What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Qlik Sense Exploitation

December 7, 2023 | 4 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

eSentire has observed multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access into victim organizations. Qlik Sense is a popular data analytics platform; there is a high probability that Qlik Sense servers, that are unpatched and internet-facing, will be targeted in an ongoing campaign.

Qlik Sense vulnerabilities, known to be targeted by threat actors for initial access, include CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365. Post-exploitation, eSentire observed the delivery of multiple Remote Monitoring and Management (RMM) tools including ManageEngine and AnyDesk, as well as attempted delivery of the terminal emulation tool PuTTY.

eSentire assesses with high confidence that this activity is related to a campaign externally reported to lead to the deployment of Cactus ransomware. As exploitation has been confirmed, it is critical that organizations ensure Qlik Sense is updated to the most recent version.

What we’re doing about it

What you should do about it

Additional information

In incidents observed by eSentire, one or multiple of the following Qlik Sense vulnerabilities were exploited for initial access into victim organizations.

Immediately after exploitation, eSentire observed the use of PowerShell commands attempting to download additional tools onto the victim asset. These included the Remote Monitoring and Management (RMM) tools ManageEngine and AnyDesk, as well as the terminal emulation tool PuTTY. The RMM tools would be used to enable persistent remote access to victim assets, while PuTTY may be employed for remote code execution and data theft purposes.

In incidents observed by eSentire, activity was disrupted prior to threat actors achieving their objectives. Based on an overlap of Indicators of Compromise (IoCs) and attacker Tactics, Techniques, and Procedures (TTPs) the eSentire Threat Intelligence team assesses with high confidence, that the final goal of this campaign is data theft and the deployment of the Cactus ransomware. eSentire has observed notable changes between mid-November activity and early December activity, including later deployment of RMM tools and use of the RequestCatcher tool. It is possible that the threat actors are modifying attacks to avoid detection, or secondary actors are mimicking the original campaign. The eSentire Threat Intelligence team continues to monitor this activity for additional changes.

Cactus ransomware has been active since at least March 2023. The group employs the double extortion technique, where data is exfiltrated prior to ransomware deployment, and used as an additional point during ransom negotiations. The ransomware has previously been deployed via DanaBot infections and exploitation of VPN vulnerabilities.

It should be noted that exploitation of the Qlik Source vulnerabilities is considered to be simple, and technical details relating to CVE-2023-41265 and CVE-2023-41266 are publicly available. As exploitation of these vulnerabilities is ongoing, it is critical that organizations address the vulnerabilities immediately.

Indicators of Compromise
94.156.71[.]115 IP Address
http://94.156.71.115/instal1[.]ps1 URL
https://q983.requestcatcher[.]com URL
https://downloads.level.io/ins...[.]ps1 URL
144.172.122[.]30 IP Address
216.107.136[.]46 IP Address
45.61.147[.]176 IP Address
http://144.172.122[.]30/Qlik_sense_enterprise.zip URL
http://144.172.122[.]30/Qlik_sense_enter.zip URL
http://216.107.136[.]46/Qlik_sens_enterprise.zip URL
http://zohoservice[.]net/putty.zip URL
zohoservice[.]net Domain

References:

[1] https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-41266
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-41265
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-48365
[5] https://twitter.com/MsftSecIntel/status/1730383711437283757
[6] https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
[7] https://www.praetorian.com/blog/qlik-sense-technical-exploit/

View Most Recent Advisories