{"id":302,"date":"2023-12-13T21:45:31","date_gmt":"2023-12-13T21:45:31","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/?p=302"},"modified":"2023-12-13T21:45:31","modified_gmt":"2023-12-13T21:45:31","slug":"an-analysis-of-the-cactus-ransomware","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/2023\/12\/13\/an-analysis-of-the-cactus-ransomware\/","title":{"rendered":"An Analysis of the Cactus Ransomware"},"content":{"rendered":"\n<p>Recently, the Qlik Sense Enterprise business platform has been under continuous attack by a new ransomware known as Cactus (Newsroom, 2023). This ransomware is notorious as the first documented case of a threat actor exploiting a vulnerability to gain initial access to Qlik Sense Enterprise\u2019s systems. The attack was carried out using three recently discovered vulnerabilities, two of which had been given a critical score by the NVD.<\/p>\n\n\n\n<p>The vulnerabilities used in the attack against Qlik Sense Enterprise were <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41265\">CVE-2023-41265<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41266\">CVE-2023-41266<\/a>, and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48365\">CVE-2023-48365<\/a> (Newsroom, 2023). The first of these is an HTTP-related flaw that allows a threat actor to use tunneling to elevate their privileges. Given the severity of that outcome, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41265\">CVE-2023-41265<\/a> was given a score of 9.9 \u2013 critical by both the NVD and MITRE.<\/p>\n\n\n\n<p>The second of the three vulnerabilities used by the Cactus ransomware, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41266\">CVE-2023-41266<\/a>, is a path traversal vulnerability unique to Qlik Sense Enterprise for Windows.
Like <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41265\">CVE-2023-41265<\/a>, it abuses the handling of HTTP requests. Specifically, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41266\">CVE-2023-41266<\/a> allows a threat actor to generate anonymous sessions, which let them send unauthorized HTTP requests to certain endpoints. Because it depends on the exploitation of a separate vulnerability, however, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41266\">CVE-2023-41266<\/a> was given a score of 6.5 \u2013 medium by the NVD and 8.2 \u2013 high by MITRE.<\/p>\n\n\n\n<p>The third vulnerability exploited by the Cactus ransomware, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48365\">CVE-2023-48365<\/a>, also works through unauthorized use of HTTP. This is the vulnerability that allows an unauthorized threat actor to execute code remotely. It arose from an incomplete fix for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41265\">CVE-2023-41265<\/a>. Although it too relies on another vulnerability in order to be exploited, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48365\">CVE-2023-48365<\/a> has been given a score of 9.9 \u2013 Critical by the NVD and 9.6 \u2013 Critical by MITRE, reflecting how dangerous it is. It is especially dangerous for Qlik Sense Enterprise for Windows systems that have not yet received the August 2023 Patch 2, since that patch resolved much of what allowed <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48365\">CVE-2023-48365<\/a> to be exploited.<\/p>\n\n\n\n<p>These three vulnerabilities were all key parts of a multi-stage attack that posed a threat to Qlik Sense Enterprise on a scale never before seen in the platform\u2019s history. The attack resulted in large-scale theft of users\u2019 information and money.
The stolen information was then encrypted in order to extort still more money (Toulas, 2023).<\/p>\n\n\n\n<p>The first stage of the Cactus ransomware attack was the exploitation of security issues in the HTTP handling code used by Qlik. This caused the Qlik Sense Scheduler to start a new process that the threat actor could use (Toulas, 2023). Ultimately, this gave the threat actor access to the target\u2019s device, from which stage two of the attack could begin.<\/p>\n\n\n\n<p>The second stage of the Cactus ransomware attack involved using PowerShell and the Background Intelligent Transfer Service to download the tools the threat actor needed to maintain a persistent presence on the target\u2019s device. These tools \u2013 namely ManageEngine UEMS, AnyDesk, and a PuTTY Link binary (Toulas, 2023) \u2013 were either disguised or installed in such a way that the user would not suspect them of being part of a ransomware attack against their device.<\/p>\n\n\n\n<p>Once this connection was established, the threat actors would execute discovery commands and redirect their output into .TTF files. Though the reason for this particular action is not yet confirmed, Arctic Wolf researchers believe it is so that the threat actor can retrieve the command output through path traversal (Toulas, 2023).<\/p>\n\n\n\n<p>Following the execution of these discovery commands, the threat actor would stay hidden for a prolonged period, making subtle changes that would ease the final stage of the attack. These include uninstalling antivirus, changing the administrator password, and establishing an RDP tunnel with the PuTTY Link command-line connection tool (Toulas, 2023). Once those steps were completed, the threat actor would move on to the final stage of the attack.<\/p>\n\n\n\n<p>That final stage was the installation of the Cactus ransomware onto the victim\u2019s computer.
Because of its unique programming and the extensive infiltration the threat actor had already carried out before installing it, the ransomware would install itself regardless of whatever protections the target still had on their device. No antivirus, not even a VPN, could protect a target\u2019s computer from the Cactus ransomware (Magar, 2023).<\/p>\n\n\n\n<p>Yet even after successfully infecting a device, Cactus ransomware\u2019s work was not done. Upon installation, Cactus would encrypt itself. The encrypted file would then be divided into even smaller files known as micro-buffers (Magar, 2023), all to prevent detection and force the victim to pay the ransom demanded by the threat actor.<\/p>\n\n\n\n<p>Due to all of these properties, Cactus ended up causing severe damage, not just in the form of the ransom it demanded from users, who had been left no choice but to pay, but also in the form of regulatory fees and disrupted services (Magar, 2023). The exact figures for this damage are not yet known because the Cactus ransomware attacks took place so recently and may still be ongoing. The fact that the majority of the targets have been relatively high-profile has no doubt augmented the damage caused by Cactus ransomware.<\/p>\n\n\n\n<p>While the full resolution of the Cactus ransomware attacks is still in progress, organizations such as NIST, CISA, and SANS have provided their insight on general security practices that can prevent ransomware attacks from occurring. These include enforcing two-factor authentication for all services, especially those used for communication (Magar, 2023).<\/p>\n\n\n\n<p>Another guideline provided by these organizations is a policy of frequent risk assessments.
Such a policy would allow a company\u2019s cybersecurity team to identify and prioritize the threats and vulnerabilities facing a given network (Magar, 2023).<\/p>\n\n\n\n<p>Additionally, the organizations recommended a policy of strong passwords that are changed frequently (Magar, 2023). This would make brute force attacks essentially impossible. Frequent changes would also give threat actors only a small window of time before the information they may have stolen through a database leak is rendered obsolete.<\/p>\n\n\n\n<p>These two are among a list of sixteen general recommendations made to increase cyber-security as a whole. For the Cactus ransomware specifically, however, the best thing one can do is make sure their installation of Qlik Sense Enterprise is up to date, and download any updates or patches that come out in the future.<\/p>\n\n\n\n<p>It is good general policy to keep software up to date, because updates often patch the very vulnerabilities threat actors use to gain unauthorized access and cause harm to a network. A relevant example is that on September 20, 2023, a patch for CVE-2023-48365 was shipped (Newsroom, 2023). While the other two vulnerabilities used by Cactus have yet to be patched, the patching of CVE-2023-48365 poses a serious challenge to future threat actors attempting to infect patched devices with Cactus, because of how critical CVE-2023-48365 was to the attack process as a whole. Without the elevated privileges the vulnerability grants a threat actor, it is impossible to do things such as changing the administrator password that are necessary for the attack to proceed.<\/p>\n\n\n\n<p>That said, there is still much to be done to resolve the issues that allowed Cactus ransomware to earn its spot as Darkfeed\u2019s seventh most prevalent ransomware in the month of November (Magar, 2023).
The main issue being resolved is its ability to bypass VPNs (Magar, 2023). VPNs, or Virtual Private Networks, are a technology that allows a user to assign a different IP address to their device. Many also come with antivirus and other security measures.<\/p>\n\n\n\n<p>While this wave of ransomware attacks first brought public attention to the potential to hack virtual private networks, the CACTUS group behind the eponymous attack is believed to have had prior experience in bypassing Virtual Private Networks, which some see as a modus operandi of sorts for the group (Khaitan, 2023). Besides their sophisticated methods and the moniker they leave in the ransom note on infected devices, very little is known about CACTUS and their motives. Because of this, it has been almost impossible for law enforcement and private investigators to determine why CACTUS does what it does.<\/p>\n\n\n\n<p>In conclusion, the Cactus ransomware attacks that started in March of 2023 were among the most sophisticated attacks ever deployed. They used a collection of HTTP exploits that allowed threat actors to gain unauthorized access to a target device. Once access was gained, they would subtly collect data and mask their presence on the device. Only after a long process of data collection and tampering would the ransomware be released, by which point it was able to bypass VPNs. The only thing one can do at this moment to mitigate the risk of Cactus ransomware is to follow common cyber-security best practices. The group behind the ransomware, CACTUS, is shrouded in mystery and its motives are as yet unknown.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<p>Khaitan, A. (2023, September 6). <em>Cactus ransomware group hits 5 global corporations, Marfrig, Seymours among victims<\/em>. The Cyber Express. https:\/\/thecyberexpress.com\/cactus-ransomware-group-major-corporations\/<\/p>\n\n\n\n<p>Magar, B. T. (2023, November 24).
<em>Cactus, a new player in the ransomware game \u2013 is it the last?<\/em>. Logpoint. https:\/\/www.logpoint.com\/en\/blog\/emerging-threat\/cactus-a-new-player-in-the-ransomware-game\/<\/p>\n\n\n\n<p>Newsroom. (2023, November 30). <em>Cactus ransomware exploits Qlik Sense vulnerabilities in targeted attacks<\/em>. The Hacker News. https:\/\/thehackernews.com\/2023\/11\/cactus-ransomware-exploits-qlik-sense.html<\/p>\n\n\n\n<p>NVD. (2023a, September 8). <em>CVE-2023-41265 detail<\/em>. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41265<\/p>\n\n\n\n<p>NVD. (2023b, August 29). <em>CVE-2023-41266 detail<\/em>. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41266<\/p>\n\n\n\n<p>NVD. (2023c, November 15). <em>CVE-2023-48365 detail<\/em>. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48365<\/p>\n\n\n\n<p>Toulas, B. (2023, November 30). <em>Cactus ransomware exploiting Qlik Sense flaws to breach networks<\/em>. BleepingComputer. https:\/\/www.bleepingcomputer.com\/news\/security\/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, the Qlik Sense Enterprise business platform has been under continuous attack by a new ransomware known as Cactus (Newsroom, 2023). This ransomware is notorious as the first documented case of a threat actor exploiting a vulnerability to gain initial access to Qlik Sense Enterprise\u2019s systems.
This attack was done through the usage of&#8230; <\/p>\n<div class=\"link-more\"><a href=\"https:\/\/sites.wp.odu.edu\/hbvportfolio\/2023\/12\/13\/an-analysis-of-the-cactus-ransomware\/\">Read More<\/a><\/div>\n","protected":false},"author":27557,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":0},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/posts\/302"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/users\/27557"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"predecessor-version":[{"id":303,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/posts\/302\/revisions\/303"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/hbvportfolio\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}