Full Report
Authored by Willem Zeeman and Yun Zheng Hu. This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them, please check the central blog by the Dutch special interest group Cyberveilig Nederland … (Original post: Sifting through the spines: identifying (potential) Cactus ransomware victims)
Analysis Summary
# Incident Report: Exploitation of Qlik Sense by Cactus Ransomware
## Executive Summary
Since November 2023, the Cactus ransomware group has been systematically exploiting vulnerabilities in Qlik Sense servers to gain initial access to corporate networks. Through a collaborative effort by the "Melissa" partnership, analysts identified over 3,000 vulnerable servers globally, with several active compromises already confirmed. The threat actor employs sophisticated evasion techniques and psychological manipulation to obscure their actual entry vector.
## Incident Details
- **Discovery Date:** April 17, 2024 (Global scanning and identification)
- **Incident Date:** Ongoing since November 2023
- **Affected Organization:** Multiple (5,205 servers identified globally)
- **Sector:** Cross-sector (Any organization using Qlik Sense data visualization)
- **Geography:** Global (Significant focus on the Netherlands)
## Timeline of Events
### Initial Access
- **Date/Time:** November 2023 – Ongoing
- **Vector:** Exploitation of unpatched Qlik Sense Enterprise servers.
- **Details:** Attackers leverage critical vulnerabilities including CVE-2023-41266, CVE-2023-41265 (ZeroQlik), and CVE-2023-48365 (DoubleQlik) to execute unauthorized code.
### Lateral Movement
- **Details:** Once initial access is achieved via the Qlik Sense service, the group moves through the network to prepare for ransomware deployment. Specific lateral movement techniques follow typical ransomware playbooks (the internal tooling used was not the primary focus of this fingerprinting-focused report).
### Data Exfiltration/Impact
- **Impact:** Deployment of Cactus ransomware and potential data theft. The group is known to use "fabricated stories" during negotiations to mislead victims about how the breach occurred, complicating the forensic response.
### Detection & Response
- **Discovery:** Collaboration between Fox-IT and the Melissa partnership identified a pattern of Qlik Sense exploitation across multiple incident response engagements.
- **Response Actions:** On April 17, 2024, Dutch authorities (DIVD, NCSC, and DTC) began a global notification campaign to inform owners of the 3,143 vulnerable and "already compromised" servers.
## Attack Methodology
- **Initial Access:** Exploitation of unpatched Qlik Sense vulnerabilities (ZeroQlik/DoubleQlik).
- **Persistence:** Implementation of backdoors (implied by "already compromised" status of servers where artifacts remain).
- **Defense Evasion:** Use of social engineering/misdirection during the extortion phase to hide the entry vector.
- **Discovery:** Automated scanning for vulnerable Qlik Sense instances.
- **Impact:** Encryption of data and high-pressure extortion.
## Impact Assessment
- **Financial:** High potential for ransom demands and recovery costs.
- **Data Breach:** High risk; Cactus typically performs data exfiltration before encryption.
- **Operational:** Significant; 3,143 servers identified as vulnerable globally.
- **Reputational:** High for organizations failing to patch known critical vulnerabilities since late 2023.
## Indicators of Compromise
- **Network Indicators:** Scanning activity targeting Qlik Sense ports (typically 443/80 or specific Qlik management ports).
- **File Indicators:** Frequent requests for `product-info.json` from external or unknown IPs.
- **Behavioral Indicators:** Execution of unauthorized commands via the Qlik Sense service account; external connections to known Cactus C2 infrastructure.
## Response Actions
- **Containment:** Servers identified as compromised were flagged for isolation.
- **Eradication:** Global notification of victims by DIVD and NCSC-NL.
- **Recovery:** Organizations advised to patch Qlik Sense to the latest versions (as per Qlik support articles 2110801 and 2120325).
## Lessons Learned
- **Cross-Sector Collaboration:** The "Melissa" partnership demonstrates that sharing data across private security firms can identify widespread campaign patterns that individual firms might miss.
- **Vulnerability Oversight:** High-profile tools like Qlik Sense often fall into "shadow IT" or are not patched as aggressively as core OS components, providing easy wins for ransomware groups.
- **Adversary Deception:** Attackers are lying about their entry vectors to preserve their "exploits," making third-party forensic validation essential.
## Recommendations
- **Patch Management:** Immediately update Qlik Sense Enterprise for Windows to the latest patched versions.
- **Attack Surface Reduction:** Do not expose business intelligence tools like Qlik Sense directly to the internet; use a VPN or Zero Trust Network Access (ZTNA).
- **Vulnerability Scanning:** Use version fingerprinting (checking `product-info.json`) to accurately identify at-risk assets across the enterprise.
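The version-fingerprinting recommendation above, as an added example that is not part of the original report: a small inventory check that parses the release label from a Qlik Sense `product-info.json` body and compares it against a per-branch minimum patch level. The label format (`"<Month> <Year> Patch <N>"`) and the `composition.releaseLabel` location are assumptions about the file layout, and the patch thresholds are constructed placeholders to be filled in from Qlik support articles 2110801 and 2120325.

```python
import json
import re
from typing import Optional

# Month order used to compare release branches such as "August 2023".
_MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# Assumed label format: "<Month> <Year>" optionally followed by
# "Patch <N>" or "IR" (initial release). An assumption, not from the page.
_LABEL_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]+) (?P<year>\d{4})(?: Patch (?P<patch>\d+)| IR)?$")

# PLACEHOLDER thresholds: minimum patch per (year, month) branch that closes
# ZeroQlik/DoubleQlik. Fill from Qlik support articles 2110801 and 2120325;
# the numbers below are constructed for the demo only.
MIN_SAFE_PATCH = {
    (2023, 11): 0,  # placeholder
    (2023, 8): 3,   # placeholder
    (2023, 5): 7,   # placeholder
}


def parse_release_label(label: str) -> Optional[tuple]:
    """Turn 'August 2023 Patch 2' into ((2023, 8), 2); None if unrecognised."""
    m = _LABEL_RE.match(label.strip())
    if not m or m.group("month") not in _MONTHS:
        return None
    branch = (int(m.group("year")), _MONTHS[m.group("month")])
    patch = int(m.group("patch")) if m.group("patch") else 0
    return branch, patch


def assess(product_info: str) -> str:
    """Classify a product-info.json body as 'patched', 'vulnerable' or 'unknown'.

    Branches missing from MIN_SAFE_PATCH are reported as 'unknown' rather than
    guessed, so the table must be completed before relying on the result.
    """
    try:
        label = json.loads(product_info)["composition"]["releaseLabel"]
    except (ValueError, KeyError, TypeError):
        return "unknown"
    parsed = parse_release_label(str(label))
    if parsed is None or parsed[0] not in MIN_SAFE_PATCH:
        return "unknown"
    branch, patch = parsed
    return "patched" if patch >= MIN_SAFE_PATCH[branch] else "vulnerable"


# Constructed sample body, not a real server's response.
SAMPLE = '{"composition": {"releaseLabel": "August 2023 Patch 2"}}'
```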