Artic Wolf reports the Cactus ransomware operation has been observed exploiting recently disclosed vulnerabilities in the Qlik Sense cloud analytics and business intelligence platform for initial intrusion. The actively exploited vulnerabilities include:
CVE-2023-41265: an HTTP request tunneling vulnerability;
CVE-2023-41266: a path traversal vulnerability;
CVE-2023-48365: an unauthenticated remote code execution vulnerability resulting from an incomplete patch for CVE-2023-41265.
Following the successful exploitation of these vulnerabilities, the threat actors have been observed undertaking the following actions:
Misusing the Qlik Sense Scheduler service to initiate processes that retrieve additional tools.
The retrieved tools include ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink.
The attackers execute actions such as uninstalling Sophos software, altering the administrator account password, and establishing an remote desktop protocol tunnel via Plink.
The sequence of attacks concludes with the deployment of Cactus ransomware.
Rclone is employed for data exfiltration during the ransomware deployment.
Our monitoring identified recent ransomware events attributed to Cactus. Reported victims are located in the United States, Canada, the Netherlands and Belgium, and operate in various sectors including construction and real estate, healthcare and tourism.
In connection to Cactus campaign, Microsoft reports the ransomware is being distributed via DanaBot infection.
Below a link to our Ransomware Watch page with up to date monitoring data.