Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to gain initial access to corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision-making processes.

In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints. The second issue, tracked as CVE-2023-41265 and rated critical with a severity score of 9.8, does not require authentication and can be leveraged to elevate privileges and execute HTTP requests on the backend server that hosts the application.

On September 20, Qlik discovered that the fix for CVE-2023-41265 was insufficient and provided a new update, tracking the issue as a separate vulnerability identified as CVE-2023-48365.

In a recent report, cybersecurity company Arctic Wolf warns that Cactus ransomware is actively exploiting these flaws on publicly exposed Qlik Sense instances that remain unpatched. The Cactus ransomware attacks that Arctic Wolf observed exploit the security issues to execute code that causes the Qlik Sense Scheduler service to initiate new processes. The attackers execute multiple discovery commands with the output redirected into .TTF files, which Arctic Wolf researchers believe is a way of retrieving command output via path traversal.

The threat actor also used various methods to remain hidden and to gather information, such as uninstalling Sophos antivirus, changing the administrator password, and establishing an RDP tunnel using the Plink command-line connection tool. In the final stage of the attack, the hackers deployed the Cactus ransomware on the breached systems.
Additional evidence collected by Arctic Wolf's analysts suggests that the threat actors used RDP to move laterally, WizTree to analyze disk space, and rclone to exfiltrate data. The use of these tools and techniques is consistent with what researchers observed in previous Cactus ransomware attacks.

Cactus ransomware emerged in March this year and adopted the double-extortion tactic, stealing data from victims and then encrypting it on compromised systems. In past attacks, the group exploited Fortinet VPN flaws for initial network access. In a report in May, researchers at Kroll set the ransomware operation apart because of its use of encryption to protect the malware binary from detection by security products. The researchers also highlighted the use of the AnyDesk remote desktop application, the rclone tool to send stolen data to cloud storage services, and batch scripts to uninstall security products.
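As an added illustration (not part of the BleepingComputer article or Arctic Wolf's report), the following Python sketch turns the behaviours described above into detection rules run over constructed process-creation events: a shell spawned by the Qlik Sense Scheduler service, command output redirected into a .ttf file, and execution of Plink, rclone or WizTree. The Scheduler's install path and every sample event are assumptions, not values taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:  # one process-creation record (Sysmon EID 1 / EDR telemetry)
    parent_image: str
    image: str
    command_line: str

# ASSUMPTION: the Qlik Sense Scheduler service runs from a path containing this
# folder; adjust it to the install path on your own hosts.
SCHEDULER_PATH = re.compile(r"\\Qlik\\Sense\\Scheduler\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}
# A redirect operator followed by a file name ending in .ttf
TTF_REDIRECT = re.compile(r'>{1,2}\s*"?[^\s"]+\.ttf\b', re.IGNORECASE)
TOOLING = {"plink.exe": "Plink execution (RDP tunnelling)",   # tooling named in the report
           "rclone.exe": "rclone execution (data exfiltration)",
           "wiztree.exe": "WizTree execution (disk enumeration)"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event triggers (empty if none)."""
    hits = []
    if SCHEDULER_PATH.search(ev.parent_image) and basename(ev.image) in SHELLS:
        hits.append("shell spawned by Qlik Sense Scheduler service")
    if TTF_REDIRECT.search(ev.command_line):
        hits.append("command output redirected into .ttf file")
    tool = TOOLING.get(basename(ev.image))
    if tool:
        hits.append(tool)
    return hits

def scan(events: List[ProcEvent]) -> List[tuple]:
    # (image, hits) for every event that triggers at least one rule
    return [(ev.image, h) for ev in events if (h := evaluate(ev))]

# Constructed sample telemetry (not from the report). The third event is a
# benign control: a .ttf in the command line without a redirect must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c whoami /all > C:\ProgramData\Qlik\out.ttf"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\plink.exe",
              "plink.exe [arguments omitted]"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe",
              r"notepad.exe C:\Windows\Fonts\arial.ttf"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\ProgramData\rclone.exe",
              "rclone.exe [arguments omitted]"),
]
```

Run `scan(SAMPLE_EVENTS)` to see which constructed events fire; in a real pipeline the parent-image rule is the highest-signal one, since the Scheduler service has no business launching an interactive shell.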
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 20:24:55 +0000