Arctic Wolf cybersecurity researchers have recently discovered a new CACTUS ransomware campaign that targets the Qlik Sense platform. This marks the first known instance of CACTUS ransomware exploiting vulnerabilities in Qlik Sense [2] [4], showcasing a higher level of sophistication in ransomware tactics [5].
Description
The attackers behind this campaign are taking advantage of three disclosed security flaws in Qlik Sense. These vulnerabilities include a privilege elevation vulnerability and a path traversal vulnerability [2]. While Qlik Sense released security patches for two critical vulnerabilities in August [1], one of the fixes proved to be inadequate, leading to the release of a new update in September. Threat actors are actively exploiting these vulnerabilities to gain initial access to targeted environments.
The attacks involve the abuse of the Qlik Sense Scheduler service to download additional tools [3], establish persistence [2] [3], and set up remote control [3]. The attackers download tools such as ManageEngine UEMS, AnyDesk [1] [2], and Plink to enable remote control [2]. They also uninstall security software [2], change admin passwords [1] [2], and create RDP tunnels [2]. Ultimately, the attacks culminate in the deployment of CACTUS ransomware and the exfiltration of data via rclone [2].
To mitigate the risks associated with this campaign, it is crucial to upgrade to the latest versions of Qlik Sense Enterprise for Windows. It is worth noting that CACTUS ransomware has previously exploited Fortinet VPN flaws and employs encryption to evade detection. Additionally, the ransomware operation utilizes the AnyDesk remote desktop application and batch scripts to uninstall security products [1].
Conclusion
The discovery of this CACTUS ransomware campaign targeting Qlik Sense highlights the evolving sophistication of ransomware tactics. Organizations using Qlik Sense should promptly upgrade to the latest versions to protect against these vulnerabilities. Furthermore, the use of encryption and remote control tools by the attackers underscores the need for robust security measures. As ransomware attacks continue to evolve, it is crucial for organizations to stay vigilant and implement comprehensive security strategies to mitigate future risks.
References
[1] https://vulnera.com/newswire/cactus-ransomware-targets-qlik-sense-vulnerabilities-to-infiltrate-networks/
[2] https://xynik.com/index.php/2023/11/30/cactus-ransomware-exploits-qlik-sense-vulnerabilities-in-targeted-attacks/
[3] https://ciso2ciso.com/cactus-ransomware-exploits-qlik-sense-vulnerabilities-in-targeted-attacks-sourcethehackernews-com/
[4] https://cyber.vumetric.com/security-news/2023/11/30/cactus-ransomware-exploits-qlik-sense-vulnerabilities-in-targeted-attacks/
[5] https://sensorstechforum.com/cactus-ransomware-qlik-sense-cve-2023-41265/