Security experts are urgently warning about the vulnerability of thousands of Qlik Sense servers to potential ransomware attacks by the troubling Cactus group. Despite prior disclosures of vulnerabilities by Qlik, many organisations remain at risk due to unpatched systems.
Qlik, an eminent player in data visualisation and business intelligence, disclosed two critical vulnerabilities, known as CVE-2023-41266 and CVE-2023-41265, in August last year. These flaws, when exploited together, enable remote attackers to execute arbitrary code on vulnerable systems. Additionally, a subsequent disclosure in September, CVE-2023-48365, revealed a bypass of Qlik's initial fix, leaving systems vulnerable to exploitation.
Recent reports highlight the active exploitation of these vulnerabilities by the Cactus ransomware group to infiltrate target environments. Despite warnings from security vendors like Arctic Wolf, ongoing attacks persist. A recent scan by Fox-IT uncovered over 5,000 internet-accessible Qlik Sense servers, with a significant portion still vulnerable to exploitation.
Countries such as the US, Italy, Brazil, Netherlands, and Germany face a concerning number of vulnerable servers, elevating the risk for organisations in these regions. In response, security organisations like Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) have launched efforts under Project Melissa to disrupt Cactus group operations.
Upon identifying vulnerable servers, Fox-IT and DIVD have actively notified affected organisations, urging immediate action to mitigate the risk of a ransomware attack. Joining the effort, the ShadowServer Foundation emphasises the urgent need for remediation to prevent compromise.
To assist organisations in identifying potential compromise, specific indicators such as the presence of unusual font files, qle.ttf and qle.woff, have been highlighted. These files, not standard in Qlik Sense installations, may indicate unauthorised access or remnants of previous security incidents.
In recognizing the gravity of the situation, Fox-IT stressed the need for proactive measures to address the potential risks of ransomware attacks. These measures include promptly patching vulnerable systems to fix known security issues and conducting thorough security assessments to identify and resolve any existing weaknesses in the network infrastructure.
Additionally, organisations are encouraged to implement robust cybersecurity measures, such as deploying intrusion detection and prevention systems, enhancing network segmentation to limit the impact of potential breaches, and enforcing strong access controls to prevent unauthorised access to sensitive data.
Regular employee training and awareness programs play a crucial role in identifying and mitigating security risks, including phishing attacks or social engineering attempts. By educating employees about the latest cybersecurity threats and best practices, organisations can strengthen their overall security posture and reduce the risk of successful ransomware attacks.
Moreover, maintaining up-to-date backups of critical data is essential to ensure data integrity and facilitate recovery in the event of a ransomware attack. Organisations should establish a comprehensive backup strategy that includes regular backups, secure storage of backup data, and testing of backup restoration procedures to ensure their effectiveness.
Given these developments, the collective efforts of security organisations, alongside proactive measures by organisations, are critical in mitigating the risk posed by the Cactus ransomware group and similar threats.
Recently, Apple users have been struggling with this very issue, as widespread reports of forced password resets have surfaced.
If you've been locked out of your Apple ID in the last day or so without warning, you're not alone
Apple users have been suffering a wave of forced lockouts, with some indicating that they have been forced to reset their passwords to regain access.
The lockouts have resulted in customers losing access to their devices, but there appears to be no root cause or anything in common across incidents, and Apple has yet to comment on the matter.
The company's System Status website indicates that all services are "operating normally," with Apple ID services particularly listed as "available."
If your Apple ID has locked you out, you might panic and try your usual password, but it’s useless. You’re left staring at the blank “Incorrect Password” message. What gives?
The cause behind these lockouts remains hidden in mystery. Experts believe it’s a security measure triggered by suspicious activity, while others suspect a glitch in the matrix. Regardless, the concern is real. Users have taken to social media, sharing their stories of being shut.
If your Apple ID has been blocked out and you must change your password, any app-specific passwords you may have created will also need to be reset. That's something you'll have to do whether you utilize apps like Spark Mail, Fantastical, or any number of others.
It could potentially cause significant issues if you use iOS 17.3's Stolen Device Protection. You'll need to use biometrics on your iPhone, such as Face ID or Touch ID, to access your account or use Apple Pay.
As the lockout story falls out, Apple has remained silent. No official statements, no explanations. The tech giant continues to operate, but the users are panicking to regain control of their digital lives. Is it a glitch? A security enhancement? At this moment, we can only wait for Apple’s response
1. Reset Your Password: Change the password. But remember the app-specific ones too.
2. Biometrics: If you’ve set up Face ID or Touch ID, use them to reclaim your digital ID.
3. Stay Tuned: Keep an eye on Apple’s official channels.
The digital society we live in has made it abundantly clear that being cautious about online activities goes beyond avoiding suspicious links. Recent findings by cybersecurity researchers have surfaced a new ransomware threat that exploits web browsers, potentially putting users' files at risk.
