Cyber Security Threat Summary:
According to a new blog post by researchers at Artic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems. After successful exploitation, researchers note that the actors are abusing Qlik Sense’s Scheduler service to spawn processes designed to retrieve and download additional tools including ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink which can be leveraged for further persistence and lateral movement. Also observed in attacks is the use of rclone, which is being used to exfiltrate data from victim systems.

Security Officer Comments:
Based on the tools employed and the intrusions observed, researchers have attributed these attacks to a threat actor responsible for the deployment of Cactus ransomware. Cactus ransomware is a fairly new ransomware group that initiated operations earlier this year. In the past, this group has exploited vulnerabilities in VPN appliances and abused RDP services to gain initial access to and move laterally across victim environments. The latest set of attacks indicates the continued abuse of known vulnerabilities and open-source tools by Cactus actors.

Suggested Correction(s):
Being updated on the latest trends and TTPs associated with groups like Cactus ransomware can be instrumental in preventing potential attacks. Researchers have published indicators of compromise in their blog post which can be used to detect Cactus-related activity.

Link(s):
https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/