Posts with label Cactus ransomware

Qlik Sense Servers Prone To Cactus Ransomware Threats

 


Security researchers are warning that thousands of internet-exposed Qlik Sense servers remain open to attack by the Cactus ransomware group. Qlik disclosed and patched the underlying vulnerabilities months ago, yet many organisations have still not applied the updates.

Qlik, a data visualisation and business intelligence vendor, disclosed two critical vulnerabilities in Qlik Sense Enterprise for Windows in August 2023, tracked as CVE-2023-41266 and CVE-2023-41265. Chained together, they let an unauthenticated remote attacker execute arbitrary code on a vulnerable server. A third advisory in September, CVE-2023-48365, covered a bypass of Qlik's initial fix, so servers that had applied only the August patch remained exploitable.

Arctic Wolf reported in November 2023 that the Cactus ransomware group was exploiting these vulnerabilities to gain initial access to target environments, and the attacks have continued since. A recent Fox-IT scan found more than 5,000 internet-accessible Qlik Sense servers, a large share of which were still vulnerable.

The US, Italy, Brazil, the Netherlands and Germany account for the largest numbers of vulnerable servers, so organisations in those countries face the most exposure. In response, Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD), working together under Project Melissa, have started an effort to disrupt the Cactus group's operations.

Once vulnerable servers had been identified, Fox-IT and DIVD notified the affected organisations and urged them to patch immediately to head off a ransomware attack. The Shadowserver Foundation has joined the effort and is likewise pressing for remediation before the servers are compromised.

To help organisations determine whether a server has already been compromised, a specific indicator has been highlighted: the presence of the font files qle.ttf and qle.woff. These files are not part of a standard Qlik Sense installation; finding them may indicate unauthorised access, or remnants of an earlier incident. Their absence does not prove a server is clean, so patching should not wait on the result of this check.

Given the severity of the situation, Fox-IT stressed that organisations should act rather than wait to be attacked: patch vulnerable systems promptly to close the known flaws, and run a thorough security assessment to find and fix any other weaknesses in the network infrastructure.

Beyond patching, organisations are encouraged to deploy intrusion detection and prevention systems, to segment the network so that a breached server cannot reach everything else, and to enforce strong access controls that keep unauthorised users away from sensitive data.

Regular employee training and awareness programmes also matter, since phishing and social engineering remain common routes in. Staff who know the current threats and the expected practices are less likely to hand an attacker the initial foothold a ransomware operation needs.

Finally, up-to-date backups of critical data are essential for recovering from a ransomware attack without paying. A sound backup strategy covers regular backups, storage that a compromised account on the production network cannot reach or alter, and periodic restore tests to confirm the backups actually work.

Taken together, the coordinated work of the security organisations and prompt action by affected organisations are what will limit the damage the Cactus ransomware group and similar threats can do.


Cactus Ransomware Exposes Thousands of Vulnerable Qlik Sense Servers

 


Many organizations remain dangerously exposed to the Cactus ransomware group, five months after security researchers first warned of the threat. The group exploits three vulnerabilities in Qlik Sense, Qlik's data analytics and business intelligence platform. In August, Qlik disclosed the first two, tracked as CVE-2023-41266 and CVE-2023-41265, which affect multiple versions of Qlik Sense Enterprise for Windows.

Chained together, these two flaws let an unauthenticated remote attacker execute arbitrary code on an affected server. The third, CVE-2023-48365, was disclosed in September and is a bypass of Qlik's fix for the two August flaws. Two months later, Arctic Wolf reported that Cactus operators were exploiting all three to gain a foothold in targeted systems.

At the time, the vendor was alerting customers to multiple attacks coming in through the Qlik Sense vulnerabilities and warned of a rapidly developing Cactus campaign. Many organizations evidently never got the memo: a Fox-IT scan on April 17 found 5,205 internet-exposed Qlik Sense servers, of which 3,143 were still vulnerable to the exploits the Cactus group uses.

Most of the vulnerable servers are in countries with a large Qlik Sense footprint: Italy (280 exposed servers), Brazil (244), and the Netherlands and Germany (241 each). Cyber Security News has also reported threat actors targeting Qlik Sense servers through these vulnerabilities and misleading victims with elaborate pretexts.

Shadowserver's figures agree: roughly 5,200 Qlik servers are exposed to the internet, about 3,100 of them vulnerable to the Cactus group's exploits. In the Netherlands, 241 exposed servers were identified, six of which had already been compromised. An existing Nuclei template can be used to identify vulnerable Qlik Sense servers that are exposed to the internet.

Several research steps were needed to get from that template to a list of vulnerable and compromised servers. The researchers fingerprinted servers using the product-info.json file: its release label and version number reveal the exact version of the running Qlik Sense server.

The release label holds a value such as "February 2022 Patch 3", which identifies the installed release and patch level and can be matched against Qlik's advisories. The file can be retrieved with cURL by crafting the request so that it is treated as a request for a .ttf (TrueType Font) file while the path actually resolves to product-info.json: font files are served without authentication on Qlik Sense servers, and adding a "Host: localhost" header bypasses the 400 Bad Request the server otherwise returns.

A patched server answers with a 302 redirect to the authentication location, while a vulnerable server returns 200 OK with the contents of the file. A 302 response, or a release label containing "November 2023", is treated as not vulnerable. Applying this check across the internet is how Fox-IT found thousands of vulnerable servers.
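The decision rule above, written out as a triage function, as an added example that is not Fox-IT's Nuclei template or any Qlik code. It treats a 302 as patched, a 200 whose release label is November 2023 or any later release as not vulnerable (a generalisation of the "contains November 2023" rule, since later release lines ship with the fix), and a 200 with an older label as vulnerable. The JSON layout (releaseLabel and version under a "composition" object), the sample responses, and the probe path the caller passes in are assumptions; the page does not give the traversal URL.

```python
"""Triage an unauthenticated product-info.json probe against a Qlik Sense
server. Added example; the JSON layout and sample responses are constructed."""
import http.client
import json
import re
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# First release line that shipped with the fix for the bypass, per the text
# above. Patched servers on earlier lines stop serving the file (302), so a
# 200 with an older label means unauthenticated access still works.
FIXED_FROM = (2023, 11)

# Host: localhost sidesteps the 400 Bad Request the server otherwise returns.
PROBE_HEADERS = {"Host": "localhost", "User-Agent": "qlik-version-check"}


@dataclass
class Verdict:
    state: str                          # patched | not_vulnerable | vulnerable | unknown
    release_label: Optional[str] = None
    version: Optional[str] = None


def parse_release_label(label: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """'February 2022 Patch 3' -> (2022, 2, 3); 'November 2023' -> (2023, 11, 0)."""
    m = re.match(r"\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?", label or "")
    if not m or m.group(1).lower() not in MONTHS:
        return None
    return int(m.group(2)), MONTHS[m.group(1).lower()], int(m.group(3) or 0)


def classify(status: int, body: str) -> Verdict:
    """Apply the 302 / 200-with-label rule to one probe response."""
    if status == 302:
        return Verdict("patched")
    if status != 200:
        return Verdict("unknown")
    try:
        info = json.loads(body)
    except ValueError:
        return Verdict("unknown")
    comp = info.get("composition", info)        # tolerate a flat layout too (assumption)
    label, version = comp.get("releaseLabel"), comp.get("version")
    parsed = parse_release_label(label)
    if parsed is None:
        return Verdict("unknown", label, version)
    state = "not_vulnerable" if parsed[:2] >= FIXED_FROM else "vulnerable"
    return Verdict(state, label, version)


def probe(host: str, path: str, port: int = 443, timeout: float = 10) -> Tuple[int, str]:
    """Send the probe and return (status, body). `path` is the caller's
    font-suffixed traversal URL (an assumption here). Qlik installs commonly
    use self-signed certificates, so verification is disabled for this
    fingerprinting request only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("GET", path, headers=PROBE_HEADERS)
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "old":     (200, json.dumps({"composition": {"releaseLabel": "February 2022 Patch 3",
                                                 "version": "14.54.3"}})),
    "fixed":   (200, json.dumps({"composition": {"releaseLabel": "November 2023",
                                                 "version": "14.159.4"}})),
    "patched": (302, ""),
    "garbage": (200, "<html>not json</html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:8s} -> {classify(status, body)}")
```

Note that the label comparison is only reached for a 200: on a patched server the redirect is the signal, regardless of which release line it runs, which is why the check does not need Qlik's per-line patch numbers.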

Fox-IT shared its findings with the Dutch Institute for Vulnerability Disclosure (DIVD) and with the Dutch authorities NCSC and the Digital Trust Center (DTC). Besides notifying victims in the Netherlands, DIVD passed the information to officials and specialists in other countries. Worldwide there are 5,205 active Qlik Sense servers, of which 3,143 can be attacked from the internet.

The Cactus group has attacked the Dutch servers in the same way every time, which suggests this is its preferred route in everywhere. A total of 122 Qlik servers are known to have been compromised in the campaign so far, and the researchers judge it highly probable that Cactus is behind them. The only way to protect these servers is to update them.

The Digital Trust Center (DTC), part of the Ministry of Economic Affairs, notified Dutch companies of the threat so that they could take precautions. DIVD also informed foreign agencies, including the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI.

Several Dutch companies and institutions have been hit by ransomware recently, among them the Dutch Football Association KNVB, the VDL Group, Maastricht University, the municipality of Hof van Twente, Radio Nederland, the Netherlands Organisation for Scientific Research and MediaMarkt. In most cases a ransom was demanded in exchange for the decryption key.

Last year the Digital Trust Center warned more than 140,000 Dutch companies about specific cyber threats. Organizations running Qlik Sense are advised to update to the latest version promptly, following Qlik's security advisories.

Cactus Ransomware Strikes Schneider Electric, Demands Ransom

 


The Cactus ransomware group claims to have breached Schneider Electric's Sustainability Business division and stolen 1.5 terabytes of data. The intrusion occurred on January 17th, and the gang is now threatening to publish the data if a ransom is not paid.

The group has already leaked 25 MB of the allegedly stolen data on its dark web leak site, including scans of American citizens' passports and of non-disclosure agreements. Schneider Electric, a French multinational specialising in energy management and automation, is being pressured to pay to prevent further leaks.

The precise nature of the stolen data is not yet known. Schneider Electric's Sustainability Business division provides renewable energy and regulatory compliance services to major global companies including Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo and Walmart, so the compromised data could include sensitive information about customers' industrial control and automation systems and about their environmental and energy regulation compliance.

Cactus is a relatively new ransomware operation that emerged in March 2023 and runs double-extortion attacks. The group gains access to corporate networks by various means, including purchased credentials, partnerships with malware distributors, phishing, and exploitation of security vulnerabilities.

Once inside a network, the operators move through it and steal sensitive data to use as leverage in ransom negotiations. Since its emergence, Cactus has claimed more than 100 victim companies, leaking their data or threatening to do so while negotiations are still under way.

This is not the first time Schneider Electric has been hit. The company was previously caught up in the Clop ransomware gang's mass data-theft attacks, which affected more than 2,700 other organisations. Schneider Electric employs over 150,000 people worldwide and reported $28.5 billion in revenue for 2023.

Companies and individuals alike need to stay alert. Security practitioners stress the basics: strong security controls, prompt patching of software, and employees who know what the current risks look like. These measures limit the fallout from a ransomware attack and are far cheaper than recovering from one.

The Cactus attack on Schneider Electric is another reminder of how frequent and capable ransomware operations have become. Businesses must treat security as a priority to protect sensitive information and avoid financial and reputational damage.


Twisted Spider's Dangerous CACTUS Ransomware Attack

In a recent campaign, the group Twisted Spider, also tracked as Storm-0216, has teamed up with the cybercriminal group Storm-1044. Storm-1044 compromises targeted endpoints with the DanaBot trojan, which serves as the initial access tool.

Twisted Spider then uses that access to deploy the CACTUS ransomware. Microsoft Threat Intelligence described Storm-0216's tactics in a post on X: the group, also known as Twisted Spider and UNC2198, is relying on the DanaBot banking trojan for its initial access. The pairing of an established info-stealer with a ransomware crew illustrates how Twisted Spider's operations keep evolving.

The researchers also pointed to Storm-0216's adaptability. The group previously relied on QakBot infections for access, but after law enforcement dismantled the QakBot operation last summer, it had to pivot to a different platform.

The current DanaBot campaign, first observed in November, marks a notable shift: rather than the malware-as-a-service offering, the group appears to be using a private version of the info-stealing malware. According to Microsoft, DanaBot infections in this campaign are followed by hands-on-keyboard activity by the operators, a change from how the malware had been deployed before.

The shift shows how readily the group adjusts its tooling in response to law enforcement action, and why a takedown of one loader rarely ends the ransomware deployments that depended on it.

Let’s Understand the Method of the Attack 

Once Storm-1044 has harvested login credentials, it moves laterally across the network by attempting Remote Desktop Protocol (RDP) sign-ins to other endpoints. With access established, it hands over to Twisted Spider, which deploys the CACTUS ransomware on the compromised endpoints.
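The RDP sign-in pattern described above is detectable from Windows logon telemetry: one account and source address reaching many hosts in a short window, with some attempts failing because the stolen credential does not work everywhere. The following is an added example of that detection logic, not Microsoft's or any vendor's rule; the event records are constructed to resemble Windows Security events 4624 (logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP), and the account names, hosts and addresses are invented.

```python
"""Flag accounts that fan out over RDP to many hosts in a short window.
Added example; the event records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # LogonType 10 = RemoteInteractive (RDP)

SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, account, source_ip, target_host)
    ("2023-11-20T02:01:05", 4624, 10, r"CORP\svc_backup", "10.0.5.23", "FS01"),
    ("2023-11-20T02:01:40", 4625, 10, r"CORP\svc_backup", "10.0.5.23", "SQL02"),
    ("2023-11-20T02:02:12", 4624, 10, r"CORP\svc_backup", "10.0.5.23", "SQL02"),
    ("2023-11-20T02:03:30", 4624, 10, r"CORP\svc_backup", "10.0.5.23", "DC01"),
    ("2023-11-20T02:04:01", 4624, 10, r"CORP\svc_backup", "10.0.5.23", "APP07"),
    ("2023-11-20T02:05:15", 4624, 10, r"CORP\svc_backup", "10.0.5.23", "WEB03"),
    # A normal admin day: two hosts, hours apart.
    ("2023-11-20T09:15:00", 4624, 10, r"CORP\jdoe", "10.0.8.41", "FS01"),
    ("2023-11-20T13:40:00", 4624, 10, r"CORP\jdoe", "10.0.8.41", "APP07"),
    # Console logon (LogonType 2) is not RDP and is ignored.
    ("2023-11-20T02:02:00", 4624, 2, r"CORP\svc_backup", "-", "FS01"),
]


def rdp_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {(account, source_ip): {"hosts": [...], "failures": n}} for each
    account/source pair whose RDP logon attempts, successful or not, reach at
    least `min_hosts` distinct hosts inside some `window`-long sliding interval.
    Failed attempts count too: a credential that works on some hosts and not on
    others is exactly what a spray from a foothold looks like."""
    by_actor = defaultdict(list)
    for ts, event_id, logon_type, account, src, host in events:
        if event_id not in (4624, 4625) or logon_type != RDP_LOGON_TYPE:
            continue
        by_actor[(account, src)].append(
            (datetime.fromisoformat(ts), host, event_id == 4625))

    alerts = {}
    for actor, attempts in by_actor.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= min_hosts:
                alerts[actor] = {
                    "hosts": sorted(hosts),
                    "failures": sum(1 for _, _, failed in in_window if failed),
                }
                break
    return alerts


if __name__ == "__main__":
    for (account, src), info in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"{account} from {src}: {len(info['hosts'])} hosts within 10 min, "
              f"{info['failures']} failure(s): {', '.join(info['hosts'])}")
```

Tune `min_hosts` and `window` to the environment; jump hosts and patch-management accounts will need an allow-list, and the source address should be the workstation or server the attacker is operating from, not a VPN concentrator that hides many users behind one IP.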

What is CACTUS Ransomware? 

CACTUS is becoming a frequently seen ransomware payload. Arctic Wolf researchers recently warned that attackers had exploited three vulnerabilities in the Qlik Sense data analytics platform to deploy this variant and steal sensitive company data.

Why Is It More Threatening?

In May, researchers at Kroll reported a notable evasion technique. Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told BleepingComputer that CACTUS bypasses security controls by, in effect, encrypting itself: the encryptor is stored in encrypted form and only unpacked at run time, which makes it harder for antivirus and network monitoring tools to recognise.

Cactus: New Ransomware Encrypts Itself to Evade Detection


Cactus, a newly discovered ransomware operation, has been exploiting vulnerabilities in VPN appliances to gain initial access to the networks of "large commercial entities."

The threat actor uses the usual file encryption and data theft techniques seen in ransomware attacks, but its encryptor encrypts itself to evade antivirus detection, which makes it notably harder to catch and remove.

Encrypted Configuration Twist

According to Kroll's investigators, Cactus gets into victims' networks by exploiting security flaws in VPN appliances, using compromised service accounts to authenticate to the VPN servers.

The self-encryption trait is what sets Cactus apart. The operators use a batch script and the 7-Zip compression tool to extract the encryptor binary from an encrypted archive. Once the binary is extracted, the original ZIP archive is deleted and the binary is run with a specific parameter, leaving little on disk for antivirus software to identify.

Kroll's investigators explain that the binary is run with three separate switches: -s for initialization, -r for loading a configuration file, and -i for encryption.

Once inside the network, the attackers maintain their presence with an SSH backdoor and scheduled tasks while carrying out reconnaissance: pinging remote hosts, enumerating endpoints, and identifying user accounts.

To maximise damage, the operators run a batch script that disables common antivirus software. Files are exfiltrated from infected machines to a cloud server, after which a PowerShell script automates encryption across the compromised hosts.

Details of the Cactus operation, of the victims it targets, and of whether the operators actually deliver a working decryptor when paid are not yet available. Even so, applying the latest vendor updates, watching for large outbound data transfers, and responding quickly to the early signs of intrusion should guard against the most destructive final stages of a ransomware attack.