The notorious Medusa ransomware group has been manipulating an essential exposure in Fortinet’s FortiClient EMS software to establish refined ransomware attacks. The SQL injection flaw tracked as CVE-2023-48788, permits assaulters to execute malicious code on vulnerable systems and gain a foothold for deploying ransomware.
“Medusa accumulates access to a target system via a known defect such as the Fortinet EMS SQL injection vulnerability. CVE-2023-48788 impacts circumstances that have FortiClient EMS, versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10, established to manage endpoints,” Bitdefender said. Medusa understood for targeting a wide spectrum of sectors, including healthcare, manufacturing, and education, has been fast to capitalize on the Fortinet vulnerability.
By transmitting hostile web requests including SQL statements, the group exploits the FCTUID parameter in request headers, allowing them to manage arbitrary commands via the xp_cmdshell function in Microsoft SQL Server. Once initial access is gained, Medusa creates a webshell on the compromised server to enable data exfiltration and payload delivery. Bitdefender said the group uses tools like bitsadmin to transmit negative files and establish persistence on victim systems.
Medusa’s attack chain showcases the group’s advanced capabilities, especially in the places of performance and security evasion. After achieving a foothold, Medusa leverages PowerShell scripts to run management, exfiltrate data, and execute its ransomware payload. The company’s malware, known as gaze.exe, destroys different benefits and loads files referencing Tor connections for data exfiltration. To avoid detection, Medusa establishes compromised versions of legitimate remote monitoring and management (RMM) devices like ConnectWise and AnyDesk. These tampered RMM tools often go overlooked due to their trusted status within the victim’s environment.
Associations can embrace a multi-layered system to protect against Medusa’s ransomware attacks. Executing robust patch control practices is important to promptly address exposures like the Fortinet fault. Network segmentation, regular backups, and employee security awareness training are also critical elements of a complete security technique. As Medusa persists to develop and refine its strategies, it is critical for companies to stay alert and aggressive in their cybersecurity measures.