Full Report
Authored by Willem Zeeman and Yun Zheng Hu. This blog is part of a series written by various Dutch cyber security firms that have collaborated on research into the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them, please check the central blog by the Dutch special interest group Cyberveilig Nederland …
Source post: Sifting through the spines: identifying (potential) Cactus ransomware victims
Analysis Summary
# Incident Report: Cactus Ransomware Campaign Targeting Qlik Sense
## Executive Summary
The Cactus ransomware group has been actively exploiting vulnerabilities in Qlik Sense servers since November 2023 to gain initial access to victim networks. This threat, identified through collaboration between Dutch cybersecurity firms (Melissa partnership), has compromised at least six organizations in the Netherlands and hundreds globally. Response actions involved global notification efforts through DIVD, NCSC, and DTC to inform potential victims and mitigate further threats.
## Incident Details
- Discovery Date: April 17, 2024 (via global scan)
- Incident Date: Campaign active since November 2023.
- Affected Organizations: At least 6 organizations in the Netherlands identified as compromised; 5,205 Qlik Sense servers were scanned globally (the scan population, not a victim count).
- Sector: Various (specific sectors not detailed; any organization exposing a vulnerable Qlik Sense server is a potential target).
- Geography: Global; the Dutch firms' identification and notification effort focused on victims in the Netherlands.
## Timeline of Events
### Initial Access
- Date/Time: Campaign active since November 2023.
- Vector: Exploitation of publicly known Qlik Sense vulnerabilities.
- Details: Attackers exploited known Qlik Sense Enterprise vulnerabilities, notably **CVE-2023-41265** (HTTP request tunneling) and **CVE-2023-41266** (path traversal), together known as ZeroQlik, and potentially **CVE-2023-48365** (DoubleQlik, a bypass of the ZeroQlik fix). All are unauthenticated and reachable on an internet-exposed server.
### Lateral Movement
- Details: Not detailed in the excerpt. Successful exploitation either led to ransomware deployment or left the server staged for a later attack. The group reportedly gives victims fabricated accounts of how it got in, so the entry vector has to be established from evidence rather than from the attacker's claims.
### Data Exfiltration/Impact
- Details: The end goal is ransomware deployment. Servers identified as compromised either carried artifacts of the initial-access exploitation or were still exposed and awaiting a later ransomware stage; exfiltration is not described in the excerpt.
### Detection & Response
- Date/Time: Scan identifying vulnerable/compromised systems conducted on April 17, 2024.
- Details: Fox-IT developed a fingerprinting technique based on the `product-info.json` file that Qlik Sense servers expose, which reports the exact release and patch level and therefore allows the vulnerability status to be determined reliably, rather than inferred from banners or generic scanner templates. From April 17, 2024, DIVD, NCSC, and DTC used the scan results to inform potential victims worldwide.
## Attack Methodology
- Initial Access: Exploitation of Qlik Sense vulnerabilities (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: The Cactus group reportedly gives victims fabricated stories about the breach to obscure its actual method of entry and hinder remediation of the exploited server.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: Implied component of ransomware operations, but not specified in the excerpt.
- Impact: Ransomware deployment.
## Impact Assessment
- Financial: Not quantified in the excerpt.
- Data Breach: Not specified, but ransomware operations typically involve data encryption and potential exfiltration.
- Operational: At least 6 Dutch organizations had Qlik Sense servers compromised, implying operational disruption where the ransomware stage was reached.
- Reputational: Potential reputational damage associated with any ransomware incident, compounded by the public exposure of an unpatched internet-facing server.
## Indicators of Compromise
- Network indicators: Not provided in the excerpt; C2 and other network indicators are covered in the other blogs in the series.
- File indicators: Not provided in the excerpt.
- Behavioral indicators: An internet-exposed Qlik Sense server running a release without the ZeroQlik/DoubleQlik fixes, and artifacts left on the server by the initial-access exploitation (the specific artifacts are not described in this excerpt). An exposed unpatched server should be treated as potentially compromised until checked.
## Response Actions
- Containment measures: Not detailed in the excerpt. The reported action was identification, not containment: Fox-IT's fingerprinting technique was used to find vulnerable and compromised servers so their operators could be warned.
- Eradication steps: Not detailed. DIVD, NCSC, and DTC coordinated global notification so that affected operators could remediate their own servers.
- Recovery actions: Not detailed. At minimum, patching Qlik Sense to a fixed release is required, and an exposed server should be investigated for compromise artifacts before it is assumed clean, since patching does not remove access already gained.
## Lessons Learned
- Public-private partnerships such as Melissa are effective at sharing timely threat intelligence and turning it into victim notification at scale.
- Internet-exposed Qlik Sense servers on unpatched versions are a critical and actively exploited attack surface.
- Attackers may feed victims fabricated accounts of the intrusion; incident responders should reconstruct the entry vector from evidence rather than from the attacker's claims, otherwise the exploited server may be left in place.
## Recommendations
- Immediately assess and patch Qlik Sense servers against publicly disclosed vulnerabilities (ZeroQlik, DoubleQlik, etc.).
- Assess exposure by checking the exact release and patch level (e.g., by retrieving `product-info.json`) rather than relying on generic scanner templates, which are less reliable for Qlik Sense.
- Monitor and hunt for signs of exploitation of these CVEs on exposed Qlik Sense servers, and treat an exposed server that was running an unpatched version as potentially compromised until it has been checked.
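Worked example of the version check recommended above and of the `product-info.json` fingerprinting described under Detection & Response. This is an added illustration written for this page, not Fox-IT's scanner or code from the original report. It assumes the file is served at `/resources/autogenerated/product-info.json` and carries a `releaseLabel` such as `May 2023 Patch 5` or `November 2023 IR`; the fix matrix `MIN_FIXED_PATCH` (the first patch level of each quarterly release that contained the ZeroQlik and DoubleQlik fixes) is a placeholder that must be confirmed against Qlik's advisories before use, and the sample JSON is constructed, not captured from a real server.

```python
"""Qlik Sense patch-level fingerprinting from product-info.json.

Added example (not Fox-IT's tooling). Assumptions not taken from the report:
  * product-info.json is served at /resources/autogenerated/product-info.json
  * it carries a "releaseLabel" such as "May 2023 Patch 5" or "November 2023 IR"
  * MIN_FIXED_PATCH is a placeholder fix matrix; verify every entry against
    Qlik's advisories for ZeroQlik (CVE-2023-41265/41266) and DoubleQlik
    (CVE-2023-48365) before relying on it.
"""
import json
import re
import sys
import urllib.request

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# "<Month> <year>" optionally followed by " Patch <n>" or " IR" (initial release).
LABEL_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]+) (?P<year>\d{4})(?: Patch (?P<patch>\d+)| IR)?$")

# Placeholder fix matrix (ASSUMED values): (year, month) of the quarterly
# release -> first patch level of that release that contains the fix.
MIN_FIXED_PATCH = {
    "ZeroQlik":   {(2023, 8): 2, (2023, 5): 6, (2023, 2): 10, (2022, 11): 12},
    "DoubleQlik": {(2023, 11): 0, (2023, 8): 3, (2023, 5): 7, (2023, 2): 11,
                   (2022, 11): 13},
}


def parse_release_label(label):
    """'May 2023 Patch 5' -> (2023, 5, 5); 'November 2023 IR' -> (2023, 11, 0)."""
    m = LABEL_RE.match(label.strip())
    if not m or m["month"] not in MONTHS:
        return None
    patch = int(m["patch"]) if m["patch"] is not None else 0
    return (int(m["year"]), MONTHS[m["month"]], patch)


def status_for(parsed, fixed):
    """Compare a parsed (year, month, patch) against one advisory's fix matrix."""
    year, month, patch = parsed
    release = (year, month)
    if release in fixed:
        return "patched" if patch >= fixed[release] else "vulnerable"
    if release > max(fixed):
        return "patched"   # branch released after the fix shipped everywhere
    return "unknown"       # branch the table does not cover: do not guess


def assess_product_info(raw_json):
    """Return {'releaseLabel', 'composedVersion', 'ZeroQlik', 'DoubleQlik'}."""
    try:
        info = json.loads(raw_json)
    except json.JSONDecodeError:
        info = {}
    label = str(info.get("releaseLabel", ""))
    parsed = parse_release_label(label)
    result = {"releaseLabel": label, "composedVersion": info.get("composedVersion")}
    for name, fixed in MIN_FIXED_PATCH.items():
        result[name] = status_for(parsed, fixed) if parsed else "unknown"
    return result


def fetch_product_info(base_url, timeout=10):
    """Retrieve product-info.json from a live server (the path is an assumption)."""
    url = base_url.rstrip("/") + "/resources/autogenerated/product-info.json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample response for offline use; not captured from a real server.
SAMPLE_PRODUCT_INFO = json.dumps({
    "productName": "Qlik Sense",
    "composedVersion": "14.129.3.0",
    "releaseLabel": "May 2023 Patch 5",
})

if __name__ == "__main__":
    raw = fetch_product_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PRODUCT_INFO
    print(json.dumps(assess_product_info(raw), indent=2))
```

Run it with a base URL to query a live server you are authorized to test, or with no arguments to evaluate the constructed sample. The check returns `unknown` for any release branch the table does not cover instead of guessing, and it classifies purely on the vendor's own release label; that is what makes a version-based assessment more dependable than a scanner template matching banners or page contents, and why the fix matrix has to be kept in step with Qlik's advisories.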