Cactus ransomware exploiting Qlik Sense flaws to breach networks

Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision making processes. In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints. The second issue, tracked as CVE-2023-41265 and with a critical severity of 9.8, does not require authentication and can be leveraged to elevate privileges and execute HTTP requests on the backend server that hosts the application. On September 20, Qlik discovered that the fix for CVE-2023-41265 was insufficient provided a new update, tracking the issue as a separate vulnerability identified as CVE-2023-48365. In a recent report, cybersecurity company Arctic Wolf warns of Cactus ransomware actively exploiting these flaws on publicly-exposed Qlik Sense instances that remain unpatched. The Cactus ransomware attacks that Arctic Wolf observed exploit the security issues to execute code that causes the Qlik Sense Scheduler service to initiate new processes. The attackers execute multiple discovery commands with the output redirected into. TTF files, which Artic Wolf researchers believe is for obtaining command output via path traversal. The threat actor also used various methods to remain hidden and to gather information, such as uninstalling Sophos antivirus, changing the administrator password, and establishing an RDP tunnel using the Plink command-line connection tool. In the final stage of the attack, the hackers deployed the Cactus ransomware on the breached systems. Additional evidence collected by Arctic Wolf's analysts suggests that the threat actors used RDP to move laterally, WizTree to anlayze disk space, and rclone to exfiltrate data. The use of these tools and techniques are consistent with what researchers observed in previous Cactus ransomware attacks. Cactus ransomware emerged in March this year and adopted the double-extortion tactic, stealing data from victims and then encrypting it on compromised systems. In past attacks, they exploited Fortinet VPN flaws for initial network access. Researchers at Kroll in a report in May set the ransomware operation apart due to the use of the encryption to protect the malware binary from being detected by security products. The researchers also highlighted the use of AnyDesk remote desktop application, the rclone tool to send stolen data to cloud storage services, and the use of batch scripts to uninstall security products. LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed. Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks. HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks. CISA warns of actively exploited Windows, Sophos, and Oracle bugs. Hackers use Citrix Bleed flaw in attacks on govt networks worldwide.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 20:24:55 +0000


Cyber News related to Cactus ransomware exploiting Qlik Sense flaws to breach networks

Cactus ransomware exploiting Qlik Sense flaws to breach networks - Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or ...
10 months ago Bleepingcomputer.com
Qlik Sense Vulnerabilities Exploited in Ransomware Attacks - Three vulnerabilities affecting a product of business analytics firm Qlik have likely been exploited in ransomware attacks, according to security operations firm Arctic Wolf. The cybersecurity company has reported seeing attacks that appear to ...
10 months ago Packetstormsecurity.com
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
10 months ago Bleepingcomputer.com
The Qlik Cyber Attack: Why SSPM Is a Must Have for CISOs - On November 28 2023, Arctic Wolf Labs reported on a new Cactus ransomware campaign which exploits publicly-exposed installations of Qlik Sense, a cloud analytics and business intelligence platform. With a breach like Qlik, the first question that ...
10 months ago Securityboulevard.com
Cold storage giant Americold discloses data breach after April malware attack - Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware. Americold employs 17,000 people worldwide and ...
9 months ago Bleepingcomputer.com
VX-Underground malware collective framed by Phobos ransomware - A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the ...
10 months ago Bleepingcomputer.com
Prudential Financial data breach impacted over 2.5M individuals - Prudential Financial data breach impacted over 2.5 million individuals. Keytronic confirms data breach after ransomware attack. ABN Amro discloses data breach following an attack on a third-party provider. Christie disclosed a data breach after a ...
3 months ago Securityaffairs.com
Infosys McCamish Systems data breach impacted over 6M people - MUST READ. Infosys McCamish Systems data breach impacted over 6 million people. Keytronic confirms data breach after ransomware attack. City of Cleveland still working to fully restore systems impacted by a cyber attack. ABN Amro discloses data ...
3 months ago Securityaffairs.com
Evolve Bank data breach impacted fintech firms Wise and Affirm - MUST READ. Evolve Bank data breach impacted fintech firms Wise and Affirm. Keytronic confirms data breach after ransomware attack. ABN Amro discloses data breach following an attack on a third-party provider. Christie disclosed a data breach after a ...
3 months ago Securityaffairs.com
Microsoft issues alert on Cactus Ransomware spreading through DanaBOT Ransomware - Microsoft, the prominent American technology giant, has issued a cautionary alert regarding the proliferation of Cactus ransomware attacks disguised as the Danabot malvertising campaign. The primary goal of this malicious activity is to pilfer ...
10 months ago Cybersecurity-insiders.com
Ticketmaster confirms data breach impacting 560 million customers - MUST READ. Ticketmaster confirms data breach impacting 560 million customers. ABN Amro discloses data breach following an attack on a third-party provider. Christie disclosed a data breach after a RansomHub attack. OmniVision disclosed a data breach ...
4 months ago Securityaffairs.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Tech Security Year in Review - In this Tech Security Year in Review for 2023, let's look into the top data breaches of the past year. Each factor contributes to the growing threatscape, demanding a proactive and adaptable cybersecurity approach to safeguard your organization ...
9 months ago Securityboulevard.com
Data Breach Response: A Step-by-Step Guide - In today's interconnected world, organizations must be prepared to respond swiftly and effectively in the face of a data breach. To navigate these challenges, a well-defined and comprehensive data breach response plan is essential. Let's explore the ...
7 months ago Securityzap.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
8 months ago Securityboulevard.com
Christie disclosed a data breach after RansomHub attack - MUST READ. Christie disclosed a data breach after a RansomHub attack. OmniVision disclosed a data breach after the 2023 Cactus ransomware attack. City of Wichita disclosed a data breach after the recent ransomware attack. Australian Firstmac Limited ...
4 months ago Securityaffairs.com
Cactus ransomware claim to steal 1.5TB of Schneider Electric data - The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the company's network last month. 25MB of allegedly stolen were also leaked on the operation's dark web leak site today as proof of the threat actor's ...
7 months ago Bleepingcomputer.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
4 months ago Bleepingcomputer.com
Palo Alto Networks and IBM to Jointly Provide AI-Powered Security Offerings - PRESS RELEASE. SANTA CLARA, Calif. and ARMONK, N.Y., May 15, 2024 /PRNewswire/ - Palo Alto Networks, the global cybersecurity leader, and IBM, a leading provider of hybrid cloud and AI, today announced a broad-reaching partnership to deliver ...
4 months ago Darkreading.com
CISA adds Qlik bugs to exploited vulnerabilities catalog - Two vulnerabilities affecting a popular data analytics tool were added to the Cybersecurity and Infrastructure Security Agency's list of exploited bugs this week. On Thursday, CISA added CVE-2023-41265 and CVE-2023-41266 to its catalog, giving ...
9 months ago Therecord.media
Twisted Spider's Dangerous CACTUS Ransomware Attack - In a sophisticated cyber campaign, the group Twisted Spider, also recognized as Storm-0216, has joined forces with the cybercriminal faction Storm-1044. Employing a strategic method, they target specific endpoints through the deployment of an initial ...
9 months ago Cysecurity.news
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
8 months ago Unit42.paloaltonetworks.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
7 months ago Malwarebytes.com
The Week in Ransomware - Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organization to respond to cyberattacks. While many, like LockBit, claim to have policies in place to avoid encryping hospitals, we continue to ...
8 months ago Bleepingcomputer.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
9 months ago Feeds.fortinet.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)