Sifting through the spines: identifying (potential) Cactus ransomware victims

This blog is part of a series written by various Dutch cyber security firms that have collaborated on research into the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them, please check the central blog post by the Dutch special interest group Cyberveilig Nederland [1].

The effectiveness of the public-private partnership called Melissa [2] is increasingly evident. The Melissa partnership, which includes Fox-IT, has identified overlap in a specific ransomware tactic. Multiple partners, sharing information from incident response engagements for their clients, found that the Cactus ransomware group uses a particular method for initial access. Following that discovery, NCC Group’s Fox-IT developed a fingerprinting technique to identify which systems around the world are vulnerable to this method of initial access or, even more critically, are already compromised.

Qlik Sense vulnerabilities

Qlik Sense, a popular data visualisation and business intelligence tool, has recently become a focal point in cybersecurity discussions. This tool, designed to aid businesses in data analysis, has been identified as a key entry point for cyberattacks by the Cactus ransomware group.

The Cactus ransomware campaign

Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers. These attacks are not just about exploiting software vulnerabilities; they also involve a psychological component, where Cactus misleads its victims with fabricated stories about the breach. This is likely part of their strategy to obscure their actual method of entry, complicating mitigation and response efforts for the affected organisations.

For those looking for in-depth coverage of these exploits, the Arctic Wolf blog [3] provides detailed insights into the specific vulnerabilities being exploited, notably CVE-2023-41266 and CVE-2023-41265, together known as ZeroQlik, and potentially CVE-2023-48365, also known as DoubleQlik.

Threat statistics and collaborative action

The scope of this threat is significant. In total, we identified 5205 Qlik Sense servers, of which 3143 seem to be vulnerable to the exploits used by the Cactus group. This is based on the initial scan on 17 April 2024. Closer to home in the Netherlands, we identified 241 vulnerable systems; fortunately, most do not seem to have been compromised. However, 6 Dutch systems were not so lucky and have already fallen victim to the Cactus group. It is crucial to understand that “already compromised” can mean either that the ransomware has been deployed and the initial access artefacts left behind were not removed, or that the system remains compromised and is potentially poised for a future ransomware attack.

Since 17 April 2024, the DIVD (Dutch Institute for Vulnerability Disclosure) and the governmental bodies NCSC (Nationaal Cyber Security Centrum) and DTC (Digital Trust Center) have teamed up to globally inform (potential) victims of cyberattacks resembling those from the Cactus ransomware group. This collaborative effort has enabled them to reach out to affected organisations worldwide, sharing crucial information to help prevent further damage where possible.

Identifying vulnerable Qlik Sense servers

Expanding on Praetorian’s thorough vulnerability research on the ZeroQlik and DoubleQlik vulnerabilities [4,5], we found a method to identify the version of a Qlik Sense server by retrieving a file called product-info.json from the server. While we acknowledge the existence of Nuclei templates for the vulnerability checks, using the server version allows for a more reliable evaluation of potential vulnerability status, e.g. whether it’s patched or end of support.

This JSON file contains the release label and version numbers by which we can identify the exact version that this Qlik Sense server is running.


Figure 1: Qlik Sense product-info.json file containing version information

Keep in mind that although Qlik Sense servers are assigned version numbers, the vendor typically refers to advisories and updates by their release label, such as “February 2022 Patch 3”.

The following cURL command can be used to retrieve the product-info.json file from a Qlik server:

curl -H "Host: localhost" -vk 'https://<ip>/resources/autogenerated/product-info.json?.ttf'

Note that we specify ?.ttf at the end of the URL to let the Qlik proxy server think that we are requesting a .ttf file, as font files can be accessed unauthenticated. Also, we set the Host header to localhost or else the server will return 400 - Bad Request - Qlik Sense, with the message The http request header is incorrect.

The ?.ttf extension trick no longer retrieves this file on servers that carry the patch for CVE-2023-48365; such servers always answer with a 302 Authenticate at this location response:

> GET /resources/autogenerated/product-info.json?.ttf HTTP/1.1
> Host: localhost
> Accept: */*
>
< HTTP/1.1 302 Authenticate at this location
< Cache-Control: no-cache, no-store, must-revalidate
< Location: https://localhost/internal_forms_authentication/?targetId=2aa7575d-3234-4980-956c-2c6929c57b71
< Content-Length: 0
<

Nevertheless, this is still a good way to determine the state of a Qlik instance, because if it redirects using 302 Authenticate at this location it is likely that the server is not vulnerable to CVE-2023-48365.

An example response from a vulnerable server would return the JSON file:

> GET /resources/autogenerated/product-info.json?.ttf HTTP/1.1
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: X-Qlik-Session=893de431-1177-46aa-88c7-b95e28c5f103; Path=/; HttpOnly; SameSite=Lax; Secure
< Cache-Control: public, max-age=3600
< Transfer-Encoding: chunked
< Content-Type: application/json;charset=utf-8
< Expires: Tue, 16 Apr 2024 08:14:56 GMT
< Last-Modified: Fri, 04 Nov 2022 23:28:24 GMT
< Accept-Ranges: bytes
< ETag: 638032013040000000
< Server: Microsoft-HTTPAPI/2.0
< Date: Tue, 16 Apr 2024 07:14:55 GMT
< Age: 136
<
{"composition":{"contentHash":"89c9087978b3f026fb100267523b5204","senseId":"qliksenseserver:14.54.21","releaseLabel":"February 2022 Patch 12","originalClassName":"Composition","deprecatedProductVersion":"4.0.X","productName":"Qlik Sense","version":"14.54.21","copyrightYearRange":"1993-2022","deploymentType":"QlikSenseServer"},
<snipped>

We utilised Censys and Google BigQuery [6] to compile a list of potential Qlik Sense servers accessible on the internet and conducted a version scan against them. Subsequently, we extracted the Qlik release label from the JSON response to assess vulnerability to CVE-2023-48365.

We consider a server vulnerable to DoubleQlik / CVE-2023-48365 if either of the following holds:

  1. The release label corresponds to an affected version as outlined in the original ZeroQlik and DoubleQlik vendor advisories [7,8].
  2. The release label is designated as End of Support (EOS) by the vendor [9], such as “February 2019 Patch 5”, so no fix exists for it.

We consider a server non-vulnerable if either of the following holds:

  1. The release label date is November 2023 or later, as the advisory states that “November 2023” is not affected.
  2. The server responded with HTTP/1.1 302 Authenticate at this location.

Any other responses were disregarded as invalid Qlik server instances.
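As an added example (not code from the original post or from Fox-IT), the version check and the classification criteria above, put together in one script. The sample responses are constructed (the first mirrors the vulnerable server shown earlier), and the EOS label set passed to classify() is an assumption for the demo; the real list comes from the vendor lifecycle page [9].

```python
"""Fingerprint a Qlik Sense server via product-info.json and classify it.
Added example, not the authors' scanner. DEMO_EOS_LABELS is an assumption
for the demo; take the real end-of-support list from the vendor page [9]."""
import http.client
import json
import re
import ssl

PRODUCT_INFO_PATH = "/resources/autogenerated/product-info.json?.ttf"
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
LABEL_RE = re.compile(r"^([A-Z][a-z]+) (\d{4})(?: Patch (\d+))?$")
CUTOFF = (2023, 11)  # "November 2023" and later are not affected (vendor advisory)


def fetch(host, path=PRODUCT_INFO_PATH, port=443, timeout=10.0):
    """Replay the page's cURL request: Host: localhost so the proxy does not
    answer 400, no certificate check (curl -k), and no redirect following so
    a 302 comes back as-is. Returns (status, reason, body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": "localhost", "Accept": "*/*"})
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    finally:
        conn.close()


def parse_release_label(label):
    """'February 2022 Patch 12' -> (2022, 2, 12). An initial release such as
    'November 2023' has no Patch suffix and is returned as patch 0."""
    m = LABEL_RE.match(label.strip())
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised release label: {label!r}")
    month, year, patch = m.groups()
    return int(year), MONTHS.index(month) + 1, int(patch or 0)


def classify(status, reason, body, eos_labels=frozenset()):
    """Apply the page's criteria to one response for PRODUCT_INFO_PATH.
    Returns (verdict, explanation); verdict is 'vulnerable',
    'not_vulnerable' or 'invalid'."""
    if status == 302 and reason == "Authenticate at this location":
        return "not_vulnerable", "patched proxy: the font-extension trick is redirected to authentication"
    if status != 200:
        return "invalid", f"HTTP {status} {reason}: not behaving like a Qlik Sense proxy"
    try:
        label = json.loads(body)["composition"]["releaseLabel"]
        year, month, _patch = parse_release_label(label)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:  # JSONDecodeError is a ValueError
        return "invalid", f"no parsable Qlik product-info.json: {exc}"
    if (year, month) >= CUTOFF:
        return "not_vulnerable", f"{label}: November 2023 or later"
    if label in eos_labels:
        return "vulnerable", f"{label}: end of support, no fix will ship"
    return "vulnerable", f"{label}: pre-November 2023 build still serving product-info.json unauthenticated"


# Constructed sample bodies; the first mirrors the vulnerable server shown on this page.
SAMPLE_VULNERABLE = json.dumps({"composition": {
    "senseId": "qliksenseserver:14.54.21", "releaseLabel": "February 2022 Patch 12",
    "productName": "Qlik Sense", "version": "14.54.21",
    "deploymentType": "QlikSenseServer"}}).encode()
SAMPLE_RECENT = json.dumps({"composition": {"releaseLabel": "November 2023"}}).encode()
SAMPLE_EOS = json.dumps({"composition": {"releaseLabel": "February 2019 Patch 5"}}).encode()
DEMO_EOS_LABELS = frozenset({"February 2019 Patch 5"})  # assumption for the demo only

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python qlik_fp.py <ip>
        print(classify(*fetch(sys.argv[1]), eos_labels=DEMO_EOS_LABELS))
    else:  # offline walk through the criteria
        for name, resp in [("200 + old label", (200, "OK", SAMPLE_VULNERABLE)),
                           ("302 redirect", (302, "Authenticate at this location", b"")),
                           ("200 + Nov 2023", (200, "OK", SAMPLE_RECENT)),
                           ("200 + EOS label", (200, "OK", SAMPLE_EOS)),
                           ("400 bad host", (400, "Bad Request", b""))]:
            print(f"{name:16} -> {classify(*resp, eos_labels=DEMO_EOS_LABELS)}")
```

Run it with an IP as the only argument for a live check; without arguments it walks through the five response shapes the criteria distinguish. Labels that do not match the “Month Year [Patch N]” pattern are reported as invalid rather than guessed at, which is the safer failure mode for a scan whose results get forwarded to a disclosure body.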

As of 17 April 2024, and as stated in the introduction of this blog, we have detected 5205 Qlik Servers on the Internet. Among them, 3143 servers are still at risk of DoubleQlik, indicating that 60% of all Qlik Servers online remain vulnerable.


Figure 2: Qlik Sense patch status for DoubleQlik CVE-2023-48365

The majority of vulnerable Qlik servers reside in the United States (396), trailed by Italy (280), Brazil (244), the Netherlands (241), and Germany (175).


Figure 3: Top 20 countries with servers vulnerable to DoubleQlik CVE-2023-48365

Identifying compromised Qlik Sense servers

Based on insights gathered from the Arctic Wolf blog and our own incident response engagements where the Cactus ransomware was observed, it is evident that the Cactus ransomware group continues to redirect the output of executed commands to a TrueType font file named qle.ttf, likely short for “qlik exploit”.

Below are a few examples of executed commands and their output redirection by the Cactus ransomware group:

whoami /all > ../Client/qmc/fonts/qle.ttf
quser > ../Client/qmc/fonts/qle.ttf

In addition to the qle.ttf file, we have also observed instances where qle.woff was used:


Figure 4: Directory listing with exploitation artefacts left by Cactus ransomware group

It’s important to note that these font files are not part of a default Qlik Sense server installation.

We discovered that files with a font file extension such as .ttf and .woff can be accessed without any authentication, regardless of whether the server is patched. This likely explains why the Cactus ransomware group opted to store command output in font files within the fonts directory, which in turn, also serves as a useful indicator of compromise.

Our scan for both font files found a total of 122 servers with this indicator of compromise. The United States ranked highest in exploited servers, with 49 online instances carrying the indicator, followed by Spain (13), Italy (11), the United Kingdom (8), Germany (7), and then Ireland and the Netherlands (6 each).


Figure 5: Top 20 countries with known compromised Qlik Sense servers

Out of the 122 compromised servers, 46 were not vulnerable anymore.

When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios. Firstly, it may suggest that remote code execution was carried out on the server, followed by subsequent patching to address the vulnerability (if the server is not vulnerable anymore). Alternatively, its presence could signify a leftover artefact from a previous security incident or unauthorised access.

While the root cause for the presence of these files is hard to determine from the outside, their presence is still a reliable indicator of compromise.

Responsible disclosure by the DIVD

We shared our fingerprints and scan data with the Dutch Institute for Vulnerability Disclosure (DIVD), who then proceeded to issue responsible disclosure notifications to the administrators of the Qlik Sense servers.

Call to action

Ensure the security of your Qlik Sense installations by checking your current version. If your software is still supported, apply the latest patches immediately. For systems that are at the end of support, consider upgrading or replacing them to maintain robust security.

Additionally, to enhance your defences, it’s recommended to avoid exposing these services to the entire internet. Implement IP whitelisting if public access is necessary, or better yet, make them accessible only through secure remote working solutions.

If you discover you’ve been running a vulnerable version, it’s crucial to contact your (external) security experts for a thorough check-up to confirm that no breaches have occurred. Taking these steps will help safeguard your data and infrastructure from potential threats.

References

  1. https://cyberveilignederland.nl/actueel/persbericht-samenwerkingsverband-melissa-vindt-diverse-nederlandse-slachtoffers-van-ransomwaregroepering-cactus
  2. https://www.ncsc.nl/actueel/nieuws/2023/oktober/3/melissa-samenwerkingsverband-ransomwarebestrijding
  3. https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
  4. https://www.praetorian.com/blog/qlik-sense-technical-exploit/
  5. https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/
  6. https://support.censys.io/hc/en-us/articles/360038759991-Google-BigQuery-Introduction
  7. https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
  8. https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2120325
  9. https://community.qlik.com/t5/Product-Lifecycle/Qlik-Sense-Enterprise-on-Windows-Product-Lifecycle/ta-p/1826335

Originally published by Willem Zeeman and Yun Zheng Hu: Sifting through the spines: identifying (potential) Cactus ransomware victims

Reposted by admin on 27 April 2024 at 21:07.