Arctic Wolf researchers have detected a CACTUS ransomware campaign exploiting security vulnerabilities within Qlik Sense, a cloud analytics and business intelligence platform. This marks the first instance where CACTUS ransomware attackers have leveraged these vulnerabilities for initial access.
The attacks, observed across multiple incidents by the cybersecurity company, likely exploit three flaws disclosed within the last three months:
- CVE-2023-41265: Allows remote attackers to escalate privileges and execute requests on the backend server hosting the repository application.
- CVE-2023-41266: A path traversal vulnerability enabling unauthenticated remote attackers to send requests to unauthorized endpoints.
- CVE-2023-48365: An unauthenticated remote code execution vulnerability due to improper validation of HTTP headers, facilitating privilege escalation through HTTP request tunneling.
Arctic Wolf observed that successful exploitation of these flaws led to abuse of the Qlik Sense Scheduler service. This was followed by steps to establish persistence and remote control, including the installation of additional tools such as ManageEngine UEMS, AnyDesk, and Plink. Notably, the threat actors uninstalled Sophos software, altered administrator passwords, and created RDP tunnels via Plink. These actions culminated in the deployment of CACTUS ransomware and data exfiltration using rclone.
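As an added example (not code from Arctic Wolf or the article), the post-exploitation chain described above can be turned into a simple process-creation triage rule. The event field names, the sample events, and the Qlik Scheduler image name are assumptions; adjust them to your own telemetry.

```python
import re
from typing import Dict, List

# Assumed image name of the Qlik Sense Scheduler service (hypothetical).
QLIK_SCHEDULER = "scheduler.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
TOOLS = {"plink.exe", "rclone.exe", "anydesk.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the chain stages an event matches; empty list means no match."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    hits: List[str] = []
    if parent == QLIK_SCHEDULER and image in SHELLS:
        hits.append("scheduler-abuse")        # service spawning a shell
    if image in TOOLS:
        hits.append("tooling")                # remote-control / exfil tools
    if re.search(r"\bnet1?\s+user\s+administrator\s+\S", cmd):
        hits.append("admin-password-change")
    if "sophos" in cmd and ("uninstall" in cmd or "/x" in cmd):
        hits.append("av-removal")
    if "plink" in cmd and re.search(r"\s-r\s", cmd):
        hits.append("rdp-tunnel")             # plink remote port forward
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user Administrator Changed123!"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Temp\plink.exe",
     "cmdline": "plink.exe -R 3389:127.0.0.1:3389 user@remote-host"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe"},
]


def triage(events: List[Dict[str, str]]) -> List[tuple]:
    """(image name, stages) for each event matching at least one stage."""
    return [(basename(e["image"]), s) for e in events if (s := classify(e))]
```

Each stage on its own is noisy in a real environment; the value is in the scheduler-to-shell parent/child relationship and in several stages firing on the same host within a short window.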
Amidst an evolving ransomware landscape, cyberattacks have become more intricate, utilizing initial access brokers and botnet owners to facilitate large-scale attacks. Despite global efforts to combat ransomware, the ransomware-as-a-service (RaaS) model remains profitable.
Recent joint research by Elliptic and Corvus Insurance revealed Black Basta, a ransomware group, amassed over $107 million in illegal Bitcoin ransom payments from 90+ victims. A significant portion of these proceeds was channeled through the Russian cryptocurrency exchange Garantex, previously sanctioned for dealings with the Hydra darknet marketplace.
The investigation linked Black Basta to Conti and QakBot, illustrating the complex interconnections within the cybercriminal ecosystem. Approximately 10% of the ransom amounts were directed to QakBot, notably in cases where it had provided access to the victims.