A new Ransomware operator named ‘Mora_001’ is actively Exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom Ransomware strain known as SuperBlack.
To be specific, the two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.
Fortinet first disclosed CVE-2024-55591 on January 14 and confirmed that attackers had already exploited it as a zero-day. Moreover, Arctic Wolf reported that attackers had been using this flaw since November 2024 to breach FortiGate firewalls.
Interestingly, on February 11, Fortinet unexpectedly added CVE-2025-24472 to their January advisory, which confused many and led them to believe attackers had newly exploited the flaw. However, Fortinet assured BleepingComputer that they had fixed this bug in January 2024 and, at that point, attackers had not exploited it.
“We are not aware of CVE-2025-24472 ever being exploited,” Fortinet informed BleepingComputer at the time.
Nevertheless, a new report by Forescout researchers revealed they discovered the SuperBlack attacks in late January 2025, with the threat actor exploiting CVE-2025-24472 as early as February 2, 2025.
“While Forescout itself did not directly report the 24472 exploitation to Fortinet, one of the affected organizations we worked with was sharing findings from our investigation with Fortinet’s PSIRT team,” Forescout told BleepingComputer.
Shortly after, Fortinet updated their advisory on February 11 to acknowledge CVE-2025-24472 as actively Exploited.
BleepingComputer reached out to Fortinet for further Clarification on this matter, but we are still Awaiting a response.
SuperBlack Ransomware attacks
Forescout reports that the Mora_001 Ransomware operator follows a highly structured attack chain that remains consistent across victims.
First, the attacker exploits two Fortinet flaws to gain ‘super_admin’ privileges. They achieve this by performing WebSocket-based attacks through the jsconsole interface or by sending direct HTTPS requests to exposed Firewall interfaces.
Next, the attacker creates new administrator accounts named forticloud-tech, fortigate-firewall, and Adnimistrator. They modify automation tasks to automatically Recreate these accounts if someone removes them, ensuring persistence.
Mora_001’s attack chain overview
Source: Forescout
Following that, the attacker maps the network and attempts lateral movement by utilizing stolen VPN Credentials, newly added VPN accounts, Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication.
Once they have established control, Mora_001 steals data using a custom tool before proceeding to encrypt files. They prioritize targeting file and database servers as well as domain controllers to enhance the effectiveness of their double extortion strategy.
After completing the encryption process, the attacker drops ransom notes on the victim’s system. To complicate forensic analysis, they then deploy a custom-built wiper named ‘WipeBlack’ to erase all traces of the Ransomware executable.
SuperBlack ransom note
Source: Forescout
SuperBlack’s link to LockBit
Forescout has Uncovered extensive evidence suggesting strong connections between the SuperBlack Ransomware operation and LockBit Ransomware, although SuperBlack appears to operate Independently.
The first indication of this link is that the SuperBlack Encryptor on VirusTotal is built using LockBit’s 3.0 leaked builder. It maintains the same payload structure and Encryption methods as LockBit but has all original Branding Stripped away.
Relationship diagram based on the available evidence
Source: Forescout
Additionally, SuperBlack’s ransom note contains a TOX chat ID associated with LockBit operations. This detail implies that Mora_001 could be either a former LockBit Affiliate or an ex-member of its core team responsible for managing ransom payments and negotiations.
Furthermore, the connection is reinforced by extensive IP address overlaps with previous LockBit operations. Moreover, the custom-built wiper WipeBlack has also been used by BrainCipher Ransomware, EstateRansomware, and SenSayQ Ransomware — all of which are linked to LockBit.
Finally, Forescout has provided a comprehensive list of indicators of compromise (IoC) tied to SuperBlack Ransomware attacks at the end of its report.
Source: BleepingComputer, Bill Toulas
