Qlik Sense Exploitation

THE THREAT

eSentire has observed multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access into victim organizations. Qlik Sense is a popular data analytics platform; there is a high probability that Qlik Sense servers, that are unpatched and internet-facing, will be targeted in an ongoing campaign.

Qlik Sense vulnerabilities, known to be targeted by threat actors for initial access, include CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365. Post-exploitation, eSentire observed the delivery of multiple Remote Monitoring and Management (RMM) tools including ManageEngine and AnyDesk, as well as attempted delivery of the terminal emulation tool PuTTY.

eSentire assesses with high confidence that this activity is related to a campaign externally reported to lead to the deployment of Cactus ransomware. As exploitation has been confirmed, it is critical that organizations ensure Qlik Sense is updated to the most recent version.

What we’re doing about it

• eSentire MDR for Endpoint has rules in place to identify post-exploitation activity of Qlik
• In observed incidents, eSentire MDR for Network detected the malicious downloads
• BlueSteel, via eSentire MDR for Endpoint, identifies malicious PowerShell activity
• The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base, based on both externally reported and directly observed Indicators of Compromise
• Known malicious IP addresses are blocked via the eSentire Global Block list
• eSentire MDR for Network and Endpoint have rules in place to identify malicious use of the PuTTY tool
• eSentire MDR for Endpoint detects malicious/unusual use of Remote Monitoring and Management (RMM) tools, including AnyDesk and ScreenConnect
• eSentire MDR for Network and Endpoint have rules in place to detect tools and techniques commonly associated with ransomware delivery and execution
• eSentire Managed Vulnerability Service (MVS) will add the relevant plugins as they become available
• The eSentire Threat Intelligence team is actively tracking this campaign for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant Qlik Sense updates
• Review all potentially impacted systems for signs of compromise and unusual activity
• Where possible, avoid exposing Qlik Sense instances to the Internet
• Ensure Endpoint agents are deployed to both workstations and servers
• Conduct regular audits of Remote Monitoring and Management (RMM) solutions within the environment, such as ManageEngine and AnyDesk
  • If possible, ban all unapproved RMM tools
• Confirm there are robust backups of all business-critical systems offsite

Additional information

In incidents observed by eSentire, one or multiple of the following Qlik Sense vulnerabilities were exploited for initial access into victim organizations.

• CVE-2023-41265 (CVSS: 9.9) - An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows
  • Disclosed with security patches on August 29th, 2023
• CVE-2023-41266 (CVSS: 6.5) - Path traversal vulnerability found in Qlik Sense Enterprise for Windows
  • Disclosed with security patches on August 29th, 2023
• CVE-2023-48365 (CVSS: 9.9) – Unauthenticated Remote Code Execution (RCE) vulnerability
  • Disclosed with security patches on November 15th, 2023
  • CVE-2023-48365 is the result of an incomplete patch for CVE-2023-41265

Immediately after exploitation, eSentire observed the use of PowerShell commands attempting to download additional tools onto the victim asset. These included the Remote Monitoring and Management (RMM) tools ManageEngine and AnyDesk, as well as the terminal emulation tool PuTTY. The RMM tools would be used to enable persistent remote access to victim assets, while PuTTY may be employed for remote code execution and data theft purposes.

In incidents observed by eSentire, activity was disrupted prior to threat actors achieving their objectives. Based on an overlap of Indicators of Compromise (IoCs) and attacker Tactics, Techniques, and Procedures (TTPs) the eSentire Threat Intelligence team assesses with high confidence, that the final goal of this campaign is data theft and the deployment of the Cactus ransomware. eSentire has observed notable changes between mid-November activity and early December activity, including later deployment of RMM tools and use of the RequestCatcher tool. It is possible that the threat actors are modifying attacks to avoid detection, or secondary actors are mimicking the original campaign. The eSentire Threat Intelligence team continues to monitor this activity for additional changes.

Cactus ransomware has been active since at least March 2023. The group employs the double extortion technique, where data is exfiltrated prior to ransomware deployment, and used as an additional point during ransom negotiations. The ransomware has previously been deployed via DanaBot infections and exploitation of VPN vulnerabilities.

It should be noted that exploitation of the Qlik Source vulnerabilities is considered to be simple, and technical details relating to CVE-2023-41265 and CVE-2023-41266 are publicly available. As exploitation of these vulnerabilities is ongoing, it is critical that organizations address the vulnerabilities immediately.

References:

[1] https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-41266
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-41265
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-48365
[5] https://twitter.com/MsftSecIntel/status/1730383711437283757
[6] https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
[7] https://www.praetorian.com/blog/qlik-sense-technical-exploit/