CACTUS Qlik Ransomware: Vulnerabilities Exploited
A cyberattack campaign dubbed the CACTUS Qlik Ransomware has become prominent in ransomware attacks on BI systems. Researchers have warned of threat actors exploiting three Qlik security vulnerabilities to target different organizations and enterprises. Let’s dive into how threat actors have managed to exploit such vulnerabilities and the countermeasures being taken by Qlik.
Details Of The CACTUS Qlik Ransomware
Qlik Sense is a cloud-based data analytics and business intelligence (BI) platform often used by government organizations. CACTUS, on the other hand, is a ransomware strain discovered earlier this year in May. CACTUS ransomware tactics at the time revolved around leveraging known VPN appliance flaws to gain initial access.
Although reports of the CACTUS ransomware first surfaced in May 2023, the exploits have been traced back to March. CACTUS hacker group strategies were primarily centered around stealing unencrypted sensitive data prior to encryption and then using double extortion tactics.
Researchers at Arctic Wolf have recently discovered the CACTUS threat actors exploiting Qlik security vulnerabilities. Three CVEs used for exploits have been identified. It is believed that after gaining initial access, threat actors behind CACTUS use multiple tactics that include:
- Uninstalling security software.
- Changing administrative logins.
- Installing remote access software.
- Deploying Remote Desktop Protocol (RDP) for lateral movement.
- Acquiring data and deploying the ransomware.
However, as per Qlik, there is no evidence of the vulnerabilities being exploited by threat actors. A statement from the data analytics platform reads, “While our initial advisories did not indicate evidence of malicious exploitation, we are diligently investigating these new reports.”
Qlik Security Vulnerabilities Exploited By Threat Actors
Reports have mentioned three vulnerabilities disclosed over the past three months being exploited. These vulnerabilities include:
- CVE-2023-41265 – this is an HTTP request tunneling vulnerability with a severity rating of 9.9. This vulnerability, if exploited, allows a threat actor to elevate their privileges. Furthermore, it enables cybercriminals to send requests executed by the backend server.
- CVE-2023-41266 – with a severity score of 6.5, this path traversal vulnerability can be exploited by a remote attacker, allowing them to send HTTP requests to unauthorized endpoints.
- CVE-2023-48365 – a remote code execution vulnerability with a severity score of 9.9 that arises from improper validation of HTTP headers and leads to privilege escalation via HTTP request tunneling.
Both CVE-2023-41265 and CVE-2023-41266 were discovered in August, and a patch was released in the following month. However, the patch being incomplete is what led to CVE-2023-48365.
CACTUS Hacker Group Strategies Used During The Attack
Threat actors, after the initial exploitation, are believed to have used PowerShell and the Background Intelligent Transfer Service (BITS) to carry out the attack. They used the tools mentioned below to build persistence within the network and control the system remotely.
- AnyDesk remote solution.
- A PuTTY link which was renamed to “putty.exe.”
- ManageEngine UMES for renaming executables that posed as Qlik files.
To defeat the endpoint defenses around Qlik Sense, the attackers then uninstalled the Sophos endpoint security solution and changed the admin password. From this point onwards, the PuTTY link was used to set up RDP for lateral movement within the network.
CACTUS attackers then used WizTree to analyze disk space and rclone (renamed to “svchost.exe”) to collect and exfiltrate data, and later deployed the ransomware to some of the affected systems.
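As an added illustration (not code from the article or from Arctic Wolf's report), the following Python checks constructed Sysmon-style process-creation records for the masquerading described above: a binary whose on-disk name differs from its PE OriginalFileName, the tools the article names (rclone, Plink, AnyDesk) regardless of what they were renamed to, and system binary names such as svchost.exe running outside the Windows system directories. The sample records are constructed, not real telemetry from the incident.

```python
import ntpath

# Tools named in the article as used after initial access; matched on the PE
# OriginalFileName so renaming the file on disk does not hide them.
WATCHED_TOOLS = {"rclone", "plink", "anydesk"}

# System binary names borrowed for masquerading (svchost.exe in the reported
# intrusions) and the directories where the legitimate copies live.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 1 style records (assumption: fields named as Sysmon does).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": "C:\\ProgramData\\svchost.exe", "OriginalFileName": "rclone.exe"},
    {"Image": "C:\\Users\\Public\\putty.exe", "OriginalFileName": "Plink"},
    {"Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
]


def _stem(name: str) -> str:
    """Lower-case a file name and drop a trailing .exe so 'Plink' matches 'plink.exe'."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: dict) -> list:
    """Return the reasons one process-creation record matches the described tradecraft."""
    image = event["Image"]
    base = ntpath.basename(image)
    original = event.get("OriginalFileName", "")
    reasons = []
    if _stem(original) in WATCHED_TOOLS:
        reasons.append(f"watched tool {original} running as {base}")
    if original and _stem(original) != _stem(base):
        reasons.append(f"renamed binary: on disk {base}, PE name {original}")
    if base.lower() in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{base} running outside a system directory")
    return reasons


def scan(events: list) -> dict:
    """Map each suspicious Image path to its reasons; clean records are omitted."""
    return {e["Image"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

On the sample records, the legitimate svchost.exe produces no finding, the renamed rclone triggers all three checks, and the renamed Plink triggers the tool and rename checks.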
Qlik Sense Counter Measures
Further technical details, as per Arctic Wolf, will be made available upon conclusion of the incident response investigation. Researchers have currently stated that “Based on significant overlaps observed in all intrusions, we attribute all of the described attacks to the same threat actor, which was responsible for deployment of Cactus ransomware.”
Qlik, on the other hand, has released patches in both August and September and has urged customers to upgrade Qlik Sense Enterprise for Windows. Commenting on the recent exploits, the organization has stated, “We strongly recommend that all customers verify they have applied these patches. Qlik remains dedicated to safeguarding our systems and will provide further information as it becomes available.”
It’s worth mentioning that Qlik claims to serve 40,000 customers, which makes such vulnerabilities highly valuable to threat actors. The CACTUS Qlik ransomware attack serves as a stark reminder of the need for cybersecurity strategies for data visualization and analytics software operating worldwide.
Researchers have observed vulnerabilities in Qlik Sense solutions being exploited by threat actors aiming to deploy the CACTUS ransomware. The activities of the hackers behind this ransomware and its strains can be traced back to March 2023.
These attackers gain unauthorized access, set up remote control, move laterally and collect data, and then deploy ransomware. The severity and potential negative implications of these events underline the need for proactive cybersecurity measures at organizations worldwide.