Cybersecurity: Qlik Sense Vulnerabilities and Cactus Ransomware Attacks
Security researchers have disclosed two vulnerabilities in Qlik Sense Enterprise for Windows, a data analytics platform developed by business analytics firm Qlik. Tracked as CVE-2023-41266 and CVE-2023-41265, the flaws are being actively exploited in the wild; chained together, they let a remote attacker reach endpoints that should require authentication and ultimately execute code on the server without any credentials.
The first vulnerability, CVE-2023-41266, is a path traversal issue that lets a remote, unauthenticated attacker generate an anonymous session and use it to send HTTP requests to endpoints that should not be reachable anonymously. It carries a CVSS v3.1 score of 8.2 (High). The second, CVE-2023-41265, is an HTTP tunneling flaw that lets a remote attacker elevate privileges and issue HTTP requests to the backend server hosting the repository application. It is rated 9.6 (Critical) on the CVSS v3.1 scale. The first flaw supplies the foothold (an anonymous session), and the second turns that foothold into backend access, which is what makes the pair exploitable for unauthenticated remote code execution.
Both vulnerabilities were discovered by Praetorian, a firm specializing in proactive vulnerability research. Praetorian published its findings in August and September 2023, in coordination with Qlik's release of patches. A bypass of the original fix for CVE-2023-41265 was then identified, re-enabling unauthenticated remote code execution on servers that had applied the first patch. Qlik released a second patch to close the bypass, which is tracked separately as CVE-2023-48365, with a more robust filtering mechanism in place of the original check.
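The bypass above is a familiar pattern: a filter that looks for the literal traversal string is defeated by an encoded or backslash variant of the same thing. The following script, an added example written for this page and not code from Praetorian, Qlik or Arctic Wolf, runs a literal-string check and a normalizing check side by side over constructed proxy-style access log lines. The log format (client IP, method, path, status) and the request paths are assumptions made for the example; they do not reproduce the real Qlik Sense exploit requests, only the class of input the vulnerability belongs to.

```python
"""Path-traversal detection over access logs: naive literal check vs. normalizing check.

Added example for this page, not vendor or researcher code. Log lines are constructed
and the request paths are illustrative, not the actual CVE-2023-41266 requests.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (assumed format: "<client ip> <method> <path> <status>").
SAMPLE_LOG = [
    "203.0.113.7 GET /resources/hub/index.html 200",
    "203.0.113.9 GET /resources/..%5C..%5Cinternal/secret 200",        # URL-encoded backslashes
    "203.0.113.9 GET /resources/%252e%252e/%252e%252e/etc/passwd 404",  # double-encoded dots
    "198.51.100.4 GET /hub/my/work 200",
    "198.51.100.5 GET /api/..\\..\\qrs 200",                            # raw backslashes
    "198.51.100.6 GET /resources/../../../windows/win.ini 200",         # plain forward-slash form
]

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def naive_is_traversal(path: str) -> bool:
    """Literal-string filter: the kind of check an encoded variant walks straight past."""
    return "../" in path


def normalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, to catch double encoding without looping
    forever) and map backslashes to forward slashes so Windows-style separators are
    treated the same as POSIX ones."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """Flag any '..' path segment after normalization, regardless of how it was encoded."""
    return any(segment == ".." for segment in normalize(path).split("/"))


def scan(lines: list[str]) -> list[dict]:
    """Return one record per traversal hit, noting whether the naive filter would have caught it."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "naive_caught": naive_is_traversal(m["path"]),
            })
    return hits


def scan_sample() -> list[dict]:
    """Run the detector over the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        flag = "also caught by naive filter" if hit["naive_caught"] else "MISSED by naive filter"
        print(f"{hit['ip']} {hit['path']} -> {hit['status']} ({flag})")
```

Of the four traversal attempts in the sample, the literal `../` check catches only the last; the encoded, double-encoded and backslash forms all slip past it and are caught only after normalization. A fix that strengthens the filter without normalizing its input first is exactly the sort of patch that gets a second CVE.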
Arctic Wolf, a security operations firm, has observed attacks exploiting these vulnerabilities to deploy Cactus ransomware. Cactus has been active since March 2023, has hit numerous high-profile victims, and is currently ranked seventh in the Top Group VPM ranking. Its operators have previously gained initial access through known vulnerabilities in VPN appliances; the campaign Arctic Wolf describes adds internet-exposed Qlik Sense servers to that list of entry points. Once inside, the operators exfiltrate sensitive data before encrypting it and use double extortion, threatening to leak the stolen data unless the ransom is paid. The Cactus binary is itself stored in encrypted form and is unpacked at runtime with a key passed on the command line, which hinders static detection and analysis.
Qlik Sense Enterprise for Windows is widely deployed, with over 40,000 customers worldwide, so a pre-authentication flaw in it gives attackers a large pool of targets. According to ZoomEye, there are over 17,000 internet-exposed instances of Qlik Sense, primarily in the United States, Brazil, and several European countries.
To reduce the risk of Cactus ransomware attacks, organizations are advised to:
- apply Qlik's latest patches for Qlik Sense Enterprise for Windows, including the second patch that addresses CVE-2023-48365, since the first patch alone can be bypassed;
- patch known vulnerabilities in VPN appliances;
- enforce multi-factor authentication;
- conduct regular risk assessments;
- avoid exposing critical services such as Qlik Sense directly to the internet;
- regularly scan and assess systems for vulnerabilities;
- monitor and control privileged accounts;
- implement strong password policies;
- employ identity and access management systems;
- deploy detection and prevention systems across the organization;
- review the security postures of third-party vendors;
- restrict command-line and scripting activity where it is not needed;
- implement phishing prevention measures;
- provide security awareness training for employees;
- segment networks;
- encrypt data at rest;
- implement role-based access controls; and
- secure critical credentials throughout the software supply chain.
These measures are crucial in safeguarding against ransomware attacks and ensuring the protection of sensitive data. As the cybersecurity landscape continues to evolve, organizations must stay vigilant and proactive in their approach to cybersecurity.
Sources:
Praetorian Blog 1
Praetorian Blog 2
Qlik Official Support Article 1
Qlik Official Support Article 2
LogPoint Blog
If you enjoyed this article, please check out our other articles on CyberNow