Keypoints
- Within the Melissa partnership, Fox-IT developed a fingerprinting technique to detect internet-exposed Qlik Sense servers and assess whether they are vulnerable or already compromised.
- Fingerprinting retrieves product-info.json from /resources/autogenerated/ (using a ?.ttf suffix and Host: localhost) to extract releaseLabel and version.
- Cactus ransomware has exploited Qlik Sense since November 2023 using known vulnerabilities including CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 (DoubleQlik).
- Response interpretation: HTTP 302 Authenticate indicates a patched/non-vulnerable instance; HTTP 200 with JSON indicates an unpatched server revealing version/release label.
- Scanning with Censys and Google BigQuery found 5,205 Qlik Sense servers online, 3,143 (≈60%) still vulnerable as of 17 April 2024, and 122 servers with compromise indicators.
- Cactus stores command output in font files (qle.ttf / qle.woff) inside the fonts directory; these font files are accessible without authentication and serve as IOCs.
- DIVD performed responsible disclosure; recommended mitigations include applying vendor patches, upgrading EOS systems, and restricting public exposure (IP whitelisting or private access).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Cactus gained initial access by exploiting vulnerable Qlik Sense servers (‘Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers.’)
- [T1595.002] Active Scanning: Vulnerability Scanning – Researchers used internet-wide data sources to discover and version-scan Qlik instances (‘We utilised Censys and Google BigQuery to compile a list of potential Qlik Sense servers accessible on the internet and conducted a version scan against them.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Operators executed Windows commands and redirected output to files on the server (‘whoami /all > ../Client/qmc/fonts/qle.ttf’ and ‘quser > ../Client/qmc/fonts/qle.ttf’)
- [T1036] Masquerading – Attackers wrote command output to files with font extensions to blend artifacts into the application (‘redirects the output of executed commands to a True Type font file named qle.ttf’)
- [T1082] System Information Discovery – The group collected host/system data by running commands such as whoami and quser (‘whoami /all > ../Client/qmc/fonts/qle.ttf’)
Indicators of Compromise
- [File name] exploitation artefacts – qle.ttf, qle.woff (font files used to store command output in ../Client/qmc/fonts/)
- [File path] compromised locations – ../Client/qmc/fonts/qle.ttf (example path where command output was redirected)
- [Config file] version fingerprinting – product-info.json (retrieved from /resources/autogenerated/product-info.json?.ttf to extract releaseLabel/version)
- [Vulnerability identifiers] exploited flaws – CVE-2023-48365, CVE-2023-41265 (ZeroQlik), and CVE-2023-41266 (examples mentioned)
- [Command examples] evidence of command execution – ‘whoami /all > ../Client/qmc/fonts/qle.ttf’, ‘quser > ../Client/qmc/fonts/qle.ttf’
- [Source URL] original analysis – https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/
Researchers built a practical fingerprinting workflow to identify and triage internet-exposed Qlik Sense servers: enumerate candidate hosts using Censys and Google BigQuery, then request /resources/autogenerated/product-info.json?.ttf with the Host header set to “localhost”. The ?.ttf suffix makes the proxy treat the request as a font file, which is served without authentication, so product-info.json is returned; a successful HTTP 200 response with JSON reveals releaseLabel and version, while an HTTP 302 “Authenticate at this location” redirect indicates the instance is likely patched against CVE-2023-48365.
Using the version information, servers were classified against vendor advisories and end-of-support labels to determine vulnerability to ZeroQlik/DoubleQlik (CVE-2023-41265 / CVE-2023-48365). The team flagged instances as non-vulnerable if their release label was dated after November 2023 or if the resource redirected with HTTP 302; other responses were ignored as non-Qlik instances. This scanning found 5,205 Qlik servers online and 3,143 still at risk as of 17 April 2024.
Separately, incident responders observed Cactus operators executing Windows commands and redirecting output into font files (e.g., qle.ttf, qle.woff) under the Qlik fonts directory — a deliberate masquerading technique because font files are publicly readable and not part of default installs. Presence of these files (122 servers found) is a reliable indicator of compromise. Recommended actions: extract product-info.json to audit versions, apply vendor patches or upgrade EOS systems, search for qle.ttf/qle.woff in the fonts directory as IOCs, and restrict public access (IP whitelisting or internal-only access). Read more: https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/
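The triage logic described above (classify a fingerprint response as patched, unpatched-with-version, or not Qlik; apply the post-November-2023 release-label rule; and check the fonts directory for the qle.ttf/qle.woff artefacts) is shown below as an added example written for this summary. It is not code from Fox-IT, NCC Group or the original research post. It assumes release labels follow a "Month YYYY [Patch N]" pattern (the post does not spell out the format), takes already-captured status/body pairs rather than making requests itself, and uses constructed sample responses; the function names and sample values are the example's own.

```python
import json
import re
from datetime import date
from pathlib import Path

# Fingerprint request details from the write-up (for reference; no requests are sent here).
FINGERPRINT_PATH = "/resources/autogenerated/product-info.json?.ttf"
FINGERPRINT_HOST = "localhost"

# Font files Cactus operators used to store command output; presence is an IoC.
IOC_FONT_FILES = ("qle.ttf", "qle.woff")

# Classification rule from the write-up: a release label dated after
# November 2023 is treated as non-vulnerable.
FIX_CUTOFF = date(2023, 11, 1)

MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}


def parse_release_label(label):
    """Parse an assumed 'Month YYYY [Patch N]' label into (first-of-month date, patch).

    Returns None when the label does not match the assumed pattern.
    """
    m = re.match(r"\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?", label or "")
    if not m or m.group(1).lower() not in MONTHS:
        return None
    patch = int(m.group(3)) if m.group(3) else 0
    return date(int(m.group(2)), MONTHS[m.group(1).lower()], 1), patch


def classify_response(status, body):
    """Map one captured fingerprint response to a triage verdict.

    302 -> patched (redirect to authenticate); 200 with JSON -> version exposed,
    vulnerable unless the release label is dated after November 2023;
    anything else -> not a Qlik instance (ignored, as in the write-up).
    """
    if status == 302:
        return {"verdict": "patched", "reason": "redirect to authenticate"}
    if status == 200:
        try:
            info = json.loads(body)
        except (json.JSONDecodeError, TypeError):
            return {"verdict": "not-qlik", "reason": "200 without JSON body"}
        if not isinstance(info, dict):
            return {"verdict": "not-qlik", "reason": "JSON is not an object"}
        label = info.get("releaseLabel", "")
        version = info.get("version", "")
        parsed = parse_release_label(label)
        if parsed and parsed[0] > FIX_CUTOFF:
            return {"verdict": "not-vulnerable", "releaseLabel": label, "version": version}
        # Unauthenticated 200 with an older (or unparseable) label: flag for patching.
        return {"verdict": "likely-vulnerable", "releaseLabel": label, "version": version}
    return {"verdict": "not-qlik", "reason": f"unexpected status {status}"}


def triage(responses):
    """Classify a list of (host, status, body) tuples into a per-host report."""
    return {host: classify_response(status, body) for host, status, body in responses}


def ioc_files_in_listing(names):
    """Return the IoC font file names present in a directory listing (case-insensitive)."""
    return sorted(n for n in names if n.lower() in IOC_FONT_FILES)


def find_ioc_fonts(fonts_dir):
    """Check a Qlik fonts directory on the host itself (e.g. .../Client/qmc/fonts) for IoC files."""
    path = Path(fonts_dir)
    if not path.is_dir():
        return []
    return ioc_files_in_listing(p.name for p in path.iterdir())


# Constructed sample responses, not captured from real hosts.
SAMPLE_RESPONSES = [
    ("host-a", 302, ""),
    ("host-b", 200, json.dumps({"releaseLabel": "August 2023 Patch 5", "version": "sample-version"})),
    ("host-c", 200, json.dumps({"releaseLabel": "February 2024", "version": "sample-version"})),
    ("host-d", 200, "<html>login page</html>"),
    ("host-e", 404, ""),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(host, verdict)
    print("IoC fonts:", find_ioc_fonts("./Client/qmc/fonts"))
```

The verdicts are deliberately conservative: any HTTP 200 that exposes product-info.json is reported as likely vulnerable unless the release label is dated after November 2023, because the unauthenticated read itself is the signal that the DoubleQlik fix is absent. Run find_ioc_fonts on the server against its own fonts directory; a hit on qle.ttf or qle.woff should be treated as evidence of command execution, not merely of exposure.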