Qlik Sense flaws exploited in Cactus ransomware campaign

Attackers are exploiting three critical vulnerabilities in internet-facing Qlik Sense instances to deliver Cactus ransomware to target organizations, Arctic Wolf researchers have warned.

The exploited vulnerabilities

Qlik Sense is a business intelligence and data analytics solution popular with governmental organizations and enterprises.

Attackers wielding Cactus ransomware have previously been seen breaching large commercial organizations by exploiting vulnerabilities in VPN appliances. The group also engages in double-extortion tactics.

“Based on patch level Qlik Sense is likely being exploited either via the combination or direct abuse of CVE-2023-41266, CVE-2023-41265 or potentially CVE-2023-48365 to achieve code execution,” Arctic Wolf Labs researchers shared.

CVE-2023-41266 is a path traversal vulnerability that could allow an attacker to generate an anonymous session through malicious HTTP requests and send further requests to unauthorized endpoints.

CVE-2023-41265 is an HTTP tunnelling vulnerability that could elevate attacker’s privileges to execute HTTP requests on the hosting backend server.

CVE-2023-48365 has been issued later, as the fix for CVE-2023-41265 could be bypassed by modifying the HTTP request.

“The Qlik Sense vulns were discovered in August and September by Praetorian, an InfoSec vendor – unfortunately they published a full exploit chain, which the ransomware group has lifted wholesale,” security researcher Kevin Beaumont noted.

The attack

After a successful exploitation, the attackers leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download the following tools that allow them to gain persistence and remotely control the system:

• Renamed ManageEngine UEMS executables posing as Qlik files
• The AnyDesk remote solution, pulled from the official site
• A Plink (PuTTY Link) binary renamed to putty.exe

The attackers also uninstalled Sophos’ endpoint security solution, changed the admin password, set up an RDP tunnel via Plink and used it for lateral movement, analyzed disk space with WizTree and used rclone (renamed as svchost.exe) to exfiltrate data. Finally, they managed to deploy Cactus ransomware to some of the affected systems.

“Based on significant overlaps observed in all intrusions we attribute all of the described attacks to the same threat actor,” the researchers concluded.

Beaumont says that he has seen another ransomware group exploiting Qlik Sense. “Currently it is a very low number of attacks so you might want to patch,” he added.

Patches are available

Qlik has released the patches in August and September and customers are urged to upgrade Qlik Sense Enterprise for Windows to the following versions:

• August 2023 Patch 2
• May 2023 Patch 6
• February 2023 Patch 10
• November 2022 Patch 12
• August 2022 Patch 14
• May 2022 Patch 16
• February 2022 Patch 15
• November 2021 Patch 17