Thousands of Qlik Sense Servers at Risk from Cactus Ransomware Intrusion


The vulnerabilities within the business intelligence servers were addressed by Qlik last year, yet Cactus actors have been exploiting them since November. A large number of organizations remain unpatched.

Almost five months following the cautionary notice from security researchers regarding the exploitation of three vulnerabilities in the Qlik Sense data analytics and business intelligence (BI) platform by the Cactus ransomware group, numerous organizations remain alarmingly susceptible to this threat.

Qlik disclosed these vulnerabilities in August and September. The August advisory covered two flaws affecting multiple versions of Qlik Sense Enterprise for Windows, tracked as CVE-2023-41266 and CVE-2023-41265. Chained together, they allow a remote, unauthenticated attacker to execute arbitrary code on the affected server. In September, Qlik disclosed CVE-2023-48365, a bypass of the patch it had issued for the two August vulnerabilities.

Gartner recognizes Qlik as one of the foremost vendors in the data visualization and BI market.

Ongoing Exploitation of Qlik Security Vulnerabilities

Two months later, Arctic Wolf reported the detection of Cactus ransomware operators exploiting the three vulnerabilities to establish initial access in targeted environments. At that time, the security vendor noted multiple instances of customers falling victim to attacks through the Qlik Sense vulnerabilities and cautioned about the rapidly evolving nature of the Cactus group campaign.

Despite these warnings, it appears that many organizations remained unaware. A scan conducted by researchers at Fox-IT on April 17 revealed a total of 5,205 Internet-accessible Qlik Sense servers, out of which 3,143 servers remained vulnerable to exploits by the Cactus group. Among these, 396 servers were identified in the US, with other countries such as Italy (280), Brazil (244), Netherlands (241), and Germany (175) also showing relatively high numbers of vulnerable servers.

Fox-IT, collaborating with other security organizations in the Netherlands including the Dutch Institute for Vulnerability Disclosure (DIVD), is actively involved in Project Melissa, aimed at disrupting the operations of the Cactus group.

Upon identifying the vulnerable servers, Fox-IT shared its findings and scan data with DIVD, which then contacted administrators of the vulnerable Qlik Sense servers about their organization’s exposure to potential Cactus ransomware attacks. In some cases DIVD notified potential victims directly; in others it relayed the information through the relevant national computer emergency response teams (CERTs).

Security Organizations Issuing Alerts to Potential Victims of Cactus Ransomware

The ShadowServer Foundation is actively engaging with vulnerable organizations. In a recent critical alert, the nonprofit threat intelligence service emphasized the urgent need for remediation, warning that failure to do so could significantly increase the likelihood of compromise for affected organizations.

“If you receive an alert from us regarding a vulnerable instance detected within your network or constituency, it’s essential to consider the possibility of compromise not only for the instance but potentially for your entire network,” stated ShadowServer. “Instances suspected of compromise are identified remotely by examining files with .ttf or .woff extensions.”

Fox-IT reported detecting approximately 122 Qlik Sense instances likely compromised through the exploitation of the three vulnerabilities. Among these instances, 49 were located in the US, 13 in Spain, and 11 in Italy, with the remainder distributed across 17 other countries. “The presence of indicators of compromise artifacts on a remote Qlik Sense server can imply various scenarios,” noted Fox-IT. This could indicate remote code execution by attackers or may simply be remnants from a previous security incident.

“It’s vital to recognize that ‘already compromised’ could indicate either the deployment of ransomware with residual artifacts or an ongoing compromise that might lead to a future ransomware attack,” cautioned Fox-IT.
