Cactus Ransomware Using Qlik Bugs, DanaBot in Latest Attacks



Operators Exploit Flaws in Data Analytics Platform to Access Corporate Networks

Operators of Cactus ransomware are staying active, security researchers say. (Image: Shutterstock)

Operators of a new ransomware strain dubbed Cactus are exploiting critical vulnerabilities in a data analytics platform to gain access to corporate networks. The Cactus operators are also getting an assist from the DanaBot malware, which is distributed through malvertising.


Cactus ransomware first emerged in March and adopted a double-extortion tactic – stealing data before encrypting it. The group has visibly ramped up operations in the past few months and has contributed to a surge of ransomware activity this fall, which has set record-breaking levels of ransomware attacks. Cactus listed 33 victims in September, U.K.-based cybersecurity firm NCC Group said in October (see: Known Ransomware Attack Volume Breaks Monthly Record, Again).

Cactus' campaign, which cybersecurity firm Arctic Wolf said targets the data analytics platform Qlik Sense, uses vulnerabilities that researchers first disclosed in August. One vulnerability, identified as CVE-2023-41266, is a path traversal bug that could be exploited to generate anonymous sessions and execute unauthorized HTTP requests. Another flaw, CVE-2023-41265, has a critical-severity CVSS rating of 9.8. It does not require authentication and allows privilege escalation and execution of HTTP requests on the back-end server hosting the application.

In September, Qlik discovered that hackers could bypass the fix for CVE-2023-41265, prompting a new…
