Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

November 2023

CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365: Multiple Vulnerabilities in Qlik Sense Enterprise Actively Exploited

Arctic Wolf has recently worked multiple incident response cases where we have observed ransomware groups exploiting CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365 to gain initial access. On August 29, 2023, Qlik published a support article detailing two vulnerabilities which when successfully exploited in tandem could lead to an unauthenticated threat actor achieving remote code execution (RCE). CVE-2023-41266.

Qlik Sense Exploited in Cactus Ransomware Campaign

Arctic Wolf Labs has observed a new Cactus ransomware campaign which exploits publicly-exposed installations of Qlik Sense, a cloud analytics and business intelligence platform.[1] Based on available evidence, we assess that all vulnerabilities exploited were previously identified by researchers from Praetorian [2,3]. For more information on these vulnerabilities, see the advisories published by Qlik (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) as well as our Security Bulletin.

CVE-2023-43177: Critical Unauthenticated RCE Vulnerability in CrushFTP

On August 10, 2023, CrushFTP released an advisory regarding a vulnerability affecting versions of CrushFTP lower than 10.5.1. Since then, the vulnerability has been tracked as CVE-2023-43177 and the security researchers at Converge published a blog sharing their findings on November 16. CVE-2023-43177 is a mass assignment vulnerability related to how CrushFTP parses request headers for the AS2 protocol. Successful exploitation could lead to unauthenticated, remote code execution (RCE).

North Korea-Linked Threat Actor, Diamond Sleet, Distributes Modified CyberLink Installer in Supply Chain Compromise

Beginning on at least October 20, 2023, a North Korea-linked threat actor, tracked as Diamond Sleet by Microsoft, leveraged a modified CyberLink installer to compromise victim assets. CyberLink Corp. is a Taiwan-based multimedia software company that develops media editing and recording software.

Business Email Compromise Attacks (BEC) Keep Growing - Here's How to Increase Your BEC Cybersecurity

This spring, Australian authorities were able to arrest a cybercrime syndicate that had conducted BEC attacks on at least 15 individuals and organizations with stolen profits totaling $1.7 million (USD). If those numbers seem shocking, they’re part of a growing upward trend of BEC attacks that shows no sign of slowing down.

7 Ways to Strike Balance Between Technical Debt and Security Posture in The World of Open Source

Software development at the speed of business is a constant balance of tradeoffs, and managing the risk of open-source software is one of the most emerging prominent examples. This is driven home by high-profile supply chain attacks such as the ones on SolarWinds, Log4J, and MoveIt. Each of these examples represents a different type of abuse, including.

The Howler - Episode 3 - Dan Schiappa, Chief Product Officer

In this episode, our hosts sit down with Dan Schiappa, Chief Product Officer at Arctic Wolf. Dan is responsible for driving innovation across product, engineering, alliances, and business development teams to help meet demand for security operations through Arctic Wolf’s growing customer base—especially in the enterprise sector.

The Howler - Episode 1 - Brian NeSmith, Co-Founder and Executive Chairman of Arctic Wolf

In the first Howler podcast episode, our hosts sit down with Brian NeSmith, Co-Founder and Executive Chairman of Arctic Wolf. Brian NeSmith is an internationally recognized business leader, bringing more than 30 years of cybersecurity leadership, including extensive experience driving revenue growth and scaling organizations globally. Before founding Arctic Wolf, he served as CEO of Blue Coat Systems, and prior to Blue Coat, CEO of Ipsilon Networks (acquired by Nokia), which became the leading appliance platform for Check Point firewalls.

The Howler - Episode 2 - Adam Marrè - Chief Information Security Officer

In this episode, our hosts sit down with Adam Marrè, Chief Information Security Officer at Arctic Wolf. Prior to joining Arctic Wolf, Adam was the Global Head of Information Security Operations and Physical Security at Qualtrics. With deep roots in the cybersecurity space, Adam spent almost 12 years with the FBI, holding positions like SWAT Senior Team Leader and Special Agent. In this episode, Adam gives us a peak into the life of a CISO, what keeps him up at night, how he manages stress, and what he believes is foundational to leadership.

CVE-2023-23368 & CVE-2023-23369: Critical Command Injection Vulnerabilities in QNAP Products

On November 4, 2023, QNAP published security advisories for two critical command injection vulnerabilities impacting multiple versions of QNAP operating systems and applications related to the vendor’s network-attached storage (NAS) devices. Both vulnerabilities have been given critical CVSS scores (CVE-2023-23368: 9.8, CVE-2023-23369: 9.0) and both can lead to unauthenticated, remote threat actors executing commands if successfully exploited.

CVE-2023-47246: 0-day Remote Code Execution Vulnerability Actively Exploited in SysAid On-Premises

On November 2, 2023, SysAid was notified by Microsoft of a zero-day path traversal vulnerability allowing for remote code execution, which affects their on-premises ITSM solution. In the investigation conducted by SysAid, it was determined that the vulnerability was being actively exploited by a ransomware affiliate group known as Lace Tempest (DEV-0950), a group known for deploying the CL0P ransomware payload.

CVE-2023-38547 & CVE-2023-38548: Two Critical Vulnerabilities in Veeam ONE

On November 6, 2023, Veeam published security hotfixes for two critical-severity vulnerabilities impacting Veeam ONE. At this time, Arctic Wolf has not identified active exploitation of either vulnerability, nor a published proof of concept (PoC) exploit. Although threat actors have not historically targeted Veeam ONE products, obtaining RCE on the monitoring and analytics platform will likely increase the potential for threat actors to create a working PoC exploit and attempt exploitation.

How to Improve Your Cloud Security with AWS

The cloud offers major benefits to organizations, helping increase business agility, better serve their customers’ needs, and cut their costs. This is why the typical modern business now uses public, infrastructure-as-a-service (IaaS) cloud platforms for its major business and organizational functions. However, the cloud also introduces new risks that can increase your costs should you fall victim to a breach.

CVE-2023-46604: Critical RCE Vulnerability in Apache ActiveMQ

On October 27, 2023, Apache published a security advisory addressing that a critical remote code execution (RCE) vulnerability has been fixed in the latest updates for Apache ActiveMQ products, CVE-2023-46604. This vulnerability was rated with a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, as it can be exploited remotely by an unauthenticated threat actor in low complexity attacks.

Exploitation of CVE-2023-46604 in Apache ActiveMQ Leads to TellYouThePass Ransomware

This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community, and we may provide updates in the near future once more details become available in our research.