Many Organizations Remain Vulnerable to Cactus Ransomware Exploiting Qlik Sense Vulnerabilities

Nearly five months after security researchers warned of the Cactus ransomware group leveraging a set of three vulnerabilities in the Qlik Sense data analytics and business intelligence (BI) platform, many organizations are still at risk.

Qlik disclosed the vulnerabilities in August and September. Two of the bugs, tracked as CVE-2023-41266 and CVE-2023-41265, affect multiple versions of Qlik Sense Enterprise for Windows. When chained together, they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, a bypass of the fix for the previous flaws from August.

Despite these warnings, Arctic Wolf reported that Cactus ransomware operators were actively exploiting these vulnerabilities to gain access to target environments. A recent scan by researchers at Fox-IT found over 5,000 Internet-accessible Qlik Sense servers, with over 3,000 still vulnerable to the Cactus group's exploits. Some of these vulnerable servers were located in the US, Italy, Brazil, the Netherlands, and Germany.

In response to this threat, security organizations like Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) are working together under Project Melissa to disrupt Cactus group operations. They have been notifying administrators of vulnerable Qlik Sense servers about the potential ransomware attacks.

The ShadowServer Foundation has also issued a critical alert, warning that organizations that fail to address these vulnerabilities risk compromise. Fox-IT has identified at least 122 likely compromised Qlik Sense instances, mainly in the US, Spain, and Italy. It is crucial for organizations to understand the potential risks and take the necessary remediation measures to protect against Cactus ransomware attacks.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
