The so-called Cactus ransomware group strikes worldwide. However, a Dutch-based collective has this criminal enterprise in sight. ‘Project Melissa,’ a coalition between Fox-IT, Northwave, Responders and several state agencies, among others, has mapped the indicators of compromise (IOCs) to prevent more suffering.
The three companies have shared the IOCs with one another, so that all of their client organizations can respond to a breach or an active cyber-attack as quickly as possible. The joint analysis was conducted together with security firm ESET’s Dutch arm. All ten Dutch victims were found to have been compromised by Cactus in the same way: in every case, a Qlik Sense server, a product intended for business intelligence and data visualization, had not been updated.
Fox-IT subsequently identified thousands of vulnerable servers and shared that information with the Dutch Institute for Vulnerability Disclosure (DIVD), and other Dutch authorities NCSC and the Digital Trust Center (DTC). In addition to victims at a national level, specialists and authorities in other countries were also informed through the DIVD.
Worldwide, 5,205 Qlik Sense servers are reachable from the Internet, of which 3,143 are vulnerable. Since the Cactus group attacked the same way every time in the Netherlands, these servers appear to be a favoured entry route for the group everywhere: a total of 122 Qlik servers have already been exploited, presumably by Cactus, the researchers report. Eliminating this threat requires updating these servers.
Negligent update policy
Negligent update policies, in many cases, lead to these kinds of cyber dangers. Unfortunately, this is still a regular occurrence, as was shown in Computest Security research which we covered earlier. That company is also involved in Project Melissa, as are their Dutch colleagues DataExpert, NFIR, Tesorion and Trellix. From the government side, the Public Prosecutor’s Office, the police and the National Cyber Security Center contribute to this collaboration. Deloitte and Kennedy van der Laan are also involved.
The Cactus software has been known since May 2023. This strain quickly distinguished itself by encrypting its own code, making it as difficult as possible to detect and combat. French multinational Schneider Electric suffered a major data breach at the hands of Cactus in February, but victims can be found all over the world.
Analysis
Both Fox-IT and Northwave explained in detail how they succeeded in charting Cactus’ path and finding its victims. The former retrieved a JSON file from detected servers to identify the version in use; the version is listed as a release label such as “February 2022 Patch 3,” as Fox-IT’s example shows. Using a scanner, the security company was thus able to identify thousands of vulnerable servers. These are most common in the United States, followed by Italy, Brazil and the Netherlands.
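The release label Fox-IT reads from that JSON file is only useful once it is compared against the patch level at which the vendor fixed the issue, and Qlik Sense ships fixes per release stream, so “February 2022 Patch 15” can be patched while “February 2022 Patch 3” is not. The following added example (not Fox-IT’s tooling or scanner) parses such labels from an internal asset inventory and triages each host; the hostnames, labels and the baseline patch numbers are constructed placeholders, and the real minimum patch levels must be taken from the vendor advisory for your deployment.

```python
"""Triage Qlik Sense release labels against a per-stream patch baseline.

Added example, not Fox-IT's code. Inventory and BASELINE values are
constructed placeholders; replace BASELINE with the vendor's fixed patch levels.
"""
import re
from collections import Counter

MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# Labels look like "February 2022 Patch 3"; a bare "May 2023" is patch 0.
_LABEL = re.compile(r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?\s*$", re.I)

# Minimum patch per release stream, keyed by (year, month). PLACEHOLDER values:
# the real numbers come from the vendor advisory, not from this example.
BASELINE = {
    (2022, 2): 15,   # "February 2022" stream (placeholder)
    (2022, 11): 12,  # "November 2022" stream (placeholder)
    (2023, 5): 6,    # "May 2023" stream (placeholder)
}


def parse_label(label: str) -> tuple:
    """Turn 'February 2022 Patch 3' into the orderable tuple (2022, 2, 3)."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    month = MONTHS.get(m.group(1).lower())
    if month is None:
        raise ValueError(f"unknown month in release label: {label!r}")
    return (int(m.group(2)), month, int(m.group(3) or 0))


def classify(label: str) -> str:
    """Compare one release label with the baseline for its own release stream."""
    year, month, patch = parse_label(label)
    stream = (year, month)
    if stream in BASELINE:
        return "patched" if patch >= BASELINE[stream] else "vulnerable"
    if stream < min(BASELINE):
        # Older than any stream that received a fix: treat as vulnerable.
        return "out_of_support"
    # A stream the baseline does not cover: needs a look at the advisory.
    return "unknown"


def triage(inventory: dict) -> tuple:
    """Classify every host; returns (per-host status, summary counts)."""
    statuses = {host: classify(label) for host, label in inventory.items()}
    return statuses, Counter(statuses.values())


# Constructed inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY = {
    "qlik-bi-01.example.internal": "February 2022 Patch 3",
    "qlik-bi-02.example.internal": "February 2022 Patch 15",
    "qlik-bi-03.example.internal": "May 2023",
    "qlik-bi-04.example.internal": "November 2021 Patch 17",
    "qlik-bi-05.example.internal": "August 2023 Patch 1",
}

if __name__ == "__main__":
    statuses, summary = triage(SAMPLE_INVENTORY)
    for host, status in sorted(statuses.items()):
        print(f"{host:32} {SAMPLE_INVENTORY[host]:28} {status}")
    print(dict(summary))
```

Treating an unlisted older stream as "out_of_support" rather than "unknown" is deliberate: a server still running a release older than any stream that received a fix will never receive one, so it belongs in the same remediation queue as the outright vulnerable hosts.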
Cactus’ modus operandi becomes clearer through Northwave’s analysis. That party highlights a case in which an organization’s Qlik Sense instance was exploited on Dec. 3, 2023. An hour later, a remote access tool, ManageEngine UEMS, was deployed. After more than a month of radio silence, the Cactus criminals returned on Jan. 17 for lateral movement through the IT network. The attackers then exfiltrated data while masking Remote Desktop Protocol (RDP) connections via the command-line connection tool PuTTY Link.
Six days later, the main course arrived: the Cactus ransomware. By that point, the group already had a “large amount of data” in its hands, Northwave concludes. The encryption itself, however, was not a serious problem, as this company’s customer had a backup ready to go. The revelations will hopefully prompt action from parties that don’t have one. Nevertheless, having data stolen is a security threat in its own right, which can only be prevented by spotting the aforementioned indicators of compromise early on.
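The timeline Northwave describes is instructive for defenders mainly because of the gaps in it: the remote access tool arrived an hour after the Qlik Sense exploitation, but the ransomware only fifty-one days later. The added example below (not Northwave’s analysis code) tags host events with the stages of that chain using simple indicator rules and computes the dwell time between stages, so a SOC can see how much of the window would have been available to contain the intrusion. The hostnames, event lines and matching rules are constructed to mirror the dates in the article.

```python
"""Reconstruct a Cactus-style intrusion chain from host events and measure dwell.

Added example, not Northwave's tooling. Events, hostnames and the indicator
rules in tag_stage are constructed to mirror the timeline in the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    detail: str  # one line from an EDR/SIEM export (constructed here)


# Stages in the order the analysis reports them.
STAGES = ["initial_access", "remote_access_tool", "lateral_movement",
          "exfiltration", "ransomware"]


def tag_stage(e: Event) -> Optional[str]:
    """Map one event to a stage with illustrative indicator rules."""
    d = e.detail.lower()
    if "qlik sense" in d and "spawned" in d:
        return "initial_access"        # a BI service has no business spawning shells
    if "manageengine uems" in d:
        return "remote_access_tool"    # the RAT named in the analysis
    if "rdp logon" in d:
        return "lateral_movement"
    if "plink" in d and "3389" in d:
        return "exfiltration"          # RDP wrapped in a PuTTY Link tunnel
    if "cactus" in d or "ransom" in d:
        return "ransomware"
    return None


def build_chain(events: Iterable[Event]) -> Dict[str, Event]:
    """Keep the earliest event observed for each stage."""
    chain: Dict[str, Event] = {}
    for e in sorted(events, key=lambda x: x.ts):
        stage = tag_stage(e)
        if stage is not None and stage not in chain:
            chain[stage] = e
    return chain


def dwell(chain: Dict[str, Event], a: str, b: str) -> Optional[timedelta]:
    """Time between the first event of stage a and the first event of stage b."""
    if a in chain and b in chain:
        return chain[b].ts - chain[a].ts
    return None


def assess(events: Iterable[Event]) -> dict:
    """Summarise the chain: stages seen, hosts touched, and the key dwell times."""
    chain = build_chain(events)
    to_rat = dwell(chain, "initial_access", "remote_access_tool")
    dormant = dwell(chain, "remote_access_tool", "lateral_movement")
    to_ransom = dwell(chain, "initial_access", "ransomware")
    return {
        "stages_seen": [s for s in STAGES if s in chain],
        "hosts": sorted({e.host for e in chain.values()}),
        "hours_to_remote_access": None if to_rat is None else to_rat.total_seconds() / 3600,
        "days_dormant": None if dormant is None else dormant.days,
        "days_to_ransomware": None if to_ransom is None else to_ransom.days,
    }


# Constructed events following the dates Northwave reports (Dec. 3 exploitation,
# RAT one hour later, return on Jan. 17, ransomware six days after that).
SAMPLE_EVENTS = [
    Event(datetime(2023, 12, 3, 10, 0), "qlik-bi-01", "Qlik Sense Engine Service spawned cmd.exe"),
    Event(datetime(2023, 12, 3, 11, 0), "qlik-bi-01", "ManageEngine UEMS agent installed"),
    Event(datetime(2024, 1, 17, 11, 0), "fs-02", "RDP logon from qlik-bi-01"),
    Event(datetime(2024, 1, 17, 15, 0), "fs-02", "plink.exe outbound tunnel carrying 3389"),
    Event(datetime(2024, 1, 23, 10, 0), "fs-02", "Cactus ransom note dropped in share root"),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS).items():
        print(f"{key:24} {value}")
```

The point of computing `days_dormant` separately is that a quiet period of six weeks is exactly where a correlation rule keyed only on short time windows loses the thread; linking the stages by first occurrence rather than by proximity keeps the Dec. 3 alert attached to the January activity.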