TLDR:
- Medusa ransomware group exploits critical Fortinet vulnerability to launch sophisticated attacks
- Group uses SQL injection flaw to gain access to vulnerable systems and deploy ransomware
The notorious Medusa ransomware group has been exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks. The SQL injection flaw, tracked as CVE-2023-48788, allows attackers to execute malicious code on vulnerable systems and gain a foothold for deploying ransomware. Medusa targets various sectors such as healthcare, manufacturing, and education and has been quick to capitalize on the Fortinet vulnerability. By sending malicious web requests containing SQL statements, the group manipulates the FCTUID parameter in request headers to execute arbitrary commands via the xp_cmdshell function in Microsoft SQL Server.
After gaining initial access, Medusa creates a webshell on compromised servers for data exfiltration and payload delivery. The group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems. Medusa’s advanced capabilities in execution and defense evasion are demonstrated through the use of PowerShell scripts to run commands and execute ransomware payloads. The group’s malware, gaze.exe, kills services and loads files referencing Tor links for data exfiltration. Medusa also installs compromised versions of legitimate remote monitoring and management (RMM) tools like ConnectWise and AnyDesk to evade detection.
Organizations can defend against Medusa’s attacks by implementing a multi-layered approach, including robust patch management practices, network segmentation, regular backups, and employee security awareness training. As Medusa continues evolving and refining its techniques, it is crucial for businesses to remain vigilant and proactive in their cybersecurity efforts.