Many organizations remain dangerously vulnerable to the Cactus ransomware group, despite security researchers warning of the threat five months ago. The Cactus ransomware group exploits three vulnerabilities in QlikSense's data analytics and business intelligence platform. Two vulnerabilities were released in August and September by Qlik, which were identified as CVE-2023-41266 and CVE-2023-41265. In August, the company disclosed two vulnerabilities in multiple versions of Qlik Sense Enterprise for Windows that CVE-2023-41266 and CVE-2023-41265 tracked. 

As a result of these vulnerabilities, an attacker can execute arbitrary code on affected systems remotely, unauthenticated, and in a chain. A vulnerability in Qlik CVE-2023-48365 was released in September, which proved to be a bypass of Qlik's fix for the two previously disclosed flaws from August. Two months later, Arctic Wolf reported that operators of the Cactus ransomware had exploited the three vulnerabilities to gain a foothold in targeted systems by exploiting the three vulnerabilities. 

During that period, the vendor was alerting customers of multiple instances of receiving attacks through Qlik Sense vulnerabilities and warned of a rapidly developing Cactus group campaign at the time. It appears that many organizations have not received the memo yet, as a scan conducted by Fox-IT on April 17 revealed that of the 5,205 QlikSense servers that were still susceptible to the exploits of Cactus Group on April 17, there were still 3,143 still vulnerable.

It appears that the majority of those vulnerable servers are found in the countries which have a relatively high number of QlikSense servers, such as Italy, which has 280 exposed servers, Brazil, which has 244 exposed servers, the Netherlands and Germany, which both have 241 exposed servers each. There have been reports that threat actors have been targeting QlikSense servers with software vulnerabilities, and are misleading victims with elaborate stories, as reported by Cyber Security News. 

The reports by Shadowserver indicate that approximately 5,200 Qlik servers are exposed to the internet, of which 3,100 are vulnerable to exploitation by Cactus and the Cactus group. There have been 241 compromised systems identified in the Netherlands by threat actors, and 6 of them have already been compromised. An existing Nuclei template could be used to identify vulnerable QlikSense servers that are exposed to the Internet to identify vulnerable QlikSense servers. 

Using this template, multiple research steps were involved in identifying the list of servers and compromised servers. It was researchers who found vulnerable servers using the “product-info.json” file. As a result of the release label and version numbers in this file, it can be assumed that the exact version of the running QlikSense server could be revealed within this file.

Additionally, the release label parameter contains information such as "February 2022 Patch 3" which indicates that the latest update has been provided to Qlik Sense as well as the relevant advisory system. Using the cURL command, the below .ttf (True Type Font) file can be used to retrieve this information from the product-info.json file. It specifies that a .ttf file will be used to point the request to that file. You can access font files without having to authenticate on QlikSense servers, and you can bypass a 400 bad request response by using the “Host: localhost” parameter. 

The server that has been patched will return a message of “302 Authenticate at this location” in response, while the vulnerable server will return a 200 OK response, containing information regarding the file. Moreover, a response of 302 or a release label parameter of a Qlik server that contains the content of “November 2023” is considered non-vulnerable. Consequently, Fox-IT discovered thousands of vulnerable servers as a result of its research. 

The information that Fox-IT collected and shared was shared with the Dutch Institute for Vulnerability Disclosure (DIVD), as well as with other Dutch authorities, NCSC and the Digital Trust Center (DTC). Besides informing victims at a national level, the DIVD also informed officials and specialists in other countries who could benefit from the information as well. There are currently 5,205 active Qlik Sense servers around the world, of which 3,143 are vulnerable to an attack via the Internet. 

The Cactus group has attacked these servers in the Netherlands in the same way every time, which implies that they are the group's preferred attack route all over the world. A total of 122 Qlik servers have been compromised so far in the campaign. Researchers report that there is a high probability that such a problem has been caused by Cactus. For these servers to be protected against this threat, they must be updated to eliminate it. 

For Dutch companies to take measures to protect themselves, the Digital Trust Center (DTC), which is part of the Ministry of Economic Affairs, notified the companies of the threat so that they could take some precautions. Several foreign cyber organizations, including the American Cybersecurity & Infrastructure Security Agency (CISA) and the FBI, were notified of the vulnerabilities by the Dutch Institute for Vulnerability Disclosure (DIVD). 

Recently, there have been several ransomware attacks on Dutch companies and institutions, which have rattled them. There were several victims among them, including the Dutch Football Association KNVB, the KNVB, the VDL Group, the Maastricht University, Hof van Twente, Radio Nederland, the Netherlands Organization of Scientific Research and Mediamarkt. In most cases, the ransom fee was requested in return for the encryption key. 

There were over 140,000 Dutch companies in the last year who were warned of specific cyber threats as a result of the Digital Trust Center. To mitigate the risk of exploitation by threat actors, organizations and users of Qlik Sense servers are advised to promptly update to the latest version following the provided security advisories.