Dive Brief:
- Cactus ransomware is actively exploiting critical vulnerabilities in Qlik Sense, a widely used data visualization and business intelligence platform, according to research released Thursday by Fox-IT.
- Since the campaign began in November, Cactus has exploited vulnerabilities in the Qlik Sense platform, including an HTTP tunneling vulnerability in Qlik Sense for Windows, listed as CVE-2023-48365, according to Fox-IT and a previous blog from Qlik Sense. The vulnerability has a CVSS score of 9.6.
- There are currently about 2,900 vulnerable IPs and 91 compromised IPs, researchers from Shadowserver reported Monday in a collaboration with Fox-IT and the Dutch Institute for Vulnerability Disclosure.
Dive Insight:
Researchers from Praetorian previously disclosed vulnerabilities in Qlik Sense, including an HTTP tunneling vulnerability, listed as CVE-2023-41265, and a path traversal vulnerability, listed as CVE-2023-41266.
Qlik issued a patch for the vulnerabilities in August 2023; however, Praetorian published research in September describing a method to bypass that patch, tracked as CVE-2023-48365, which allows an attacker to gain unauthenticated remote code execution.
Arctic Wolf in November began responding to several cases of active exploitation of CVE-2023-48365. The hackers deployed AnyDesk and ManageEngine UEMS for remote access.
A public-private partnership, including the DIVD, the National Cyber Security Centrum and the Digital Trust Center, has notified potential victims that they may have been exposed to the Cactus threat activity, according to Fox-IT.
Cactus also engaged in a disinformation campaign, sowing false information about the breach to thwart mitigation efforts, according to Fox-IT researchers.
Cactus has been involved in some high-profile threat activity in recent months. The group claimed credit for a ransomware attack in January against Schneider Electric. In December, Microsoft warned about Cactus ransomware being deployed by the Twisted Spider threat actor in connection with Danabot infections.