Three vulnerabilities affecting a product of business analytics firm Qlik have likely been exploited in ransomware attacks, according to security operations firm Arctic Wolf.
The cybersecurity company has reported seeing attacks that appear to exploit CVE-2023-41266, CVE-2023-41265 and CVE-2023-48365 for initial access, with the attackers then attempting to deploy Cactus ransomware on compromised systems.
The security holes, rated ‘critical’ and ‘high severity’, impact Qlik Sense Enterprise for Windows, a data analytics solution. CVE-2023-41266 is a path traversal issue that allows a remote, unauthenticated attacker to generate anonymous sessions and send HTTP requests to unauthorized endpoints.
CVE-2023-41265 is an HTTP tunneling flaw that can be exploited to elevate privileges and execute HTTP requests on backend servers hosting repository applications.
Chained together, CVE-2023-41266 and CVE-2023-41265 allow a remote, unauthenticated attacker to execute arbitrary code and add new admin users to the Qlik Sense application.
CVE-2023-48365 was assigned after Praetorian researchers managed to bypass the patch for CVE-2023-41265.
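The advisories describe the first bug as a path traversal that lets an unauthenticated request reach endpoints it should not. The snippet below is an added illustration of that general class of flaw, written for this page; it is not Qlik's code and does not reproduce the actual Qlik Sense bug or its exploit. It shows the weak pattern (an allow-list check on the raw request path, while the backend routes on the decoded, normalized path) next to a hardened check that canonicalizes first. The prefixes `/resources/`, `/internal/` and `/admin/` and the sample paths are assumptions chosen for the example.

```python
from urllib.parse import unquote
import posixpath

# Hypothetical gateway policy (not Qlik's): anonymous callers may only hit /resources/...,
# while /internal/ and /admin/ are reserved for authenticated, privileged sessions.
PUBLIC_PREFIX = "/resources/"
INTERNAL_PREFIXES = ("/internal/", "/admin/")


def is_allowed_naive(raw_path: str) -> bool:
    """Weak pattern: authorization decided on the raw path as received on the wire."""
    return raw_path.startswith(PUBLIC_PREFIX)


def normalize(raw_path: str) -> str:
    """Canonical form of the path, as a backend router would see it.

    Decode twice so a double-encoded dot segment (%252e%252e) is caught, fold
    backslashes, then collapse '.' and '..' segments. posixpath.normpath keeps an
    absolute path rooted, so '/..' cannot climb above '/'.
    """
    path = unquote(unquote(raw_path)).replace("\\", "/")
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def route(raw_path: str) -> str:
    """Where the request actually lands after the backend normalizes it."""
    return normalize(raw_path)


def is_allowed_hardened(raw_path: str) -> bool:
    """Hardened pattern: canonicalize first, deny reserved prefixes explicitly,
    then apply the public allow-list to the canonical path."""
    path = normalize(raw_path)
    if any(path.startswith(p) for p in INTERNAL_PREFIXES):
        return False
    return path.startswith(PUBLIC_PREFIX)


if __name__ == "__main__":
    # Constructed sample requests for the example.
    for raw in ("/resources/js/app.js",
                "/resources/../internal/config",
                "/resources/%2e%2e/admin/users",
                "/resources/%252e%252e/%252e%252e/admin/users"):
        print(f"{raw:45} naive={is_allowed_naive(raw)!s:5} "
              f"hardened={is_allowed_hardened(raw)!s:5} routes_to={route(raw)}")
```

The point a practitioner should take from this is that any check which runs before decoding and normalization is a check on a different string than the one the backend acts on; the fix is to authorize on the canonical path, ideally in the same component that routes it.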
While Qlik’s advisories for these vulnerabilities currently say there is no evidence of in-the-wild exploitation, Arctic Wolf claims to have seen attacks apparently exploiting the vulnerabilities for remote code execution.
After gaining initial access to the targeted organization’s systems, the cybercriminals were observed uninstalling security software, changing admin account passwords, installing remote access software, using RDP for lateral movement, and exfiltrating data. In some instances the attackers attempted to deploy Cactus ransomware.
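The post-compromise behaviour listed above (admin password changes, new accounts, remote access software installed, RDP for lateral movement) leaves ordinary Windows event log traces that can be correlated per host. The following is an added example, not code from Arctic Wolf or Qlik, of a simple hunting rule over such events: it maps Security event 4720 (account created), 4724 (password reset) and 4732 (member added to a local group), System event 7045 (new service installed) and 4624 with logon type 10 (RemoteInteractive, i.e. RDP) to behaviour categories, and flags any host that shows two or more distinct categories within a time window. The event records, hostnames, timestamps and the 60-minute window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not from the Arctic Wolf report).
# Field layout mimics a flattened Windows Security/System log export.
EVENTS = [
    {"ts": "2023-11-20T02:10:05", "host": "qlik-srv01", "id": 4720, "detail": "account svc_backup created"},
    {"ts": "2023-11-20T02:11:40", "host": "qlik-srv01", "id": 4724, "detail": "password reset: Administrator"},
    {"ts": "2023-11-20T02:15:02", "host": "qlik-srv01", "id": 7045, "detail": "new service: remote support agent"},
    {"ts": "2023-11-20T02:31:17", "host": "fs01", "id": 4624, "logon_type": 10, "detail": "RDP logon from qlik-srv01"},
    {"ts": "2023-11-20T02:33:00", "host": "fs01", "id": 7045, "detail": "new service: remote support agent"},
    {"ts": "2023-11-20T09:00:00", "host": "ws-045", "id": 4624, "logon_type": 10, "detail": "RDP logon from helpdesk"},
]

# Security log IDs that indicate account manipulation; 7045 is a System log ID.
CATEGORY = {
    4720: "account_manipulation",  # a user account was created
    4724: "account_manipulation",  # an attempt was made to reset an account's password
    4732: "account_manipulation",  # a member was added to a security-enabled local group
    7045: "new_service",           # a service was installed (remote-access tools often register one)
}


def categorize(ev: dict):
    """Map one event to a behaviour category, or None if it is not of interest."""
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return "rdp_logon"  # RemoteInteractive logon = RDP session to this host
    return CATEGORY.get(ev["id"])


def find_suspicious_hosts(events, window_minutes=60, min_categories=2):
    """Return {host: sorted categories} for hosts showing >= min_categories distinct
    behaviours inside any sliding window of window_minutes."""
    per_host = defaultdict(list)
    for ev in events:
        cat = categorize(ev)
        if cat:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))

    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            cats = {c for t, c in items[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits


if __name__ == "__main__":
    for host, cats in find_suspicious_hosts(EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

A single RDP logon (ws-045 here) is normal and is not flagged; the rule fires only when behaviours from different phases of the intrusion cluster on one host. Event 4688 with command-line auditing would let the same rule catch the uninstalling of security software, but that needs process command-line logging enabled, so it is left out here.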
“Based on significant overlaps observed in all intrusions we attribute all of the described attacks to the same threat actor, which was responsible for deployment of Cactus ransomware,” Arctic Wolf said.
Qlik claims to have more than 40,000 customers, which makes vulnerabilities in its products highly valuable to hackers.
According to ZoomEye, there are more than 17,000 internet-exposed instances of Qlik Sense, mainly in the United States, followed by Brazil and several European countries.
The Cactus ransomware has been active since March 2023 and it has targeted several major organizations. The cybercriminals have been known to exploit vulnerabilities in VPN appliances for initial access.
UPDATE: Qlik has provided the following statement to SecurityWeek:
We acknowledge the recent Arctic Wolf report concerning CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 and are closely monitoring the situation. It is important to note that Qlik released patches for these vulnerabilities in August and September as part of our ongoing commitment to cybersecurity. While our initial advisories did not indicate evidence of malicious exploitation, we are diligently investigating these new reports. We strongly recommend that all customers verify they have applied these patches. Qlik remains dedicated to safeguarding our systems and will provide further information as it becomes available. For specific concerns or additional support, customers are encouraged to reach out to Qlik Support.