In 2023, a well-known ransomware group called Medusa surfaced. In contrast to the majority of ransomware operators, Medusa made a name for itself on the surface web in addition to its customary dark web operations.
In 2024, Medusa accelerated the pace of its attacks, adding new posts about active ransomware incidents and publicized leaks every few days. Its blog and Telegram channel featured regular updates showing both the rate at which it launched attacks and the victim-shaming tactics it employed. Medusa is an opportunistic threat group that does not confine its attacks to victims in a particular area of interest or geographic region. It is known to target sectors such as manufacturing, education, healthcare, finance and government. It posts information about its targets and ransom demands on a blog that it maintains. For stolen data, victims have the option to pay either for its removal or for an extended deadline.
Researchers discovered that the prominent Medusa ransomware group has been launching sophisticated ransomware attacks by exploiting a significant flaw in Fortinet's FortiClient EMS software. The SQL injection vulnerability, tracked as CVE-2023-48788, lets attackers run malicious code on vulnerable systems and establish a foothold from which to deploy ransomware.
Bitdefender said, “Medusa gains access to a target system through a known weakness such as the Fortinet EMS SQL injection vulnerability. CVE-2023-48788 impacts environments that have FortiClient EMS, versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10, installed to manage endpoints”. It also said that the group employs tools like bitsadmin to transfer malicious files and establish persistence on victim systems.
Remediation? Organizations that use an affected FortiClientEMS instance must upgrade as soon as possible. The following table lists the FortiClientEMS versions vulnerable to CVE-2023-48788 and the upgrades that fix it:

| Affected version | Solution |
|---|---|
| FortiClientEMS 7.2.0 – 7.2.2 | Upgrade to version 7.2.3 or higher |
| FortiClientEMS 7.0.1 – 7.0.10 | Upgrade to version 7.0.11 or higher |
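To turn the table above into a repeatable check across an inventory of EMS servers, here is an added example (not Fortinet's or Bitdefender's code) that parses a version string, compares it numerically against the affected ranges and reports the minimum fixed release. The affected ranges are taken from the table; the sample inventory strings at the bottom are constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and their fixes, from the remediation table above:
# (first affected, last affected, first fixed release)
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    ((7, 0, 1), (7, 0, 10), (7, 0, 11)),
]


def parse_version(text: str) -> Version:
    """Extract a version from strings such as 'FortiClientEMS 7.0.10',
    'v7.2.1' or plain '7.2' (treated as 7.2.0). Integer tuples are used so
    that 7.0.10 compares greater than 7.0.9; a plain string comparison would
    get that wrong and report a patched host as vulnerable (or vice versa)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Classify a version against CVE-2023-48788: 'vulnerable' (with the
    release to upgrade to), 'patched', or not in any listed affected range.
    The last case covers branches the table does not mention and should be
    confirmed against the vendor advisory rather than assumed safe."""
    v = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return {"version": fmt(v), "status": "vulnerable",
                    "upgrade_to": f"{fmt(fixed)} or higher"}
        if v[:2] == first[:2] and v >= fixed:
            return {"version": fmt(v), "status": "patched", "upgrade_to": None}
    return {"version": fmt(v), "status": "not in a listed affected range",
            "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. scraped from the EMS "About" page.
    for host, banner in [("ems-01", "FortiClientEMS 7.0.10"),
                         ("ems-02", "v7.2.3"), ("ems-03", "7.2")]:
        print(host, assess(banner))
```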
Apart from installing the latest updates, organizations using the affected versions should also analyse their event logs, monitor network traffic and keep an eye out for any suspicious activity, including unexpected use of tools such as bitsadmin, which the group uses to transfer files and maintain persistence.