In recent months, a new ransomware strain known as “SuperBlack” has emerged, targeting vulnerabilities in Fortinet’s security appliances. This ransomware is linked to a threat actor identified as “Mora_001,” which exhibits operational patterns reminiscent of the notorious LockBit ransomware group.
Exploited Vulnerabilities
Mora_001 has been exploiting two critical vulnerabilities in Fortinet’s products:
- CVE-2024-55591: A remote authentication bypass vulnerability affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. This flaw allows unauthenticated attackers to gain super admin privileges on vulnerable devices.
- CVE-2025-24472: A related high-severity authentication bypass vulnerability in FortiOS and FortiProxy, addressed by Fortinet in January 2025.
Within days of a proof-of-concept exploit release on January 27, 2025, active exploitation of these vulnerabilities was observed.
Attack Methodology
After gaining initial access through the aforementioned vulnerabilities, Mora_001 employs several tactics:
- User Account Creation: The attackers create local system admin accounts with names resembling legitimate users, such as “forticloud-tech” and “fortigate-firewall,” to maintain persistent access.
- Reconnaissance: They utilize FortiGate dashboards to gather intelligence on the compromised environment, identifying potential paths for lateral movement.
- Lateral Movement: The group prioritizes high-value targets like file servers, authentication servers, domain controllers, and database servers to maximize the impact of their operations.
Links to LockBit
Several indicators suggest a connection between SuperBlack and the LockBit ransomware group:
- Ransomware Customization: SuperBlack is based on the leaked LockBit 3.0 builder, with modifications such as the removal of LockBit branding from ransom notes and the use of a custom data exfiltration tool.
- Communication Channels: The ransom note includes a TOX chat ID associated with LockBit operations, indicating possible affiliations or shared infrastructure.
Mitigation Recommendations
Organizations using Fortinet products should take the following steps to protect against SuperBlack ransomware:
- Patch Management: Apply the latest security updates to address CVE-2024-55591 and CVE-2025-24472 vulnerabilities.
- Access Controls: Disable external management access to firewalls and VPNs when possible, and regularly audit admin accounts to detect unauthorized users.
- Monitoring: Enable comprehensive logging and monitor for suspicious automation tasks or unusual account activities.
By implementing these measures, organizations can enhance their defenses against the evolving threat landscape posed by ransomware groups like Mora_001.
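The account-creation tradecraft described under Attack Methodology and the audit and monitoring recommendations above translate into a small detection routine. The following is an added example written for this article, not code from Fortinet or from the referenced research. It runs over constructed sample lines written in a FortiGate-like key=value syslog style; the field names (type, action, ui, cfgpath, cfgobj) are assumptions for illustration rather than a verified vendor schema, and the baseline of known admins and management networks is likewise invented. It flags three things: newly added admin accounts whose names borrow the vendor's product prefix or closely resemble an existing admin, configuration changes made from outside the expected management networks, and newly created automation tasks.

```python
"""Flag suspicious FortiGate-style admin events: look-alike admin accounts,
new automation tasks, and configuration changes from outside management nets."""
import re
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network

# Constructed sample lines in a FortiGate-like key=value syslog style; the field
# names are illustrative assumptions, not a verified vendor log schema.
SAMPLE_EVENTS = [
    'date=2025-02-03 time=09:12:44 type="event" subtype="system" action="Add" user="admin" ui="ssh(203.0.113.10)" cfgpath="system.admin" cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"',
    'date=2025-02-03 time=09:13:01 type="event" subtype="system" action="Add" user="admin" ui="ssh(203.0.113.10)" cfgpath="system.admin" cfgobj="fortigate-firewall" msg="Add system.admin fortigate-firewall"',
    'date=2025-02-03 time=09:15:30 type="event" subtype="system" action="Add" user="admin" ui="ssh(203.0.113.10)" cfgpath="system.automation-action" cfgobj="backup-cfg" msg="Add system.automation-action backup-cfg"',
    'date=2025-02-03 time=10:00:00 type="event" subtype="system" action="Edit" user="netops" ui="gui(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2025-02-03 time=10:05:00 type="event" subtype="system" action="Add" user="netops" ui="gui(10.0.0.5)" cfgpath="system.admin" cfgobj="jsmith-backup" msg="Add system.admin jsmith-backup"',
]

# Assumed baseline: admin accounts the organisation actually provisioned, and the
# networks from which management sessions are expected to originate.
KNOWN_ADMINS = {"admin", "netops", "jsmith"}
MGMT_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Legitimately provisioned admin names rarely borrow the vendor's product prefix.
VENDOR_TOKENS = ("forti",)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_event(line):
    """Parse one key=value line into a dict, honouring double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(ui):
    """Pull the client address out of a ui field such as ssh(203.0.113.10)."""
    m = IP_RE.search(ui)
    return ip_address(m.group(1)) if m else None


def lookalike_of(name, known_admins):
    """Return the known admin a new account name most resembles, or None."""
    lowered = name.lower()
    best, best_ratio = None, 0.0
    for known in known_admins:
        if known == lowered:
            continue
        ratio = SequenceMatcher(None, lowered, known).ratio()
        # Either the existing name is embedded in the new one, or they are close overall.
        if (known in lowered or ratio >= 0.75) and ratio > best_ratio:
            best, best_ratio = known, ratio
    return best


def analyze(lines, known_admins=KNOWN_ADMINS, mgmt_networks=MGMT_NETWORKS):
    """Return (rule, object, detail) findings for the suspicious patterns."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "event" or ev.get("action") not in ("Add", "Edit", "Delete"):
            continue
        cfgpath, obj = ev.get("cfgpath", ""), ev.get("cfgobj", "")
        src = source_ip(ev.get("ui", ""))
        # Any config change from outside the management networks is worth a look,
        # whatever it changed: external management access should be closed off.
        if src is not None and not any(src in net for net in mgmt_networks):
            findings.append(("external-admin-session", obj, str(src)))
        if cfgpath == "system.admin" and ev["action"] == "Add":
            lowered = obj.lower()
            if any(tok in lowered for tok in VENDOR_TOKENS):
                findings.append(("vendor-lookalike-admin", obj, "vendor prefix"))
            else:
                match = lookalike_of(obj, known_admins)
                if match:
                    findings.append(("admin-impersonation", obj, match))
                elif lowered not in known_admins:
                    findings.append(("unexpected-admin", obj, "not in baseline"))
        if cfgpath.startswith("system.automation") and ev["action"] == "Add":
            findings.append(("new-automation-task", obj, cfgpath))
    return findings


if __name__ == "__main__":
    for rule, obj, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} {obj:20} {detail}")
```

Against the sample, the two vendor-styled accounts and the automation task created from 203.0.113.10 each produce a finding on their own and a second one for the external source, while the policy edit from the management network is silent and the name "jsmith-backup" is reported as resembling the existing "jsmith" account. The baseline sets are the part to tune: the admin allowlist should come from the change-control record rather than from the device itself, since an attacker with super admin rights can add accounts to whatever the device reports.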