Fraud Management & Cybercrime , Ransomware

Cactus Ransomware Using Qlik Bugs, DanaBot in Latest Attacks

Operators Exploit Flaws in Data Analytics Platform to Access Corporate Networks
Cactus Ransomware Using Qlik Bugs, DanaBot in Latest Attacks
Operators of Cactus ransomware are staying active, security researchers say. (Image: Shutterstock)

Operators of a new ransomware strain dubbed Cactus are using critical vulnerabilities in a data analytics platform to gain access to corporate networks. Cactus ransomware operators are also getting an assist from deploying Danabot malware that is distributed through malvertising.

See Also: The Cost of Underpreparedness to Your Business

Cactus ransomware first emerged in March and adopted a double-extortion tactic - stealing and encrypting data. It has visibly ramped up operations in the past few months and has participated in a surge of ransomware activities this fall, setting record-breaking levels of ransomware attacks. Cactus listed 33 victims in September, U.K.-based cybersecurity firm NCC Group said in October (see: Known Ransomware Attack Volume Breaks Monthly Record, Again).

Cactus' campaign, which cybersecurity firm Arctic Wolf said affects data analytics platform Qlik Sense, uses vulnerabilities initially detected by researchers in August. One vulnerability, identified as CVE-2023-41266, is a path traversal bug that could be exploited to generate anonymous sessions and execute unauthorized HTTP requests. Another flaw, CVE-2023-41265, has a critical-severity CVSS rating of 9.8. It does not require authentication and allows privilege escalation and execution of HTTP requests on the back-end server hosting the application.

In September, Qlik discovered that hackers could bypass the fix for CVE-2023-41265, prompting a new update for a separate vulnerability identified as CVE-2023-48365.

Arctic Wolf said that the Cactus ransomware operators exploit these security flaws to initiate new processes in the Qlik Sense Scheduler Service. The attackers download legitimate tools such as AnyDesk and Rclone to establish persistence, gain remote access and exfiltrate data. The tools and techniques used by the threat actors in this campaign align with those observed in previous Cactus ransomware incidents disclosed earlier in May by cybersecurity firm Kroll.

Danabot Handing Off Initial Access to Cactus

Microsoft Threat Intelligence on Friday said in a tweet thread that it had detected Danabot infections through malvertising leading to hands-on-keyboard activity resulting in Cactus ransomware infections.

Microsoft tracks Danabot as Storm-0216, and it is also known as Twisted Spider and UNC2198.

"Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown," Microsoft said (see: Operation 'Duck Hunt' Dismantles Qakbot).

Researchers first observed this Danabot campaign in November. The malware collects user credentials and other information that it sends to command and control, "followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216," Microsoft said.

Storm-0216 previously has been linked to the Maze Cartel, which was created when Twisted Spider, Viking Spider and the operators of LockBit ransomware entered into an apparent collaborative business arrangement. The group also deployed Maze or Egregor ransomware in its earlier attacks.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.