New CACTUS Attack: Qlik Sense bugs used to hijack corporate systems

Brother

Vulnerabilities in the business intelligence platform allow attackers to escalate privileges and infect systems without being noticed.

Information security company Arctic Wolf has discovered a ransomware campaign by the CACTUS group that exploits recently disclosed vulnerabilities in the Qlik Sense business intelligence platform to break into target environments. The campaign is the first documented instance in which attackers deploying the CACTUS ransomware exploited Qlik Sense vulnerabilities for initial access.

Arctic Wolf, which has responded to "several cases" of Qlik Sense exploitation, noted that the attacks probably use 3 vulnerabilities disclosed over the last 3 months:
  • CVE-2023-41265 (CVSS: 9.9): an HTTP Request Tunneling vulnerability that allows a remote attacker to elevate their privileges and send requests that are executed by the backend server hosting the repository application.
  • CVE-2023-41266 (CVSS: 6.5): a Path Traversal vulnerability that allows an unauthenticated remote attacker to send HTTP requests to unauthorized endpoints.
  • CVE-2023-48365 (CVSS: 9.9): an unauthenticated Remote Code Execution (RCE) vulnerability caused by incorrect validation of HTTP headers, which allows a remote attacker to elevate their privileges by tunneling HTTP requests.

It is worth noting that CVE-2023-48365 is the result of an incomplete patch for CVE-2023-41265, which, along with CVE-2023-41266, was disclosed by Praetorian in late August 2023. The patch for CVE-2023-48365 was released on September 20, 2023.

In the attacks observed by Arctic Wolf, after the flaws are successfully exploited, the Qlik Sense Scheduler service is abused to start processes that fetch additional tools for persistence and remote management. These include ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink.

The attackers were also seen removing Sophos software, changing the administrator account password, and creating an RDP tunnel through Plink. The attack chain ends with the deployment of the CACTUS ransomware, with rclone used to exfiltrate data.

Previously, the CACTUS group broke into victims' networks through vulnerabilities in Fortinet VPN appliances, encrypting its own binary first to evade detection. The extortionists demand millions of dollars from their victims to decrypt the data, and also threaten to publish everything openly.

What sets CACTUS apart from other operations is the use of encryption to protect the ransomware binary. The attacker uses a batch script to extract the encryptor binary with 7-Zip. The original ZIP archive is then deleted, and the binary is run with a specific flag that allows it to execute. Experts believe this is done to prevent detection of the ransomware encryptor.