November 30, 2023 at 09:42AM
Arctic Wolf has linked three critical vulnerabilities in Qlik’s analytics products to ransomware attacks, notably Cactus ransomware. The vulnerabilities, reported by Praetorian and patched by Qlik, allow remote code execution and admin access, with over 17,000 internet-exposed instances. The same threat actor seems responsible for multiple intrusions.
Meeting Takeaways:
1. Arctic Wolf reports that three vulnerabilities in Qlik’s product, identified as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, have been exploited in ransomware attacks.
2. Attackers seem to have used these vulnerabilities to gain initial access and attempt to deploy the Cactus ransomware on affected systems.
3. Details about the vulnerabilities were disclosed by Praetorian in August and September, following the release of patches by Qlik.
4. The critical and high-severity vulnerabilities impact Qlik Sense Enterprise for Windows and include:
– CVE-2023-41266: Path traversal issue allowing anonymous session generation and unauthorized HTTP requests.
– CVE-2023-41265: HTTP tunneling flaw permitting privilege escalation and backend server HTTP request execution.
– CVE-2023-48365: A bypass of the patch for CVE-2023-41265, allowing the same type of exploitation.
5. Arctic Wolf has witnessed attacks that not only exploited the vulnerabilities but also involved uninstalling security software, changing admin passwords, installing remote access tools, using RDP for lateral movement, and data exfiltration in preparation for ransomware deployment.
6. All observed intrusions with these characteristics have been attributed to a single threat actor responsible for Cactus ransomware deployment.
7. Qlik is a widely used product with more than 40,000 customers, creating a vast attack surface for cybercriminals.
8. As of the report, over 17,000 instances of Qlik Sense are exposed to the internet, mostly in the United States, Brazil, and various European countries.
9. The Cactus ransomware group, active since March 2023, has been exploiting vulnerabilities, including those in VPN appliances, for initial breach access.
10. The report also mentions other related security incidents involving recently patched vulnerabilities in TeamCity, Zimbra, and SysAid, which have been exploited by cybercriminal groups, underscoring how widely ransomware actors target software vulnerabilities.