FortiGuard Labs is aware of a report that a new Medusa malware variant that is targeting Linux-based devices. The Medusa malware is reportedly based on the infamous Mirai malware and is not only capable of launching Distributed Denial of Service (DDoS) attacks and exfiltrating information from compromised devices, but also encrypting files and deleting all files in the system drives.Why is this Significant?This is significant because Medusa botnet supports ransomware functionality and is capable of encrypting files on compromised Linux devices. It also deletes files on the hard disk 24 hours after file encryption is finished, which bricks the affected devices.What is Medusa Malware?Medusa is a Mirai variant that connects to Command-and-Control (C2) servers, and perform various activities upon receiving commands from C2s. Capabilities include – launching DDoS attacks and exfiltrating information from compromised devices. It can also encrypt files on compromised devices and delete all files in the system drives 24 hours after file encryption is completed, which would make the affected devices unusable.While infection chain of Medusa botnet has not been identified, exploiting vulnerabilities is the likely infection vector since Medusa ransomware is reportedly based on the infamous Mirai malware. Bruteforcing is another potential attack vector as Linux devices often have weak username passwords combination by default and users tend not to change default passwords.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for this attack:Linux/Redis.TSU!trPython/Stealer.DEDC!tr.ransomBAT/Agent.P!tr.dldrFortiGuard Labs has the following IPS signature in place to block download of Medusa malware:Embedded.Linux.Malicious.Script
More Stories
USN-6766-2: Linux kernel vulnerabilities
It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations...
git-2.45.1-1.fc39
FEDORA-2024-4c06645f07 Packages in this update: git-2.45.1-1.fc39 Update description: update to 2.45.1 Read More
git-2.45.1-1.fc40
FEDORA-2024-ecba8476e2 Packages in this update: git-2.45.1-1.fc40 Update description: update to 2.45.1 Read More
ZDI-24-456: NI FlexLogger FLXPROJ File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI FlexLogger. User interaction is required to...
ZDI-24-455: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. Although authentication is...
ZDI-24-454: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of SolarWinds Access Rights Manager. Authentication is not required...