Thousands of Qlik Sense servers open to Cactus ransomware

Nearly five months after security researchers warned of the Cactus ransomware group exploiting a set of three vulnerabilities in the Qlik Sense data analytics and business intelligence (BI) platform, many organizations remain dangerously vulnerable to the threat.

Qlik disclosed the vulnerabilities in August and September. The company’s August disclosure was about two bugs in multiple versions of Qlik Sense Enterprise for Windows tracked as CVE-2023-41266 and CVE-2023-41265. The vulnerabilities, when chained together, provide a way for a remote, unauthenticated attacker to execute arbitrary code on affected systems. In September, Qlik revealed CVE-2023-48365, which turned out to be a bypass of Qlik’s fix for the previous two flaws in August.

Gartner has ranked Qlik as one of the leading data visualization and BI vendors on the market.

Continuous exploitation of Qlik security bugs

Two months later, Arctic Wolf reported observing operators of the Cactus ransomware exploiting the three vulnerabilities to gain an initial foothold in targeted environments. At the time, the security vendor said it was responding to multiple cases of customers experiencing attacks via Qlik Sense vulnerabilities and warned that the Cactus group’s campaign was rapidly developing.

Even so, it appears many organizations didn’t get the memo. A scan carried out by Fox-IT researchers on April 17 discovered a total of 5,205 Qlik Sense servers accessible from the Internet, of which 3,143 servers were still vulnerable to the campaign of the Cactus group. Of that number, 396 servers appeared to be located in the United States. Other countries with relatively large numbers of vulnerable Qlik Sense servers include Italy with 280, Brazil with 244, and the Netherlands and Germany with 241 and 175, respectively.

Fox-IT is part of a group of security organizations in the Netherlands, including the Dutch Institute for Vulnerability Disclosure (DIVD), working collaboratively under the umbrella of a project called Project Melissa, to disrupt operations of the Cactus group.

After discovering the vulnerable servers, Fox-IT forwarded its fingerprint and scan data to DIVD, which then began contacting the administrators of the vulnerable Qlik Sense servers regarding their organization’s exposure to potential Cactus ransomware attacks. In some cases, DIVD sent notifications directly to potential victims while in others the organization attempted to relay the information to them via their national computer emergency response teams.

Security organizations are warning potential victims of Cactus ransomware

The ShadowServer Foundation is also reaching out to at-risk organizations. In a critical warning this week, the nonprofit threat intelligence service described the situation as one in which a failure to remediate could leave organizations with a very high probability of compromise.

“If you receive an alert from us about a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network,” ShadowServer said. “Compromised instances are determined remotely by checking for files with the .ttf or .woff extension.”

Fox-IT said it has identified at least 122 instances of Qlik Sense as possibly compromised by the three vulnerabilities. Forty-nine of them were in the United States; 13 in Spain; 11 in Italy; and the rest spread across 17 other countries. “When the indicator of a compromised artifact is present on a remote Qlik Sense server, it can imply various scenarios,” Fox-IT said. It could, for example, suggest that the attackers executed code remotely on the server, or it could simply be an artifact of a previous security incident.

“It is critical to understand that ‘already compromised’ can mean that ransomware has been deployed and initial access artifacts left behind have not been removed, or that the system remains compromised and is potentially ripe for a future ransomware attack,” Fox-IT said.
