November 30, 2023 at 06:30AM
A CACTUS ransomware campaign is exploiting vulnerabilities in Qlik Sense, noted by Arctic Wolf researchers. These exploits allow attackers to gain initial access and establish persistence through various means, including disabling security software. The broader ransomware landscape continues to adapt and prove lucrative despite crackdowns, with groups like Black Basta earning over $107 million and laundering funds through sanctioned exchanges.
Meeting Takeaways:
1. **CACTUS Ransomware Campaign**
– There is an ongoing CACTUS ransomware campaign targeting a cloud analytics and business intelligence platform called Qlik Sense.
– This is the first documented instance of CACTUS ransomware exploiting Qlik Sense vulnerabilities for initial access.
2. **Vulnerabilities Exploited**
– Three disclosed security flaws are being leveraged by attackers:
a. CVE-2023-41265 (9.9 CVSS score): HTTP Request Tunneling vulnerability enabling privilege elevation.
b. CVE-2023-41266 (6.5 CVSS score): Path traversal vulnerability allowing requests to be sent to unauthorized endpoints.
c. CVE-2023-48365 (9.9 CVSS score): Unauthenticated remote code execution vulnerability also related to privilege elevation via HTTP request tunneling.
– CVE-2023-48365 was patched on November 20, 2023, and arose from an incomplete fix for CVE-2023-41265.
3. **Attack Methodology**
– Attackers exploit the vulnerabilities and then abuse the Qlik Sense Scheduler service in the follow-on activity.
– Tools like ManageEngine UEMS, AnyDesk, and Plink are downloaded to establish persistence and enable remote control.
– Actions include uninstalling Sophos software, changing admin passwords, and creating RDP tunnels.
– Attacks conclude with the deployment of CACTUS ransomware and data exfiltration via rclone.
4. **Ransomware Landscape Overview**
– Ransomware threats have grown in sophistication with an evolving underground economy of access brokers and botnet owners.
– Ransomware attacks on industrial organizations declined in the third quarter of 2023 compared to the second quarter; October 2023 saw 318 ransomware attacks across all sectors.
– Ransomware-as-a-Service (RaaS) remains a lucrative mode of extortion.
5. **Black Basta Ransomware Group**
– Since April 2022, Black Basta has allegedly earned over $107 million in Bitcoin from 90+ victims.
– Laundering of these proceeds is linked to Garantex, a Russian cryptocurrency exchange sanctioned by the U.S.
– There are indications of a connection between Black Basta, the defunct Russian cybercrime group Conti, and QakBot, which was used to deploy ransomware.
– Elliptic’s research shows that roughly 10% of the ransom was paid to QakBot when it was involved in gaining access to the victims.
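The attack methodology in item 3 gives defenders a concrete chain to hunt for: the Qlik Sense Scheduler service spawning a shell, remote-control and exfiltration tools appearing on the host, and the security agent being removed. The detection sketch below is an added example, not code from the article or from Arctic Wolf; it assumes Sysmon/EDR-style process-creation fields, and the Scheduler service image name, the tool binary names and the sample events are all constructed assumptions.

```python
"""Flag hosts where several stages of the described post-exploitation chain co-occur.
Added example, not from the article. Assumed input: process-creation events as dicts
with host, parent_image, image and command_line (Sysmon EventID 1 style)."""
from collections import defaultdict

QLIK_SCHEDULER = "scheduler.exe"  # assumed image name of the Qlik Sense Scheduler service
# Tools the takeaways name for persistence, remote control and exfiltration (UEMS name assumed).
TOOL_NAMES = {"anydesk.exe", "plink.exe", "rclone.exe", "uemsagent.exe"}
# Command-line fragments matching the actions named in item 3.
SUSPICIOUS_CMD = {
    "sophos_uninstall": ("sophos", "uninstall"),
    "rdp_tunnel": ("plink", "3389"),
    "rclone_exfil": ("rclone", "copy"),
}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def score_host(events):
    """Return the sorted detection tags raised by one host's events."""
    tags = set()
    for e in events:
        parent, image = basename(e.get("parent_image", "")), basename(e.get("image", ""))
        cmd = e.get("command_line", "").lower()
        # The scheduler service has no business spawning interactive shells.
        if parent == QLIK_SCHEDULER and image in ("cmd.exe", "powershell.exe"):
            tags.add("qlik_scheduler_shell")
        if image in TOOL_NAMES:
            tags.add("tool:" + image)
        for tag, needles in SUSPICIOUS_CMD.items():
            if all(n in cmd for n in needles):
                tags.add(tag)
    return sorted(tags)

def triage(events, min_tags=2):
    """Group events by host; report hosts where at least min_tags chain stages appear."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        tags = score_host(evs)
        if len(tags) >= min_tags:
            hits[host] = tags
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "qlik01", "parent_image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "qlik01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\rclone.exe", "command_line": r"rclone.exe copy C:\Data remote:bucket"},
    {"host": "qlik01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Sophos\SophosUninstall.exe", "command_line": "SophosUninstall.exe --quiet"},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
]
```

A lone AnyDesk launch on ws07 stays below the threshold, while qlik01 is reported because the scheduler-spawned shell, the rclone copy and the Sophos removal line up on one host.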
*Actions Recommended*:
– Follow Arctic Wolf’s advisories and patch the identified vulnerabilities in Qlik Sense promptly.
– Industries are advised to stay vigilant and take appropriate cybersecurity measures in light of the evolving ransomware threat landscape.
– Monitor for updates on the Black Basta group’s activities and modus operandi for better defense strategies.
– Stay updated on cybersecurity news and insights through trusted channels like Twitter and LinkedIn.