From d12214218e06d94a9137317a88c2bcad49d80a5a Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Thu, 16 May 2024 15:28:00 +0200 Subject: [PATCH 1/4] Adding QlikSense and UEMS target files Seen in recent Cactus Ransomware attacks --- Targets/Apps/QlikSense.tkape | 46 ++++++++++++++++++++++++++++++++++++ Targets/Apps/UEMS.tkape | 29 +++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 Targets/Apps/QlikSense.tkape create mode 100644 Targets/Apps/UEMS.tkape diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape new file mode 100644 index 000000000..62ff5de96 --- /dev/null +++ b/Targets/Apps/QlikSense.tkape 
@@ -0,0 +1,46 @@ +Description: Qlik Sense +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6e979be3-4913-4d16-a508-cc3284194c2b +RecreateDirectories: true +Targets: + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.txt' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.log' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.txt' + Comment: "Collects the scheduler logs for Qlik Sense" + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.log' + Comment: "Collects the scheduler logs for Qlik Sense" + +# Documentation +# Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. +# We have seen three vulnerabilites (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed qlik solution in recent Cactus Ransomware Campain : +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ +# You can find details on the full exploit here : +# https://www.praetorian.com/blog/qlik-sense-technical-exploit/ +# https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape new file mode 100644 index 000000000..e4a568efc --- /dev/null +++ b/Targets/Apps/UEMS.tkape 
@@ -0,0 +1,29 @@ +Description: UEMS Manage Engine Agent +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 3ff43bb0-ac44-4374-ac4e-dbe104d81b60 +RecreateDirectories: true +Targets: + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects all logs for UEMS" + + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects Users logs for UEMS" + +# Documentation +# https://www.manageengine.com/unified-endpoint-management-security.html +# UEMS Manage Engine Agent is a remote acces tool part of the ManageEngine suite. +# We have observed this tool being deployed in recent Cactus ransomware Campaign : +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ From 6b2a77772b93af2f997a5f9598c2fe1e65f37411 Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Thu, 16 May 2024 15:29:14 +0200 Subject: [PATCH 2/4] Update RemoteAdmin.tkape --- Targets/Compound/RemoteAdmin.tkape | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index c8939bfc0..1a71fbfbe 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -89,6 +89,10 @@ Targets: Name: TeamViewer Category: ApplicationLogs Path: TeamViewerLogs.tkape + - + Name: UEMS + Category: ApplicationLogs + Path: UEMS.tkape - Name: UltraViewer Category: ApplicationLogs 
From 677385f667a4cb74c5f3b294f7728c6afd1917c0 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 16 May 2024 10:28:56 -0400 Subject: [PATCH 3/4] Update QlikSense.tkape fix spelling, remove trailing spaces --- Targets/Apps/QlikSense.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape index 62ff5de96..b233eb1be 100644 --- a/Targets/Apps/QlikSense.tkape +++ b/Targets/Apps/QlikSense.tkape @@ -37,10 +37,10 @@ Targets: # Documentation # Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. -# We have seen three vulnerabilites (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed qlik solution in recent Cactus Ransomware Campain : +# We have seen three vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed Qlik solution in a recent Cactus Ransomware Campaign: # https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ # https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ # https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ -# You can find details on the full exploit here : +# You can find details on the full exploit here: # https://www.praetorian.com/blog/qlik-sense-technical-exploit/ # https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ From d7cb1913e6cfc82c364300909f3d1e150ba5c2f8 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 16 May 2024 10:31:05 -0400 Subject: [PATCH 4/4] Update UEMS.tkape remove trailing spaces --- Targets/Apps/UEMS.tkape | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape index e4a568efc..1b80c2b8c 100644 
--- a/Targets/Apps/UEMS.tkape +++ b/Targets/Apps/UEMS.tkape @@ -18,12 +18,12 @@ Targets: Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs Recursive: true FileMask: '*.log' - Comment: "Collects Users logs for UEMS" + Comment: "Collects User logs for UEMS" # Documentation # https://www.manageengine.com/unified-endpoint-management-security.html -# UEMS Manage Engine Agent is a remote acces tool part of the ManageEngine suite. -# We have observed this tool being deployed in recent Cactus ransomware Campaign : +# UEMS Manage Engine Agent is a remote access tool in the ManageEngine suite. +# We have observed this tool being deployed in a recent Cactus ransomware Campaign: # https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ # https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ # https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/
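Review bot: In the new QlikSense.tkape hunk (patch 1/4), all four targets carry the identical `Name: Qlik Sense Logs` even though they cover two different directories (Proxy and Scheduler) and two different masks; give each target a distinct name such as `Name: Qlik Sense Proxy Logs` / `Name: Qlik Sense Scheduler Logs` so the collection output and KAPE's console log show which path and mask produced a hit. The same hunk is also inconsistent in spacing (a blank line separates the first three targets but not the fourth), and `Category: Software` differs from the `Category: ApplicationLogs` used for the per-application entries in the RemoteAdmin.tkape hunk later in this series; aligning on ApplicationLogs keeps these log-collection targets grouped with the existing ones.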
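Review bot: In the new UEMS.tkape hunk (patch 1/4), `Category: RMM Tool` contains a space, unlike every other category value visible in this series (`Software`, `ApplicationLogs`), and both targets share the long `Name: Unified endpoint management and security solutions from ManageEngine`; a short, distinct name per target (for example `Name: ManageEngine UEMS Agent Logs` and `Name: ManageEngine UEMS Agent Logs (VirtualStore)`) makes the two paths distinguishable in the output. The second target's `Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs` depends on the `%user%` variable being expanded by KAPE; worth stating in the `Comment` that it only fires when the agent wrote to the per-user VirtualStore redirect, since otherwise the first target already covers the install-directory logs.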
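Review bot: The RemoteAdmin.tkape hunk (patch 2/4) places the new `UEMS` entry between TeamViewer and UltraViewer, which preserves the alphabetical order of the compound list, but its `Category: ApplicationLogs` does not match the `Category: RMM Tool` declared inside UEMS.tkape itself; pick one value and use it in both files so the compound entry and the target it references agree. Consider also whether the new QlikSense.tkape from patch 1/4 should be referenced from a compound target, as it is otherwise only reachable by name.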
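Review bot: The QlikSense.tkape documentation fix (patch 3/4) corrects "vulnerabilites" and "Campain" but leaves "exploited on exposed Qlik solution", which still reads awkwardly; "exploited on exposed Qlik Sense instances" would match the product name used in the `Description` line. The commit subject says "remove trailing spaces", yet the hunk shows only the two comment lines changing, so if other lines in the file carried trailing whitespace they are not covered here.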
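Review bot: In the UEMS.tkape fix (patch 4/4), the changed `Comment: "Collects User logs for UEMS"` is still hard to tell apart from the first target's `Comment: "Collects all logs for UEMS"`, and "all logs" is not accurate since that target only covers the install-directory `logs` folder; suggest `Comment: "Collects UEMS agent logs from the install directory"` and `Comment: "Collects UEMS agent logs redirected to the per-user VirtualStore"`. The corrected wording "remote access tool in the ManageEngine suite" is fine; "Campaign" could also be lowercased for consistency with "ransomware" on the same line.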