Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense for initial access.

Qlik Sense is a data discovery and analytics platform that allows you to visualize and analyze data from various sources. It has a modern interface, a relational analytics engine, and advanced artificial intelligence.

Cactus Ransomware

Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames.

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Try StorageGuard for Free

They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Reported by Articwolf.

CVE-2023-41266 Path traversal in Qlik Sense Enterprise for Windows. The severity range is high(8.2). An unauthenticated, remote attacker generates an anonymous session, which allows them to perform HTTP requests to unauthorized endpoints. 

CVE-2023-41265 HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows, severity range is critical (9.6). Allowing them to execute HTTP requests on the backend server hosting the repository application. 

Notably, the code was consistent between all intrusions identified and involved the Qlik Sense Scheduler service (Scheduler.exe), spawning uncommon processes.

The threat actors downloaded more tools to ensure remote control and persistence via PowerShell and the Background Intelligent Transfer Service (BITS). These tools included:

• Renamed ManageEngine UEMS executables that appear to be Qlik files but have a ZIP extension. After being downloaded and used for quiet installation, these files underwent another renaming.
• AnyDesk downloaded directly from anydesk.com
• A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe

Also, the threat actors observed:

• Use msiexec to uninstall Sophos via its GUID
• Change the administrator account password
• Establish an RDP tunnel via Plink

The evidence of these actors include:

• Used RDP for lateral movement
• Downloaded WizTree disk space analyzer
• Leveraged rclone (renamed as svchost.exe) for data exfiltration

Further technical data will be provided when available, but the incident response (IR) investigation is still underway.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.