral movement, and exfiltrating data. In certain instances, the attackers also made attempts to deploy Cactus ransomware.

“Based on significant overlaps observed in all intrusions, we attribute all of the described attacks to the same threat actor responsible for the deployment of Cactus ransomware,” stated Arctic Wolf.

With a reported customer base of more than 40,000, Qlik’s products are an attractive target for attackers because of their broad reach.

Active since March 2023, the Cactus ransomware operation has targeted a number of major organizations and is known for exploiting vulnerabilities in VPN appliances to gain initial access.

Indicators of Compromise

Indicator | Type | Description
--- | --- | ---
45.61.147[.]176 | IP address | ManageEngine server; IP for zohoservice[.]net
216.107.136[.]46 | IP address | ManageEngine server; hosting payload over HTTP
144.172.122[.]30 | IP address | ManageEngine server; hosting payload over HTTP
zohoservice[.]net | Domain name | Hosting payload over HTTP
http://zohoservice[.]net/putty.zip | URL | Renamed PuTTY Link (Plink)
http://216.107.136[.]46/Qliksens_update.zip | URL | Renamed ManageEngine UEMS
http://216.107.136[.]46/Qliksens_updated.zip | URL | Renamed ManageEngine UEMS
http://zohoservice[.]net/qlik-sens-Patch.zip | URL | Renamed ManageEngine UEMS
http://zohoservice[.]net/qlik-sens-nov.zip | URL | Renamed ManageEngine UEMS
C:\Users\Public\svchost.exe | File path | Renamed Rclone
c:\windows\temp\file.exe | File path | Renamed AnyDesk
c:\windows\temp\putty.exe | File path | Renamed PuTTY Link (Plink)
c:\windows\temp\Qliksens.exe | File path | Renamed ManageEngine UEMS
c:\windows\temp\any.exe | File path | Renamed AnyDesk Installer
C:\temp\putty.exe | File path | Renamed PuTTY Link (Plink)
C:\Windows\appcompat\AcRes.exe | File path | Renamed ManageEngine UEMS
file.exe | Filename | Renamed AnyDesk Installer
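The indicators above are published defanged (with `[.]` in place of `.`), so they cannot be grepped for directly. The following Python script is an added example, not code from the article or from Arctic Wolf: it refangs the published indicators, compiles a bounded, case-insensitive pattern for each (Windows paths and hostnames are case-insensitive, and an IP such as 45.61.147.176 must not fire on 45.61.147.1760), and runs them over a handful of constructed proxy, DNS and Sysmon-style log lines. The log lines, timestamps and internal addresses are invented for the demonstration.

```python
"""Match the article's Cactus/Qlik Sense IoCs against log lines (added example)."""
import re

# Indicators exactly as published in the article, in defanged form:
# (indicator, type, description)
IOCS = [
    ("45.61.147[.]176", "ip", "ManageEngine server; IP for zohoservice[.]net"),
    ("216.107.136[.]46", "ip", "ManageEngine server; hosting payload over HTTP"),
    ("144.172.122[.]30", "ip", "ManageEngine server; hosting payload over HTTP"),
    ("zohoservice[.]net", "domain", "Hosting payload over HTTP"),
    ("http://zohoservice[.]net/putty.zip", "url", "Renamed PuTTY Link (Plink)"),
    ("http://216.107.136[.]46/Qliksens_update.zip", "url", "Renamed ManageEngine UEMS"),
    ("http://216.107.136[.]46/Qliksens_updated.zip", "url", "Renamed ManageEngine UEMS"),
    ("http://zohoservice[.]net/qlik-sens-Patch.zip", "url", "Renamed ManageEngine UEMS"),
    ("http://zohoservice[.]net/qlik-sens-nov.zip", "url", "Renamed ManageEngine UEMS"),
    (r"C:\Users\Public\svchost.exe", "path", "Renamed Rclone"),
    (r"c:\windows\temp\file.exe", "path", "Renamed AnyDesk"),
    (r"c:\windows\temp\putty.exe", "path", "Renamed PuTTY Link (Plink)"),
    (r"c:\windows\temp\Qliksens.exe", "path", "Renamed ManageEngine UEMS"),
    (r"c:\windows\temp\any.exe", "path", "Renamed AnyDesk Installer"),
    (r"C:\temp\putty.exe", "path", "Renamed PuTTY Link (Plink)"),
    (r"C:\Windows\appcompat\AcRes.exe", "path", "Renamed ManageEngine UEMS"),
    ("file.exe", "filename", "Renamed AnyDesk Installer"),
]


def refang(indicator: str) -> str:
    """Turn a published '[.]' defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".")


def compile_ioc_patterns():
    """Build one case-insensitive, boundary-aware regex per indicator."""
    compiled = []
    for raw, kind, desc in IOCS:
        live = re.escape(refang(raw))
        if kind == "url":
            # URLs may carry query strings or trailing slashes, so only the left edge is bounded.
            pattern = r"(?<![\w.-])" + live
        elif kind in ("ip", "domain"):
            # Bounded on both sides so a longer address or subdomain does not match.
            pattern = r"(?<![\w.-])" + live + r"(?![\w.-])"
        elif kind == "path":
            # Full path: must not be preceded by another path character or followed by more name.
            pattern = r"(?<![\w\\])" + live + r"(?![\w.])"
        else:
            # Bare filename: must be a whole path component (noisy indicator, kept as published).
            pattern = r"(?<![\w.])" + live + r"(?![\w.])"
        compiled.append((re.compile(pattern, re.IGNORECASE), raw, kind, desc))
    return compiled


PATTERNS = compile_ioc_patterns()


def scan_line(line: str):
    """Return the list of (indicator, type, description) hits for one log line."""
    return [(raw, kind, desc) for rx, raw, kind, desc in PATTERNS if rx.search(line)]


def scan_lines(lines):
    """Return {line_number: hits} for every line with at least one hit (1-based numbering)."""
    report = {}
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


# Constructed sample lines (not real telemetry) in the style of a proxy, a DNS resolver
# and a Sysmon process-creation export; line 4 is a benign control that must not match.
SAMPLE_LOGS = [
    "2023-11-20T09:41:03Z proxy action=allow src=10.20.0.17 dst=216.107.136.46 "
    "url=http://216.107.136.46/Qliksens_update.zip",
    "2023-11-20T09:41:09Z dns client=10.20.0.17 query=zohoservice.net type=A",
    r"2023-11-20T09:42:30Z sysmon EventID=1 Image=C:\Windows\Temp\Qliksens.exe ParentImage=C:\Windows\System32\cmd.exe",
    r"2023-11-20T09:42:31Z sysmon EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"2023-11-20T09:50:12Z sysmon EventID=1 Image=C:\Windows\Temp\file.exe CommandLine=C:\Windows\Temp\file.exe --install",
]


if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS).items():
        for raw, kind, desc in hits:
            print(f"line {n}: {kind:8} {raw}  ({desc})")
```

The benign `C:\Windows\System32\svchost.exe` line produces no hit because the published indicator is the full path `C:\Users\Public\svchost.exe`, which is what makes that indicator useful; the bare `file.exe` entry, by contrast, will fire on any process of that name and should be treated as a lead rather than a conviction.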

About the Author:

FirstHackersNews - Identifies Security
