Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Qlik Sense Vulnerabilities Exploited in Ransomware Attacks

Qlik Sense vulnerabilities CVE-2023-41266, CVE-2023-41265 and CVE-2023-48365 exploited for initial access in Cactus ransomware attacks. 

Ransomware Report

Three vulnerabilities affecting a product of business analytics firm Qlik have likely been exploited in ransomware attacks, according to security operations firm Arctic Wolf. 

The cybersecurity company has reported seeing attacks that appear to exploit CVE-2023-41266, CVE-2023-41265 and CVE-2023-48365 for initial access, with the attackers then attempting to deploy Cactus ransomware on compromised systems.

The exploited vulnerabilities were discovered by Praetorian, with their details disclosed in August and September, shortly after Qlik announced the availability of patches.

The security holes, rated ‘critical’ and ‘high severity’, impact Qlik Sense Enterprise for Windows, a data analytics solution. CVE-2023-41266 is a path traversal issue that allows a remote, unauthenticated attacker to generate anonymous sessions and send HTTP requests to unauthorized endpoints.

CVE-2023-41265 is an HTTP tunneling flaw that can be exploited to elevate privileges and execute HTTP requests on backend servers hosting repository applications. 

Combined, the two vulnerabilities can be exploited by a remote, unauthenticated hacker to execute arbitrary code and add new admin users to the Qlik Sense application. 

CVE-2023-48365 was assigned after Praetorian researchers managed to bypass the patch for CVE-2023-41265. 

While Qlik’s advisories for these vulnerabilities currently say there is no evidence of in-the-wild exploitation, Arctic Wolf claims to have seen attacks apparently exploiting the vulnerabilities for remote code execution. 

Advertisement. Scroll to continue reading.

After gaining initial access to the targeted organization’s systems, the cybercriminals were observed uninstalling security software, changing admin account passwords, installing remote access software, using RDP for lateral movement, and exfiltrating data. In some instances the attackers attempted to deploy Cactus ransomware. 

“​​Based on significant overlaps observed in all intrusions we attribute all of the described attacks to the same threat actor, which was responsible for deployment of Cactus ransomware,” Arctic Wolf said. 

Qlik claims to have more than 40,000 customers, which makes vulnerabilities in its products highly valuable to hackers. 

According to ZoomEye, there are more than 17,000 internet-exposed instances of Qlik Sense, mainly in the United States, followed by Brazil and several European countries. 

The Cactus ransomware has been active since March 2023 and it has targeted several major organizations. The cybercriminals have been known to exploit vulnerabilities in VPN appliances for initial access. 

UPDATE: Qlik has provided the following statement to SecurityWeek:

We acknowledge the recent Arctic Wolf report concerning CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 and are closely monitoring the situation. It is important to note that Qlik released patches for these vulnerabilities in August and September as part of our ongoing commitment to cybersecurity. While our initial advisories did not indicate evidence of malicious exploitation, we are diligently investigating these new reports. We strongly recommend that all customers verify they have applied these patches. Qlik remains dedicated to safeguarding our systems and will provide further information as it becomes available. For specific concerns or additional support, customers are encouraged to reach out to Qlik Support.

Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers

Related: Zimbra Zero-Day Exploited to Hack Government Emails

Related: SysAid Zero-Day Vulnerability Exploited by Ransomware Group

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.