Cactus Ransomware Exploiting Qlik Servers Vulnerability

by Esmeralda McKenzie

The Cactus ransomware gang has been exploiting vulnerable Qlik Sense servers since November 2023, using several vulnerabilities such as CVE-2023-41266 (Path Traversal), CVE-2023-41265 (HTTP Request Tunneling) and CVE-2023-48365 (Unauthenticated Remote Code Execution).

Although Qlik has addressed these vulnerabilities in several security advisories, thousands of servers remain exposed to exploitation.


Qlik Sense is a data visualization and business intelligence tool that helps companies perform data analysis and other operations.

Technical Analysis

Statistical Threat Reports

Based on reports from Cyber Security News, threat actors have been targeting Qlik Sense servers through software vulnerabilities and deceiving victims with fabricated stories.

However, reports from Shadowserver show that there are 5,200+ internet-exposed Qlik servers, of which 3,100+ are vulnerable to exploitation by the Cactus group.

241 systems were found in the Netherlands alone, and the threat actors have already compromised 6 of them.

Identifying the vulnerable servers and the compromised servers involved a few research steps.

Identifying The Vulnerable Qlik Sense Servers

An existing Nuclei template is available that can be used to identify vulnerable Qlik Sense servers exposed on the internet.

Alternatively, the researchers used the "product-info.json" file to find vulnerable servers.

This file contains various information about the server, such as the release label and version numbers, which reveal the exact version of Qlik Sense the server is running.

product-info.json file (Source: Fox-IT)

Further, the release label parameter contains information such as "February 2022 Patch 3", which states the last update applied to the Qlik Sense server and the associated advisory.

To retrieve this information from the product-info.json file, the cURL command below can be used, where <target> stands for the hostname of the server being checked:

curl -H "Host: localhost" -vk 'https://<target>/resources/autogenerated/product-info.json?.ttf'

The ".ttf" (TrueType Font) suffix is appended so that the request appears to be for a .ttf file. Font files can be accessed without authentication on Qlik Sense servers, and the "Host: localhost" header is used to avoid an HTTP 400 Bad Request response.

On a patched server, the response is a 302 redirect to the authentication page ("302 Authenticate at this location"), whereas a vulnerable server discloses the contents of the file with a 200 OK response.

Furthermore, a 302 response, or a release label from the Qlik server containing "November 2023", is considered to indicate a non-vulnerable server.


How To Find Compromised Qlik Sense Servers

As Arctic Wolf explains, the Cactus ransomware group redirects the output of its commands to a TTF file named qle.ttf.

The threat group also used a file named qle.woff in some cases. Furthermore, these exploitation artefacts can be accessed without authentication.
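The two checks described above (the unauthenticated product-info.json probe from the previous section, and the qle.ttf / qle.woff artefact check from this one) can be scripted. The following is an added example written for this page; it is not code from Fox-IT, Arctic Wolf, Qlik or the article's author. It assumes that product-info.json exposes a "releaseLabel" key (the article only shows the label value), that the attacker artefacts are served from "/resources/qle.ttf" and "/resources/qle.woff", and the sample responses at the bottom are constructed for illustration.

```python
"""Classify Qlik Sense servers with the two checks described in the article.

Added example, not code from Fox-IT, Arctic Wolf or Qlik. Assumptions:
  - product-info.json carries the label under the key "releaseLabel"
  - attacker artefacts live at /resources/qle.ttf and /resources/qle.woff
"""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRODUCT_INFO_PATH = "/resources/autogenerated/product-info.json?.ttf"
PATCHED_LABEL_MARKER = "November 2023"          # article's rule for a fixed release
IOC_PATHS = ("/resources/qle.ttf", "/resources/qle.woff")   # assumed artefact paths


@dataclass
class Verdict:
    vulnerable: Optional[bool]   # None = probe was inconclusive
    release_label: Optional[str]
    reason: str


def classify_product_info(status: int, body: bytes) -> Verdict:
    """Apply the article's decision rule to a product-info.json response."""
    if status == 302:
        return Verdict(False, None, "302 redirect to authentication: patched")
    if status != 200:
        return Verdict(None, None, f"inconclusive HTTP status {status}")
    try:
        info = json.loads(body)
    except ValueError:
        return Verdict(None, None, "200 OK but body is not JSON")
    label = info.get("releaseLabel") or ""            # assumed key name
    if PATCHED_LABEL_MARKER in label:
        return Verdict(False, label, f"release label {label!r} is the fixed release")
    return Verdict(True, label or None,
                   f"product-info.json served unauthenticated, release {label!r}")


def classify_ioc(path: str, status: int, body: bytes) -> Tuple[bool, str]:
    """qle.ttf / qle.woff are not legitimate Qlik files; any 200 is an indicator."""
    if status != 200:
        return False, f"{path}: HTTP {status}, artefact not present"
    preview = body[:60].decode("utf-8", "replace").replace("\n", " ")
    return True, f"{path}: {len(body)} bytes of command output, starts {preview!r}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 to the login page; we want to see the 302 itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, path: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET https://host/path with Host: localhost, like 'curl -H Host:localhost -k'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # Qlik installs often use self-signed certs
    opener = urllib.request.build_opener(_NoRedirect(),
                                         urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(f"https://{host}{path}", headers={"Host": "localhost"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 302/4xx/5xx arrive here
        return err.code, err.read()


def scan_host(host: str) -> List[str]:
    """Run both checks against a live host and return human-readable findings."""
    findings = []
    status, body = probe(host, PRODUCT_INFO_PATH)
    findings.append(classify_product_info(status, body).reason)
    for path in IOC_PATHS:
        status, body = probe(host, path)
        hit, reason = classify_ioc(path, status, body)
        findings.append(("COMPROMISED? " if hit else "") + reason)
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_VULNERABLE = (200, b'{"releaseLabel": "February 2022 Patch 3"}')
SAMPLE_PATCHED_302 = (302, b"")
SAMPLE_PATCHED_LABEL = (200, b'{"releaseLabel": "November 2023 Initial Release"}')
SAMPLE_IOC_HIT = ("/resources/qle.ttf", 200, b"nt authority\\system\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_PATCHED_302, SAMPLE_PATCHED_LABEL):
        print(classify_product_info(*sample))
    print(classify_ioc(*SAMPLE_IOC_HIT))
```

Only run scan_host against hosts you are authorized to test; the classifier functions work offline on captured responses, so they can also be run over stored scan output.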

Exploited servers (Source: Fox-IT)

When checking for these specific files, around 122 servers were found, of which the US has the highest number, 49, followed by 13 servers in Spain, 11 in Italy, 8 in the UK, 7 each in Germany and Ireland, and 6 in the Netherlands.

Vulnerable servers (Source: Fox-IT)

Organizations and users of Qlik Sense servers are advised to upgrade to the latest versions per the security advisories to prevent threat actors from exploiting these vulnerabilities.


Source credit : cybersecuritynews.com
