Saturday, May 18, 2024

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense for initial access.

Qlik Sense is a data discovery and analytics platform that allows you to visualize and analyze data from various sources. It has a modern interface, a relational analytics engine, and advanced artificial intelligence.

Cactus Ransomware

Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Reported by Articwolf.

CVE-2023-41266 Path traversal in Qlik Sense Enterprise for Windows. The severity range is high(8.2). An unauthenticated, remote attacker generates an anonymous session, which allows them to perform HTTP requests to unauthorized endpoints. 

CVE-2023-41265 HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows, severity range is critical (9.6). Allowing them to execute HTTP requests on the backend server hosting the repository application. 

Notably, the code was consistent between all intrusions identified and involved the Qlik Sense Scheduler service (Scheduler.exe), spawning uncommon processes.

Cactus Ransomware

The threat actors downloaded more tools to ensure remote control and persistence via PowerShell and the Background Intelligent Transfer Service (BITS). These tools included:

  • Renamed ManageEngine UEMS executables that appear to be Qlik files but have a ZIP extension. After being downloaded and used for quiet installation, these files underwent another renaming.
  • AnyDesk downloaded directly from anydesk.com
  • A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe

Also, the threat actors observed:

  • Use msiexec to uninstall Sophos via its GUID
  • Change the administrator account password
  • Establish an RDP tunnel via Plink

The evidence of these actors include:

  • Used RDP for lateral movement
  • Downloaded WizTree disk space analyzer 
  • Leveraged rclone (renamed as svchost.exe) for data exfiltration

Further technical data will be provided when available, but the incident response (IR) investigation is still underway.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles