Cybersecurity analysts at Arctic Wolf recently unveiled a concerning trend where hackers exploit critical vulnerabilities within the Qlik Sense data analytics solution. Their report highlights Cactus leveraging three flaws, initially identified and patched by Qlik in August and September 2023.
In late August, Qlik disclosed two vulnerabilities, CVE-2023-41265 and CVE-2023-41266. A month later, the company found that one of the patches was flawed, leaving a further vulnerability tracked as CVE-2023-48365. Qlik addressed all three flaws and released the necessary patches.
Addressing the Threat
To counter the risk, users need to be aware of the three vulnerabilities, which enable attackers to create anonymous sessions. By exploiting them, an attacker can issue unauthorized HTTP requests, elevate privileges, and reach backend servers.
Cactus exploited these flaws for initial entry into unpatched Qlik Sense instances. By manipulating the Qlik Sense Scheduler service, the group initiated processes, employing PowerShell and BITS for remote access software downloads, like AnyDesk.
The group then used various infostealing tools to compromise sensitive corporate data, but the most disruptive component was the Cactus encryptor. Qlik advises upgrading to the following Sense Enterprise for Windows versions to protect against such threats:
- August 2023 Patch 2
- May 2023 Patch 6
- February 2023 Patch 10
- November 2022 Patch 12
- August 2022 Patch 14
- May 2022 Patch 16
- February 2022 Patch 15
- November 2021 Patch 17
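As an added example (not code from Arctic Wolf's report or from Qlik's advisory), the following Python turns the fixed-version list above into a patch-level check and runs it over a constructed inventory of Qlik Sense hosts. It assumes that release streams newer than August 2023 shipped with the fixes included and that releases older than November 2021, for which no fix is listed, must be treated as unpatched.

```python
import re

# Fixed Qlik Sense Enterprise for Windows versions, exactly as listed in the advisory above.
FIXED_VERSIONS = [
    "August 2023 Patch 2", "May 2023 Patch 6", "February 2023 Patch 10",
    "November 2022 Patch 12", "August 2022 Patch 14", "May 2022 Patch 16",
    "February 2022 Patch 15", "November 2021 Patch 17",
]

_MONTHS = {"February": 2, "May": 5, "August": 8, "November": 11}
_VERSION_RE = re.compile(r"^(February|May|August|November)\s+(\d{4})(?:\s+Patch\s+(\d+))?$")

def parse_version(text):
    """Turn 'May 2023 Patch 4' into ((2023, 5), 4). A bare release with no patch counts as patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    month, year, patch = m.groups()
    return (int(year), _MONTHS[month]), int(patch or 0)

# Release stream (year, month) -> minimum patch level that contains the fixes.
FIXED_PATCH_BY_RELEASE = dict(parse_version(v) for v in FIXED_VERSIONS)
NEWEST_FIXED_RELEASE = max(FIXED_PATCH_BY_RELEASE)

def is_patched(installed):
    """True if the installed version is at or above the listed fix for its release stream."""
    release, patch = parse_version(installed)
    if release in FIXED_PATCH_BY_RELEASE:
        return patch >= FIXED_PATCH_BY_RELEASE[release]
    # Assumption: streams newer than August 2023 were released after the fixes and include them.
    if release > NEWEST_FIXED_RELEASE:
        return True
    # Streams older than November 2021 have no listed fix: treat as unpatched and needing an upgrade.
    return False

def triage(inventory):
    """Return the hosts whose installed version is not covered by a listed fix, in inventory order."""
    return [host for host, version in inventory.items() if not is_patched(version)]

# Constructed sample inventory: hostnames and installed versions are made up for this example.
SAMPLE_INVENTORY = {
    "qlik-prod-01": "May 2023 Patch 6",
    "qlik-prod-02": "May 2023 Patch 4",
    "qlik-dev-01": "August 2023",
    "qlik-legacy-01": "August 2021 Patch 3",
    "qlik-new-01": "November 2023",
}
```

Running `triage(SAMPLE_INVENTORY)` flags qlik-prod-02, qlik-dev-01 and qlik-legacy-01 as needing an upgrade.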
Cactus, a newcomer in the ransomware landscape since March, follows the typical pattern of data theft and system encryption, demanding cryptocurrency payment for the decryption key and data privacy.