Fortinet Vulnerabilities Exploited in SuperBlack Ransomware Attacks: The Rise of Mora_001

Listen to this Post

In the first quarter of 2025, cybersecurity researchers at Forescout Research – Vedere Labs uncovered a series of ransomware attacks targeting Fortinet vulnerabilities. These attacks, attributed to a threat actor named “Mora_001,” are notable not only for their rapid execution but also for their ties to the notorious LockBit ecosystem. Using advanced tactics, Mora_001 is leveraging Fortinet’s FortiOS and FortiProxy vulnerabilities to deploy a variant of LockBit ransomware known as SuperBlack. This article delves into the details of these attacks, the vulnerabilities exploited, and the unique characteristics of Mora_001’s operations.

the SuperBlack Ransomware Attacks

Between January and March 2025, researchers detected a sophisticated campaign in which the threat actor Mora_001 exploited two major vulnerabilities in Fortinet appliances, namely CVE-2024-55591 and CVE-2025-24472. These vulnerabilities in FortiOS and FortiProxy allow unauthenticated attackers to gain super-admin privileges on exposed management interfaces, giving them full control over vulnerable devices.

The attacks began shortly after a proof-of-concept exploit for FortiOS was publicly released on January 27, 2025. Within just four days, Mora_001 had weaponized these vulnerabilities, creating local admin accounts to facilitate future access. The actor quickly escalated the attack by deploying a modified version of LockBit ransomware, now tracked as SuperBlack, after exfiltrating valuable data from targeted organizations.

Despite using the leaked LockBit builder, Mora_001 removed all LockBit branding from the ransomware, indicating an independent operation. Researchers noted that Mora_001 exhibited several distinguishing characteristics, such as using identical usernames across multiple victims, overlapping IP addresses, and deploying ransomware rapidly, often within 48 hours of gaining access.

Additionally, the ransomware was accompanied by a wiper tool, “WipeBlack,” designed to erase traces of the malware after encryption. WipeBlack shares similarities with tools used in previous LockBit-linked operations and is thought to be a part of a broader ecosystem of ransomware tools.

What Undercode Says:

The emergence of Mora_001 represents an evolving trend in the ransomware landscape. Historically, ransomware groups like LockBit have dominated the threat actor ecosystem, often relying on “ransomware-as-a-service” models to expand their reach. However, the rise of more independent actors, like Mora_001, demonstrates a growing sophistication in how cybercriminals operate.

Mora_001’s use of the Fortinet vulnerabilities is particularly concerning because it highlights a vulnerability that many organizations may have overlooked or underestimated. The fact that these attacks began shortly after a proof-of-concept exploit was released signals how quickly threat actors can adapt and weaponize new vulnerabilities. The rapid deployment of SuperBlack ransomware also speaks to a level of operational maturity, where threat actors can bypass traditional defenses and exploit vulnerabilities with minimal delay.

It’s interesting that Mora_001 is still associated with LockBit, even if only indirectly. The similarities in tactics—like the use of the leaked LockBit builder and the shared TOX ID—suggest that Mora_001 is closely following the playbook of larger, more established ransomware groups. However, by removing LockBit’s branding, it appears that Mora_001 is setting itself apart as an autonomous group, perhaps with its own motives and goals.

Moreover, the deployment of WipeBlack is a clear indication that ransomware operators are becoming more advanced in their post-encryption tactics. The wiper component’s purpose is not just to encrypt data but also to eliminate all traces of the attack, making it even harder for organizations to recover or investigate what happened.

The broader implications of these attacks are clear. They emphasize the need for organizations to keep up with patching and securing their networks, especially in light of newly disclosed vulnerabilities. Even with the best security measures in place, a delayed patch or failure to upgrade vulnerable systems can leave the door wide open for attackers.

What makes Mora_001 particularly alarming is its rapid operational tempo and ability to blend in with established ransomware ecosystems. This convergence of tactics from independent and well-known groups could signify the beginning of a new era in ransomware, where smaller, agile actors can mimic larger organizations’ methods and wreak significant damage on their own.

Fact Checker Results:

  1. The vulnerabilities CVE-2024-55591 and CVE-2025-24472 were indeed exploited by Mora_001, granting attackers super-admin privileges on vulnerable Fortinet appliances.
  2. Mora_001 appears to use the LockBit ransomware builder, although it removes LockBit’s branding and operates independently.
  3. The wiper component, WipeBlack, used in these attacks is linked to previous ransomware campaigns tied to LockBit and other malware families.

References:

Reported By: https://securityaffairs.com/175402/cyber-crime/superblack-ransomware-exploited-fortinet-firewall-flaws.html
Extra Source Hub:
https://www.twitter.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image