
Security researchers have observed hackers linked to the infamous LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on a number of company networks.
In a report published last week, security researchers at Forescout Research said a group it is tracking, dubbed “Mora_001,” is exploiting the Fortinet firewalls, which sit on the edge of a company’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three incidents in different companies, but we believe there could be others.”
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was last year disrupted by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
“This connection may indicate that Mora_001 is either a current affiliate with unique operational methods or an affiliate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed.”
Hostetler says the ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.