Cactus Ransomware Using Qlik Bugs, DanaBot in Latest AttacksOperators Exploit Flaws in Data Analytics Platform to Access Corporate Networks
Operators of a new ransomware strain dubbed Cactus are using critical vulnerabilities in a data analytics platform to gain access to corporate networks. Cactus ransomware operators are also getting an assist from deploying Danabot malware that is distributed through malvertising.
Cactus ransomware first emerged in March and adopted a double-extortion tactic - stealing and encrypting data. It has visibly ramped up operations in the past few months and has participated in a surge of ransomware activities this fall, setting record-breaking levels of ransomware attacks. Cactus listed 33 victims in September, U.K.-based cybersecurity firm NCC Group said in October (see: Known Ransomware Attack Volume Breaks Monthly Record, Again).
Cactus' campaign, which cybersecurity firm Arctic Wolf said affects data analytics platform Qlik Sense, uses vulnerabilities initially detected by researchers in August. One vulnerability, identified as CVE-2023-41266, is a path traversal bug that could be exploited to generate anonymous sessions and execute unauthorized HTTP requests. Another flaw, CVE-2023-41265, has a critical-severity CVSS rating of 9.8. It does not require authentication and allows privilege escalation and execution of HTTP requests on the back-end server hosting the application.
In September, Qlik discovered that hackers could bypass the fix for CVE-2023-41265, prompting a new update for a separate vulnerability identified as CVE-2023-48365.
Arctic Wolf said that the Cactus ransomware operators exploit these security flaws to initiate new processes in the Qlik Sense Scheduler Service. The attackers download legitimate tools such as AnyDesk and Rclone to establish persistence, gain remote access and exfiltrate data. The tools and techniques used by the threat actors in this campaign align with those observed in previous Cactus ransomware incidents disclosed earlier in May by cybersecurity firm Kroll.
Danabot Handing Off Initial Access to Cactus
Microsoft Threat Intelligence on Friday said in a tweet thread that it had detected Danabot infections through malvertising leading to hands-on-keyboard activity resulting in Cactus ransomware infections.
"Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown," Microsoft said (see: Operation 'Duck Hunt' Dismantles Qakbot).
Researchers first observed this Danabot campaign in November. The malware collects user credentials and other information that it sends to command and control, "followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216," Microsoft said.
Storm-0216 previously has been linked to the Maze Cartel, which was created when Twisted Spider, Viking Spider and the operators of LockBit ransomware entered into an apparent collaborative business arrangement. The group also deployed Maze or Egregor ransomware in its earlier attacks.