A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. When Fortinet first disclosed CVE-2024-55591 on January 14, they confirmed it had been exploited as a zero-day, with Arctic Wolf stating it had been used in attacks since November 2024 to breach FortiGate firewalls. However, a new report by Forescout researchers, says they discovered the SuperBlack attacks in late January 2025, with the threat actor utilizing CVE-2025-24472 as early as February 2, 2025. Forescout has shared an extensive list of indicators of compromise (IoC) linked to SuperBlack ransomware attacks at the bottom of its report. First, the attacker gains 'super_admin' privileges by exploiting the two Fortinet flaws using WebSocket-based attacks via the jsconsole interface or sending direct HTTPS requests to exposed firewall interfaces. "While Forescout itself did not directly report the 24472 exploitation to Fortinet, as one of the affected organizations we worked with was sharing findings from our investigation with Fortinet's PSIRT team," Forescout told BleepingComputer. Forescout has found extensive evidence indicating strong links between the SuperBlack ransomware operation and LockBit ransomware, although the former appears to act independently. Secondly, SuperBlack's ransom note includes a TOX chat ID linked to LockBit operations, suggesting that Mora_001 is either a former LockBit affiliate or a former member of its core team managing ransom payments and negotiations. The first element is that the SuperBlack encryptor [VirusTotal] is based on LockBit's 3.0 leaked builder, featuring identical payload structure and encryption methods, but will all original branding striped. The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively. Confusingly, on February 11, Fortinet added CVE-2025-2447 to their January advisory, which led many to believe it was a newly exploited flaw. Forescout says the Mora_001 ransomware operator follows a highly structured attack chain that doesn't vary much across victims. However, Fortinet told BleepingComputer that this bug was also fixed in January 2024 and was not exploited. "We are not aware of CVE-2025-24472 ever being exploited," Fortinet told BleepingComputer at the time. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Also, WipeBlack has also been leveraged by BrainCipher ransomware, EstateRansomware, and SenSayQ ransomware, all tied to LockBit.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 13 Mar 2025 20:00:16 +0000