LockBit-Linked Cyberattack Targets Fortinet Users: A Rising Threat


In recent months, a significant cyber threat has emerged, exploiting vulnerabilities in Fortinet products. This threat, tied to the notorious LockBit ransomware group, highlights the ongoing battle between cybersecurity experts and malicious actors. Since January 2025, the “Mora_001” group has been using two Fortinet vulnerabilities—CVE-2024-55591 and CVE-2025-24472—to deploy the SuperBlack ransomware. This article unpacks the nature of the attacks, the connection to LockBit, and expert recommendations for mitigation.

A New Threat: Mora_001 and its Exploitation of Fortinet Vulnerabilities

Since January 2025, cybersecurity experts have observed an uptick in attacks targeting Fortinet’s FortiOS and FortiProxy systems. These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been exploited by a group identified as “Mora_001.” Researchers at Forescout Research – Vedere Labs suspect that the group has ties to the infamous LockBit ransomware gang due to shared post-exploitation behaviors, ransomware customization, and the inclusion of the same TOX ID in their ransom note.

Mora_001 is leveraging these vulnerabilities to gain super-administrator access to vulnerable Fortinet products, enabling them to deploy SuperBlack ransomware. The threat actor’s ties to the LockBit ecosystem are evidenced by their methodical operations and tactics, which closely resemble those used by LockBit affiliates. The LockBit group, one of the most notorious and profitable ransomware operations, faced significant setbacks in 2024 due to a series of law enforcement actions, but it remains highly active.

The United States, India, and Brazil are currently the most affected countries, with the highest numbers of exposed FortiGate firewalls. Experts recommend that organizations in these regions urgently patch vulnerable systems, limit administrative access, and implement robust logging and monitoring to defend against this rapidly growing threat.

What Undercode Says:

The emergence of Mora_001 and its ties to LockBit underscore a significant shift in the tactics of ransomware groups. LockBit’s historical dominance in the ransomware-as-a-service (RaaS) ecosystem has made it one of the most prolific and profitable cybercriminal operations. However, its recent disruptions, including arrests and the seizure of assets, have not slowed its affiliates down. Instead, it appears that new actors—like Mora_001—are taking advantage of the chaos within the group to exploit similar tactics and tools for their own gain.

Mora_001’s choice to target Fortinet products is strategic, as FortiGate firewalls are widely deployed across various industries and government agencies. The fact that these vulnerabilities have been present since early 2024 suggests that many organizations have been operating with unpatched systems, which makes them prime targets for cybercriminals. What’s concerning is the sophistication of these attacks. By exploiting the vulnerabilities, attackers gain super-administrator access, which gives them the ability to install ransomware undetected, making it increasingly difficult for organizations to contain the breach.

What sets this attack apart from other ransomware threats is the apparent use of a ransomware strain, SuperBlack, that is being customized specifically for Fortinet devices. The shared LockBit TOX ID further reinforces the theory that LockBit is actively behind these operations, or at least plays a significant role in facilitating them.

The advice given by Forescout researchers highlights a key principle of cybersecurity: defense in depth. This layered approach is essential for mitigating the risks posed by sophisticated cyberattacks like those from Mora_001. By segmenting networks, restricting management access, auditing administrator accounts, and enabling comprehensive logging, organizations can significantly reduce their vulnerability to exploitation.

The ongoing evolution of ransomware operations, such as LockBit and its affiliates, suggests that the landscape of cyber threats is only becoming more complex. While law enforcement actions may temporarily disrupt these operations, they are not enough to eradicate them entirely. Cybersecurity experts need to focus on proactive measures, including continuous monitoring, rapid patching, and an ongoing commitment to training employees on the latest cyber threats.

Fact Checker Results:

1. Vulnerabilities Verified: The vulnerabilities CVE-2024-55591 and CVE-2025-24472 are real and confirmed within FortiOS and FortiProxy systems.

2. Ransomware Connections:

3. Geographical Impact: The US, India, and Brazil have the highest number of exposed FortiGate devices, corroborating the warning from experts.

References:

Reported By: https://www.darkreading.com/cyberattacks-data-breaches/actor-tied-lockbit-ransomware-targets-fortinet-users