Friday, March 1, 2024

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense for initial access.

Qlik Sense is a data discovery and analytics platform that allows you to visualize and analyze data from various sources. It has a modern interface, a relational analytics engine, and advanced artificial intelligence.

Cactus Ransomware

Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Reported by Articwolf.

CVE-2023-41266 Path traversal in Qlik Sense Enterprise for Windows. The severity range is high(8.2). An unauthenticated, remote attacker generates an anonymous session, which allows them to perform HTTP requests to unauthorized endpoints. 

CVE-2023-41265 HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows, severity range is critical (9.6). Allowing them to execute HTTP requests on the backend server hosting the repository application. 

Notably, the code was consistent between all intrusions identified and involved the Qlik Sense Scheduler service (Scheduler.exe), spawning uncommon processes.

Cactus Ransomware

The threat actors downloaded more tools to ensure remote control and persistence via PowerShell and the Background Intelligent Transfer Service (BITS). These tools included:

  • Renamed ManageEngine UEMS executables that appear to be Qlik files but have a ZIP extension. After being downloaded and used for quiet installation, these files underwent another renaming.
  • AnyDesk downloaded directly from anydesk.com
  • A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe

Also, the threat actors observed:

  • Use msiexec to uninstall Sophos via its GUID
  • Change the administrator account password
  • Establish an RDP tunnel via Plink

The evidence of these actors include:

  • Used RDP for lateral movement
  • Downloaded WizTree disk space analyzer 
  • Leveraged rclone (renamed as svchost.exe) for data exfiltration

Further technical data will be provided when available, but the incident response (IR) investigation is still underway.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...

Hackers Hijack Anycubic 3D Printers to Display Warning Messages

Anycubic 3D printer owners have been caught off guard by a series of unauthorized...

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles