Between late January and early March 2025, cybersecurity researchers at Forescout’s Vedere Labs uncovered a series of sophisticated intrusions leveraging critical Fortinet vulnerabilities. Mora_001 has demonstrated a systematic approach to compromising networks, beginning with the exploitation of two critical Fortinet vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These flaws affect FortiOS versions prior to 7.0.16 and allow unauthenticated attackers to gain super_admin privileges on vulnerable devices with exposed management interfaces. The Mora_001 campaign underscores the increasing trend of exploiting perimeter security appliances for initial access, with attackers rapidly weaponizing disclosed vulnerabilities.

After gaining initial access, Mora_001 established persistence through several sophisticated mechanisms. The attackers consistently created local system administrator accounts with names designed to blend in with legitimate services, including “forticloud-tech,” “fortigate-firewall,” and “adnimistrator” (a deliberate misspelling of “administrator”). For example, the attackers configured daily scripted automation tasks that would automatically recreate administrator accounts if they were removed. In environments with High Availability (HA) configurations, Mora_001 forced synchronization to propagate the compromised configuration to additional firewalls within the same cluster, effectively spreading their backdoor accounts across multiple devices. In environments with VPN capabilities, the threat actor created additional VPN user accounts with names resembling legitimate accounts but with subtle modifications, such as adding a digit at the end (e.g., “xxx1”). These accounts were then added to VPN user groups, enabling future network access while evading casual administrative review.

The attackers accessed the Status, Security, Network, and Users & Devices dashboards to identify potential paths for lateral movement, and used SSH to access additional servers and network devices. Rather than indiscriminately encrypting entire networks, Mora_001 selectively targeted systems containing sensitive data, focusing first on data exfiltration before initiating encryption.

The ransomware deployed by Mora_001, designated “SuperBlack” by researchers, closely resembles LockBit 3.0 (also known as LockBit Black) but with specific modifications. The note retains LockBit’s HTML template structure but removes explicit branding elements, such as the header, that would typically identify it as LockBit ransomware. After encryption is complete, it overwrites the ransomware executable with random data using a 1MB buffer and a decryption key of 0x3105DFDE, effectively erasing evidence of the initial infection. The wiper employs sophisticated anti-forensic techniques, including dynamic resolution of Windows APIs to obstruct static analysis and the use of named pipes for command execution. This component has been observed in previous ransomware incidents tied to LockBit and BrainCipher, which in turn has connections to SenSayQ, EstateRansomware, and RebornRansomware.

Researchers identified additional samples on VirusTotal with similar ransom notes, connecting SuperBlack to import hashes previously associated with BlackMatter, LockBit, and BlackMatte ransomware. This evidence suggests Mora_001 is either a current or former LockBit affiliate leveraging their leaked builder or an independent threat actor repurposing LockBit’s infrastructure and tools. Mora_001’s operations have been linked to specific infrastructure, including IP address 185.147.124.34, which was observed performing brute force attempts against multiple edge devices. This IP address hosts a tool identified as “VPN Brute v1.0.2,” a Russian-language utility designed to brute force credentials for various VPN services and edge devices. Researchers identified 15 additional IP addresses running versions of VPN Brute, with newer variants offering enhanced functionality such as continued brute forcing after successful credential discovery, custom username and password combinations, and honeypot detection capabilities.
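The lookalike admin and digit-suffixed VPN accounts described above lend themselves to a simple configuration hunt. The following is an added example, not code from the Forescout report or from Fortinet; it assumes a FortiOS CLI export in the shape of `show system admin` / `show user local` output and a site-specific list of legitimate admin names, and the config fragment below is constructed.

```python
"""Hunt a FortiOS config export for lookalike admin and cloned VPN accounts."""
import re
from difflib import SequenceMatcher

# Constructed config fragment (not from the report) imitating FortiOS CLI output.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
    next
    edit "forticloud-tech"
    next
    edit "adnimistrator"
    next
end
config user local
    edit "jsmith"
    next
    edit "jsmith1"
    next
    edit "vpn-ops"
    next
end
"""

LEGIT_ADMIN_NAMES = {"admin", "administrator"}       # assumption: the site's known admins
VENDOR_WORDS = ("forti", "fortigate", "forticloud")  # service-like names seen in the campaign

def parse_accounts(config):
    """Map each top-level 'config <section>' block to its 'edit "<name>"' entries.
    Nested config blocks are not handled (assumption: flat export as above)."""
    accounts, section = {}, None
    for line in config.splitlines():
        line = line.strip()
        if (m := re.match(r'config (.+)', line)):
            section = m.group(1)
            accounts[section] = []
        elif section and (m := re.match(r'edit "([^"]+)"', line)):
            accounts[section].append(m.group(1))
    return accounts

def hunt(config):
    """Return (name, reason) pairs for accounts matching the persistence patterns."""
    accounts, findings = parse_accounts(config), []
    for name in accounts.get("system admin", []):
        low = name.lower()
        if low in LEGIT_ADMIN_NAMES:
            continue
        if any(w in low for w in VENDOR_WORDS):          # e.g. "forticloud-tech"
            findings.append((name, "vendor-lookalike admin"))
        elif any(SequenceMatcher(None, low, legit).ratio() >= 0.8 for legit in LEGIT_ADMIN_NAMES):
            findings.append((name, "typo-squatted admin"))   # e.g. "adnimistrator"
    vpn_users = accounts.get("user local", [])
    for name in vpn_users:
        base = re.sub(r'\d+$', '', name)                  # strip trailing digits, e.g. "xxx1"
        if base != name and base in vpn_users:
            findings.append((name, f"digit-suffixed clone of {base}"))
    return findings
```

Run `hunt()` over a full `show` export taken from each cluster member separately, since HA synchronization means a backdoor account removed on one unit can reappear from another.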
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Mar 2025 05:40:06 +0000