Lessons learned from a chilling encounter with a spider

Written by James Wood

In today’s ever-evolving threat landscape, attackers continue to exploit unpatched vulnerabilities to gain unauthorised access to critical systems. Ekco’s SOC recently detected and responded to a sophisticated intrusion targeting a client. The incident involved a suspected affiliate of the Medusa ransomware group, also known as FROZEN SPIDER, and highlights the importance of proactive defence measures. This blog details the attack’s lifecycle, technical methods used, and actionable recommendations to defend against similar threats.

The Vulnerability: CVE-2023-48788

The incident began with the exploitation of a SQL injection vulnerability (CVE-2023-48788) in FortiClient Enterprise Management Server (EMS). This critical flaw allows attackers to execute arbitrary commands on the underlying operating system. Organisations running unpatched versions of FortiClient EMS are at heightened risk.

Key Details:

• Exploited Feature: xp_cmdshell to enable SYSTEM-level command execution

By leveraging this vulnerability, the adversary gained a foothold and quickly escalated their attack.

 

Attack Progression: A Step-by-Step Breakdown

1. Initial Access & Remote Monitoring Tools

Using the SQL injection exploit, the attacker enabled command execution and launched a PowerShell download cradle to retrieve a malicious script (a.ps1) from a controlled endpoint:

• Malicious URL: hxxps://webhook[.]site/748f3f17-ea01-4be7-b360-e5e6933ec322

The script downloaded and executed WinRTM.exe, a silent installer for SimpleHelp Jwapper, a remote monitoring and management (RMM) tool. RMM tools like SimpleHelp are often abused by adversaries to maintain persistent access without raising alarms.

 

2. Account Creation for Persistence

The adversary leveraged the existing RMM session to:

• Create a local administrator account:
  • Username: adm
  • Password: Password123456
• Add the account to the Local Administrators group via net.exe commands.

This provided the attacker another layer of persistent, privileged access to the system.

 

3. Reconnaissance and Credential Dumping

During the interactive session, the attacker deployed several tools:

• Credential Dumping Tools: PPLmedic.exe, PPLdump.exe, and ServiceFault.exe
• EDR Killer Tool: Terminator (using ServiceTerms.exe and ServiceTerms.sys), which attempts to disable endpoint detection and response (EDR) tools via a Bring Your Own Vulnerable Driver (BYOVD) attack.

The attacker made multiple unsuccessful attempts to dump LSASS process memory to extract credentials, likely aiming to facilitate lateral movement across the environment.

 

Response Actions: Stopping the Adversary in Their Tracks

Ekco SOC detected the malicious activity, took decisive action, and successfully expelled the adversary from the environment. The response included:

• Isolation of the affected server to contain the threat.
• Disabling the unauthorised ‘adm’ account to revoke persistent access.
• Cutting off the attacker’s RMM session, thereby disrupting their ability to carry out further activity.

These actions halted the intrusion and prevented the adversary from escalating their attack or achieving their objectives.

Threat Actor Attribution

Based on the tactics, techniques, and procedures (TTPs) observed, Ekco’s SOC assesses with moderate confidence that the activity was conducted by a suspected affiliate of the Medusa ransomware group (FROZEN SPIDER). This conclusion is supported by:

• Exploitation of CVE-2023-48788 for initial access
• Use of a.ps1 PowerShell scripts hosted on malicious URLs
• Deployment of SimpleHelp RMM tools for persistence
• Creation of privileged local accounts for sustained access
• Attempts to dump LSASS process memory for credential harvesting
• Utilisation of Terminator EDR killer for defence evasion

Medusa ransomware operators and their affiliates are known to employ these methods as part of their campaigns, targeting organisations across multiple industries.

 

Key Lessons and Recommendations

To protect against similar threats, organisations must take proactive steps:

• Patch Management: Apply security updates for FortiClient EMS immediately to address CVE-2023-48788.
• Monitor RMM Tools: Regularly audit and monitor for unauthorised use of RMM tools like SimpleHelp.
• Credential Protection: Implement LSASS memory protections to prevent credential dumping attempts.
• PowerShell Logging and Monitoring: Enable PowerShell script block logging and monitor for suspicious activity.
• Privileged Account Audits: Regularly review and validate user account creations and changes to administrative group memberships.
• Endpoint Security Hardening: Deploy controls to detect and block BYOVD attacks and other attempts to tamper with EDR tools.
• Network Segmentation: Isolate critical servers and implement network segmentation to limit lateral movement.
• Threat Detection and Response: Employ behaviour-based detection tools to identify anomalies such as unusual PowerShell commands, RMM installations, and account creation activities.

 

Conclusion

This incident highlights how unpatched vulnerabilities, like CVE-2023-48788, can provide adversaries with an entry point to launch sophisticated attacks. By leveraging remote access tools, creating privileged accounts, and deploying tools to bypass security controls, attackers can rapidly escalate their activity.

Ekco SOC’s rapid response stopped the adversary in their tracks, isolating the affected server and removing the threat actor’s access before they could achieve their objectives. This case underscores the importance of patching, proactive monitoring, and a swift, coordinated response to contain and mitigate emerging threats.

If you would like to learn more about our SOC and cyber security services get in touch.