The Rising Threat
Modern web browsers like Google Chrome and Microsoft Edge offer advanced functionalities, allowing users to seamlessly interact with various online services, from email to multimedia streaming. However, these capabilities also open doors for hackers to manipulate browsers and gain unauthorised access to users' local file systems.
What Is The Risk?
The File System Access API, utilised by browsers, enables web applications to interact with users' files. This means that uploading files to seemingly benign online tools could inadvertently grant hackers access to personal data stored on the user's computer.
The Implications
Imagine using an online photo editing tool. Uploading files for editing could inadvertently expose your entire file system to malicious actors, who could then encrypt your files and demand ransom for decryption.
The Scale of the Issue
Ransomware attacks have become increasingly prevalent, targeting individuals and organisations across various sectors. In 2023 alone, organisations paid over $1.1 billion in ransomware payments, highlighting the urgent need for robust cybersecurity measures.
Addressing the Threat
Researchers at the Cyber-Physical Systems Security Lab at Florida International University have been investigating this new breed of ransomware. Their findings, presented at the USENIX Security Symposium, underscore the severity of the threat posed by browser-based ransomware.
Recommended Practices
The research team proposed three defence approaches to mitigate the risk of browser-based ransomware. These strategies focus on detecting and preventing malicious activity at the browser, file system, and user levels, offering a multi-layered defence mechanism against potential attacks.
1. Temporarily Halting Web Applications:
This approach involves temporarily suspending a web application's activity within the browser to detect any suspicious behavior related to file encryption. By monitoring the application's actions, security systems can identify and interrupt potential ransomware activity before it causes significant damage. This measure enables users to maintain control over their files and prevent unauthorised access by any threat actors.
2. Monitoring Web Application Activity:
In addition to halting web applications, this defense strategy focuses on continuously monitoring their activity on users' computers. By analysing patterns and behaviours associated with ransomware attacks, security systems can easily detect and respond to any anomalous activities. This real-time monitoring ensures timely intervention and minimizes the impact of browser-based ransomware on users' systems.
3. Introducing Permission Dialog Boxes:
To empower users with greater control over their file system access, this approach proposes the implementation of permission dialogue boxes. When a web application requests access to the user's local files, a dialogue box prompts the user to approve or deny the request, along with providing information about the associated risks and implications. By promoting user awareness and informed decision-making, this measure ensures security posture and reduces the likelihood of inadvertent file exposure to ransomware threats.
As technology continues to transform, so do the tactics employed by cybercriminals. By staying informed and implementing proactive cybersecurity measures, users can safeguard their digital assets against threats like browser-based ransomware.
Every day, Microsoft analyzes over 78 trillion security signals to gain a deeper understanding of the current threat pathways and methodologies. Since last year, we've seen a shift in how threat actors scale and use nation-state backing. It's apparent that companies are facing more threats than ever before, and attack chains are becoming more complicated. Dwell times have decreased, and tactics, techniques, and procedures (TTPs) have evolved to be more agile and evasive.
Based on these findings, here are five attack trends that end-user organizations should be watching regularly.
Some threat actor organizations prioritize stealth by using tools and processes that are already installed on their victims' systems. This enables attackers to fly under the radar and go undiscovered by concealing their operations among other threat actors that use similar approaches to launch assaults.
Volt Typhoon, a Chinese state-sponsored actor, is an example of this trend, having made news for targeting US critical infrastructure using living-off-the-land practices.
Nation-state actors have also developed a new type of tactics that blends cyber and influence operations (IO) techniques. This hybrid, known as "cyber-enabled influence operations," combines cyber methods such as data theft, defacement, distributed denial-of-service, and ransomware with influence methods such as data leaks, sockpuppets, victim impersonation, misleading social media posts, and malicious SMS/email communication to boost, exaggerate, or compensate for weaknesses in adversaries' network access or cyberattack capabilities.
For example, Microsoft has noticed various Iranian actors trying to use bulk SMS texting to increase and psychologically impact their cyber-influence activities. We're also seeing more cyber-enabled influence operations attempt to imitate alleged victim organizations or key figures inside those organizations to lend legitimacy to the impacts of the malware or compromise.
The increased use of small-office/home-office (SOHO) network edge devices is especially relevant for distributed or remote employees. Threat actors are increasingly using target SOHO devices—such as the router at a local coffee shop—to assemble hidden networks.
Some adversaries will even employ programs to locate susceptible endpoints around the world and identify potential targets for their next attack. This approach complicates attribution by having attacks appear from almost anywhere.
Microsoft has noticed an increase in the number of nation-state subgroups using publicly released proof-of-concept (POC) code to exploit vulnerabilities in Internet-facing apps.
