DESCRIPTION LAST UPDATED: 2024-04-28
DEFAULT SEVERITY LEVEL: CRITICAL
This one-time Special Report contains information about currently known vulnerable and/or compromised Qlik Sense appliances. This is shared by Fox-IT in collaboration with DIVD (thank you!). You can read more details behind the current incidents involving Cactus ransomware and the affected device identification methodology in the “Sifting through the spines: identifying (potential) Cactus ransomware victims” blog post by Fox-IT. Cactus ransomware being used against Qlik instances was first documented by Arctic Wolf on Nov 28th, 2023 in a blog post titled “Qlik Sense Exploited in Cactus Ransomware Campaign”.
Vulnerabilities exploited by Cactus ransomware may include:
– CVE-2023-41265
– CVE-2023-41266
– CVE-2023-48365
If you receive an alert from us on a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network.
Compromised instances are determined remotely by checking for the presence of files with a .ttf or .woff file extension.
Please note that, based on the above collaboration, Shadowserver has now also added CVE-2023-48365 scans to our CRITICAL: Vulnerable HTTP Report. You can track vulnerable instances on our Dashboard.
We will also regularly report compromised instances in our CRITICAL: Compromised Website Report starting 2024-04-26. You can track compromised instances on our Dashboard.
This special report has severity level CRITICAL set on all events. Severity levels are described here.
About Special Reports
Shadowserver Special Reports are unlike all of our other standard free daily network reports.
Instead, we send out Special Reports in situations where we share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high-value targets.
Note that the data shared across Special Reports may differ on a case-by-case basis, hence the report formats for different Special Reports may be different.
Filename: 2024-04-24-special