TLDR:
- Many organizations are still vulnerable to Cactus ransomware due to unpatched Qlik Sense servers
- Qlik disclosed the vulnerabilities in August and September 2023, but Cactus actors have been exploiting them on servers that were never patched
Thousands of Qlik Sense servers remain open to Cactus ransomware, despite Qlik patching the vulnerabilities last year. The vulnerabilities, tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, allow remote attackers to execute arbitrary code on affected systems. Despite warnings from security researchers and organizations like Arctic Wolf, many organizations have not patched their servers. A scan by Fox-IT revealed 3,143 internet-accessible Qlik Sense servers that were still vulnerable to Cactus group’s exploits. Countries with a high number of vulnerable servers include the US, Italy, Brazil, Netherlands, and Germany.
Project Melissa, a collaborative effort in the Netherlands, is working to disrupt Cactus group operations. Security organizations like Fox-IT and ShadowServer Foundation are reaching out to potentially compromised organizations. ShadowServer issued a critical alert warning of a high likelihood of compromise for unremediated servers. Fox-IT identified at least 122 likely compromised Qlik Sense instances, with the majority located in the US, Spain, and Italy. It’s crucial for organizations to take action to secure their Qlik Sense servers to prevent potential ransomware attacks.
Overall, organizations need to prioritize patching their Qlik Sense servers and staying informed about security threats like Cactus ransomware to prevent potential data breaches and financial losses.