This tendency can be seen in threat groups such as Mint Sandstorm, an Iranian nation-state actor that quickly exploited N-day vulnerabilities in common corporate systems and launched highly focused phishing attacks to get speedy and effective access to target environments.
We've noticed a persistent trend toward ransomware expertise. Rather than conducting an end-to-end ransomware campaign, threat actors are focusing on a limited set of skills and services.
This specialization has a breaking effect, distributing components of a ransomware attack across different vendors in a complicated underground market. Companies can no longer think of ransomware attacks as originating from a single threat actor or group.
Instead, they might be attacking the entire ransomware-as-a-service ecosystem. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, identifying which groups deal in initial access and which supply additional services.
As cyber defenses seek better ways to strengthen their security stance, it is critical to look to and learn from past trends and breaches. By examining these occurrences and understanding different attackers' motivations and preferred TTPs, we can better prevent such breaches in the future.
The IT services firm's most recent Cyber Security in Critical National Infrastructure report is based on interviews with over 1000 CISOs and equivalents from CNI providers in the United States and the United Kingdom.
It found that over a third (31%) identified "trust in cybersecurity tools" as a key challenge this year, up 121% from the 2023 edition of the survey.
Confidence in tools took a hit last year when the UK joined the US and other nations in warning providers of key services about China-backed action against CNI, according to the research.
74% of respondents expressed fear about Chinese state actors, which is comparable to 73% anxiety about Russian state operatives.
These worries are likely to have been heightened recently, with the United States warning in February that Chinese agents have pre-positioned themselves in several CNI networks to unleash damaging strikes in the event of a military conflict.
Budgets have declined in tandem with trust in tooling. According to the research, the share of IT (33%) and OT (30%) budgets set aside for cybersecurity has dropped drastically from 44% and 43% the previous year, respectively.
The dramatic reduction is evident across the board, from new recruits to training and risk assessments to technological investments.
Despite these financial challenges, nearly a third (30%) of CNI respondents who were victims of a ransomware attack last year informed Bridewell that they paid the extortionists.
Bridewell cautioned that, in addition to the fees, CNI enterprises could face legal consequences.
Ransom payments could, for example, be sent to persons facing legal repercussions from the United Kingdom, the United States, or the European Union. The UK's Office of Financial Sanctions Implementation has warned that payments may violate the law in other jurisdictions, according to the report.
Interestingly, more than a quarter (27%) of respondents reported that ransomware intrusions had a psychological impact on employees.
Bridewell CEO Anthony Young expressed sympathy for those firms that do wind up paying.
If the firm is unable to recover, paying the ransom may be the only viable alternative for resuming operations short of reinstalling its systems from the start, he argued.
However, this tough decision can be avoided by implementing a security plan that reduces the possibility of threat actors obtaining access and moving through your systems without being detected and effectively removed.
In recent warnings issued by the Department of Homeland Security (DHS), a concerning trend has emerged: emergency services are increasingly vulnerable to cyber-attacks, particularly ransomware incidents. These attacks pose significant risks not only to operational efficiency but also to public safety and the security of personal information.
Ransomware attacks, for those unfamiliar, involve hackers infiltrating computer systems and encrypting data, demanding payment for its release. Emergency services, including police departments and 911 call centres, have become prime targets for these attacks, leading to severe disruptions in critical operations. Picture a scenario where accessing emergency services during a crisis becomes impossible due to system outages—it's a frightening reality that stresses upon the urgency of addressing cybersecurity vulnerabilities.
The repercussions extend beyond mere operational disruptions. Cybercriminals gain access to highly sensitive personal information and police records, which can be exploited for various illicit activities, including identity theft and extortion. Such breaches not only compromise individuals' privacy but also undermine law enforcement's ability to effectively respond to emergencies, posing a significant threat to public safety.
One of the primary challenges in combating these cyber threats lies in the lack of resources and expertise at the local level. Many state and local governments, responsible for managing emergency service networks, struggle to keep pace with the rapidly expanding aspects of cybersecurity. Outdated technology systems and a shortage of cybersecurity personnel exacerbate the problem, leaving critical infrastructure vulnerable to exploitation by malicious actors.
Recent incidents in Bucks County, Pennsylvania, and Fulton County, Georgia, serve as stark reminders of the vulnerabilities within emergency services. In Bucks County, dispatchers were compelled to resort to manual processes after a cyberattack paralysed the 911 system, while Fulton County endured widespread disruption to government services following a cyber intrusion.
To address these challenges effectively, collaboration and preparedness are the key. Communities must prioritise cybersecurity measures, investing in modern technology systems, and providing comprehensive training for personnel to identify and respond to cyber threats promptly.
As society continues to rely increasingly on digital foundation, safeguarding critical services, particularly emergency response systems, becomes imperative. By remaining vigilant and proactive, we can fortify our communities against cyber threats, ensuring that emergency assistance remains readily accessible, even in the face of malicious cyber activity.