Qlik Sense Vulnerabilities Exploited in Ransomware Attacks

Three vulnerabilities affecting a product of business analytics firm Qlik have likely been exploited in ransomware attacks, according to security operations firm Arctic Wolf.
The cybersecurity company has reported seeing attacks that appear to exploit CVE-2023-41266, CVE-2023-41265 and CVE-2023-48365 for initial access, with the attackers then attempting to deploy Cactus ransomware on compromised systems.
The exploited vulnerabilities were discovered by Praetorian, with their details disclosed in August and September, shortly after Qlik announced the availability of patches.
The security holes, rated 'critical' and 'high severity', impact Qlik Sense Enterprise for Windows, a data analytics solution.
CVE-2023-41266 is a path traversal issue that allows a remote, unauthenticated attacker to generate anonymous sessions and send HTTP requests to unauthorized endpoints.
CVE-2023-41265 is an HTTP tunneling flaw that can be exploited to elevate privileges and execute HTTP requests on backend servers hosting repository applications.
The two vulnerabilities can be exploited by a remote, unauthenticated hacker to execute arbitrary code and add new admin users to the Qlik Sense application.
While Qlik's advisories for these vulnerabilities currently say there is no evidence of in-the-wild exploitation, Arctic Wolf claims to have seen attacks apparently exploiting the vulnerabilities for remote code execution.
After gaining initial access to the targeted organization's systems, the cybercriminals were observed uninstalling security software, changing admin account passwords, installing remote access software, using RDP for lateral movement, and exfiltrating data.
In some instances the attackers attempted to deploy Cactus ransomware.
"​​Based on significant overlaps observed in all intrusions we attribute all of the described attacks to the same threat actor, which was responsible for deployment of Cactus ransomware," Arctic Wolf said.
Qlik claims to have more than 40,000 customers, which makes vulnerabilities in its products highly valuable to hackers.
According to ZoomEye, there are more than 17,000 internet-exposed instances of Qlik Sense, mainly in the United States, followed by Brazil and several European countries.
The Cactus ransomware has been active since March 2023 and it has targeted several major organizations.
The cybercriminals have been known to exploit vulnerabilities in VPN appliances for initial access.
We acknowledge the recent Arctic Wolf report concerning CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 and are closely monitoring the situation.
It is important to note that Qlik released patches for these vulnerabilities in August and September as part of our ongoing commitment to cybersecurity.
While our initial advisories did not indicate evidence of malicious exploitation, we are diligently investigating these new reports.
Qlik remains dedicated to safeguarding our systems and will provide further information as it becomes available.
For specific concerns or additional support, customers are encouraged to reach out to Qlik Support.


This Cyber News was published on packetstormsecurity.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000


Cyber News related to Qlik Sense Vulnerabilities Exploited in Ransomware Attacks

Qlik Sense Vulnerabilities Exploited in Ransomware Attacks - Three vulnerabilities affecting a product of business analytics firm Qlik have likely been exploited in ransomware attacks, according to security operations firm Arctic Wolf. The cybersecurity company has reported seeing attacks that appear to ...
11 months ago Packetstormsecurity.com
Cactus ransomware exploiting Qlik Sense flaws to breach networks - Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or ...
11 months ago Bleepingcomputer.com
The Week in Ransomware - An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. The threat actors are said to be affiliates of numerous ransomware ...
11 months ago Bleepingcomputer.com
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
5 months ago Securityaffairs.com
The Qlik Cyber Attack: Why SSPM Is a Must Have for CISOs - On November 28 2023, Arctic Wolf Labs reported on a new Cactus ransomware campaign which exploits publicly-exposed installations of Qlik Sense, a cloud analytics and business intelligence platform. With a breach like Qlik, the first question that ...
11 months ago Securityboulevard.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
8 months ago Malwarebytes.com
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
9 months ago Techrepublic.com
VX-Underground malware collective framed by Phobos ransomware - A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the ...
11 months ago Bleepingcomputer.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
9 months ago Securityboulevard.com
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
9 months ago Blog.checkpoint.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
10 months ago Helpnetsecurity.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
9 months ago Unit42.paloaltonetworks.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
10 months ago Feeds.fortinet.com
CISA adds Qlik bugs to exploited vulnerabilities catalog - Two vulnerabilities affecting a popular data analytics tool were added to the Cybersecurity and Infrastructure Security Agency's list of exploited bugs this week. On Thursday, CISA added CVE-2023-41265 and CVE-2023-41266 to its catalog, giving ...
10 months ago Therecord.media
Best Ransomware Protection Practices for Midsize Organizations - Ransomware Protection has emerged as a crucial step in cybersecurity since ransomware attacks have become a major threat to businesses of all sizes, including midsize organizations. Ransomware attacks can be delivered via email attachments or links, ...
10 months ago Securityboulevard.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
8 months ago Securityboulevard.com
Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware - COMMENTARY. The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. The State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the ...
6 months ago Darkreading.com
Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
5 months ago Securityaffairs.com
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
4 months ago Securityaffairs.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
5 months ago Bleepingcomputer.com
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
11 months ago Bleepingcomputer.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
7 months ago Feeds.fortinet.com
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
1 month ago Securelist.com
A cyberattack shutdown the University Hospital Centre Zagreb in Croatia - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Stanford University announced that 27,000 ...
4 months ago Securityaffairs.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)