Qlik Sense Servers Prone To Cactus Ransomware Threats

A number of organizations still haven't applied the necessary patches, leaving them vulnerable to potential attacks.

Security experts are urgently warning about the vulnerability of thousands of Qlik Sense servers to potential ransomware attacks by the troubling Cactus group. Despite prior disclosures of vulnerabilities by Qlik, many organisations remain at risk due to unpatched systems.

Qlik, an eminent player in data visualisation and business intelligence, disclosed two critical vulnerabilities, known as CVE-2023-41266 and CVE-2023-41265, in August last year. These flaws, when exploited together, enable remote attackers to execute arbitrary code on vulnerable systems. Additionally, a subsequent disclosure in September, CVE-2023-48365, revealed a bypass of Qlik's initial fix, leaving systems vulnerable to exploitation.

Recent reports highlight the active exploitation of these vulnerabilities by the Cactus ransomware group to infiltrate target environments. Despite warnings from security vendors like Arctic Wolf, ongoing attacks persist. A recent scan by Fox-IT uncovered over 5,000 internet-accessible Qlik Sense servers, with a significant portion still vulnerable to exploitation.

Countries such as the US, Italy, Brazil, the Netherlands, and Germany host a concerning number of vulnerable servers, elevating the risk for organisations in these regions. In response, security organisations like Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) have launched efforts under Project Melissa to disrupt Cactus group operations.

Upon identifying vulnerable servers, Fox-IT and DIVD have actively notified affected organisations, urging immediate action to mitigate the risk of a ransomware attack. Joining the effort, the ShadowServer Foundation emphasises the urgent need for remediation to prevent compromise.

To assist organisations in identifying potential compromise, specific indicators such as the presence of unusual font files, qle.ttf and qle.woff, have been highlighted. These files, not standard in Qlik Sense installations, may indicate unauthorised access or remnants of previous security incidents.
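As an added check (example code written for this page, not Fox-IT's, DIVD's or Qlik's tooling), the following Python walks an installation directory for the two file names above and records path, size, modification time and SHA-256 for each hit so the finding can be preserved and compared across hosts; the sample tree it scans is constructed inline and is not a real Qlik Sense layout.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Indicator file names named in the article; matched case-insensitively.
INDICATOR_FILES = {"qle.ttf", "qle.woff"}


def sha256_of(path: str) -> str:
    """Hash the file so a hit can be recorded and compared across hosts."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_indicator_files(root: str) -> list:
    """Walk root and return a record (path, size, mtime, sha256) per match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDICATOR_FILES:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                hits.append({
                    "path": path,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_of(path),
                })
    return hits


def demo() -> list:
    """Constructed sample tree: one benign font file and one indicator file."""
    root = tempfile.mkdtemp(prefix="qlik-ioc-demo-")
    fonts = os.path.join(root, "Client", "fonts")  # hypothetical layout
    os.makedirs(fonts)
    with open(os.path.join(fonts, "opensans.woff"), "wb") as fh:
        fh.write(b"benign font bytes")
    with open(os.path.join(fonts, "QLE.TTF"), "wb") as fh:  # mixed case on purpose
        fh.write(b"constructed indicator content")
    return find_indicator_files(root)


if __name__ == "__main__":
    for hit in demo():  # point find_indicator_files() at the real install root instead
        print(hit)
```

A hit warrants investigation rather than confirming compromise, and an empty result does not rule out compromise by other means.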

Recognising the gravity of the situation, Fox-IT stressed the need for proactive measures to address the potential risks of ransomware attacks. These measures include promptly patching vulnerable systems to fix known security issues and conducting thorough security assessments to identify and resolve any existing weaknesses in the network infrastructure.

Additionally, organisations are encouraged to implement robust cybersecurity measures, such as deploying intrusion detection and prevention systems, enhancing network segmentation to limit the impact of potential breaches, and enforcing strong access controls to prevent unauthorised access to sensitive data.

Regular employee training and awareness programs play a crucial role in identifying and mitigating security risks, including phishing attacks or social engineering attempts. By educating employees about the latest cybersecurity threats and best practices, organisations can strengthen their overall security posture and reduce the risk of successful ransomware attacks.

Moreover, maintaining up-to-date backups of critical data is essential to ensure data integrity and facilitate recovery in the event of a ransomware attack. Organisations should establish a comprehensive backup strategy that includes regular backups, secure storage of backup data, and testing of backup restoration procedures to ensure their effectiveness.

Given these developments, the collective efforts of security organisations, alongside proactive measures by organisations, are critical in mitigating the risk posed by the Cactus ransomware group and similar threats.

