Thousands of Qlik Sense Servers Open to Cactus Ransomware

Published: 23/11/2024   Category: security

The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have still not applied the patches.



Nearly five months after security researchers warned that the Cactus ransomware group was leveraging a set of three vulnerabilities in the Qlik Sense data analytics and business intelligence (BI) platform, many organizations remain dangerously exposed to the threat.
Qlik disclosed the vulnerabilities in August and September 2023. The company's August disclosure covered two bugs in multiple versions of Qlik Sense Enterprise for Windows, tracked as CVE-2023-41266 and CVE-2023-41265. When chained, the vulnerabilities give a remote, unauthenticated attacker a way to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, which turned out to be a bypass of Qlik's fix for the two August flaws.
Gartner has ranked Qlik as one of the top data visualization and BI vendors in the market.
Two months later, Arctic Wolf reported observing operators of Cactus ransomware exploiting the three vulnerabilities to gain an initial foothold in target environments. At the time, the security vendor said it was responding to multiple instances of customers being attacked via the Qlik Sense vulnerabilities and described the Cactus campaign as rapidly developing.
Even so, many organizations appear not to have received the memo. A scan by researchers at Fox-IT on April 17 uncovered a total of 5,205 Internet-accessible Qlik Sense servers, of which 3,143 were still vulnerable to the Cactus group's exploits. Of that number, 396 servers appeared to be located in the US. Other countries with a relatively high number of vulnerable Qlik Sense servers included Italy with 280, Brazil with 244, the Netherlands with 241, and Germany with 175.
Fox-IT is among a group of security organizations in the Netherlands — including the Dutch Institute for Vulnerability Disclosure (DIVD) — working collaboratively under the aegis of an effort called Project Melissa, to disrupt Cactus group operations.
Upon discovering the vulnerable servers, Fox-IT relayed its fingerprints and scan data to DIVD, which then began contacting administrators of the vulnerable Qlik Sense servers about their organization's exposure to potential Cactus ransomware attacks. In some instances, DIVD sent the notifications directly to potential victims; in others, it relayed the information via the relevant national computer emergency response teams (CERTs).
The ShadowServer Foundation is also reaching out to at-risk organizations. In a critical alert this week, the nonprofit threat intelligence service described the situation as one where a failure to remediate could leave organizations at a very high likelihood of compromise.
"If you receive an alert from us on a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network," ShadowServer said. "Compromised instances are determined remotely by checking for the presence of files with .ttf or .woff file extension."
Fox-IT said it had identified at least 122 Qlik Sense instances as likely compromised via the three vulnerabilities. Forty-nine of them were in the US; 13 in Spain; 11 in Italy; and the rest scattered across 17 other countries. When the indicator-of-compromise artifact is present on a remote Qlik Sense server, it can imply various scenarios, Fox-IT said. It could, for instance, suggest that the attackers executed code remotely on the server, or it could simply be an artifact from a previous security incident.
"It's crucial to understand that 'already compromised' can mean that either the ransomware has been deployed and the initial access artifacts left behind were not removed, or the system remains compromised and is potentially poised for a future ransomware attack," Fox-IT said.
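The ShadowServer and Fox-IT statements above describe the indicator loosely: unexpected .ttf or .woff files on a Qlik Sense server. The script below is an added example of a host-side triage check written for this page; it is not Fox-IT's, ShadowServer's, or Qlik's tooling. It assumes (hypothetically) that the operator knows which directory of the Qlik Sense install is web-served for fonts and can take SHA-256 hashes of the font files from a clean install as a baseline; both the directory and the baseline are inputs here, and the sample directory tree is constructed inline so the script runs offline. As the article stresses, a hit means "investigate", not "confirmed compromise".

```python
"""Triage .ttf/.woff files that do not match a clean-install baseline.

Added example for this page, not vendor or researcher tooling. The font
directory and the baseline hash set are assumptions supplied by the operator.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

IOC_EXTENSIONS = {".ttf", ".woff"}  # extensions named in the ShadowServer alert


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large font files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspect_fonts(root: Path, baseline_hashes: set[str]) -> list[dict]:
    """Return every .ttf/.woff file under root whose hash is not in the baseline.

    Files with other extensions are ignored; a known-good font that merely
    moved directories still matches by hash and is not reported.
    """
    suspects = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IOC_EXTENSIONS:
            continue
        digest = sha256_of(path)
        if digest in baseline_hashes:
            continue
        st = path.stat()
        suspects.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": digest,
            "size": st.st_size,
            # mtime helps correlate with the November 2023 onward campaign window
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        })
    return suspects


def build_demo_tree() -> tuple[Path, set[str]]:
    """Constructed sample data: one baseline font, two unexpected IOC-extension
    files, and one unrelated file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="qlik-fonts-"))
    legit = root / "legit.woff"
    legit.write_bytes(b"wOFF" + b"\x00" * 64)  # constructed, not a real font
    baseline = {sha256_of(legit)}
    (root / "sub").mkdir()
    (root / "sub" / "a.ttf").write_bytes(b"constructed: not a font")
    (root / "x.woff").write_bytes(b"constructed: also not a font")
    (root / "notes.txt").write_bytes(b"ignored: not an IOC extension")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for hit in find_suspect_fonts(demo_root, demo_baseline):
        print(f"{hit['mtime']}  {hit['size']:>8}  {hit['sha256'][:16]}  {hit['path']}")
```

On a real host, point the function at the assumed font directory and feed it hashes taken from a clean installation of the same Qlik Sense version; review each hit's mtime and content by hand, and treat any hit as a reason to look for the other initial-access artifacts rather than as proof on its own.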
