Mora_001: The Rising Threat Exploiting Fortinet Vulnerabilities for SuperBlack Ransomware

By /

Listen to this Post

A New Wave of Ransomware Attacks

A newly identified ransomware group, Mora_001, has emerged as a significant cybersecurity threat by exploiting two Fortinet vulnerabilities to infiltrate firewall appliances. These vulnerabilities, CVE-2024-55591 and CVE-2025-24472, allow attackers to bypass authentication and gain unauthorized access.

Despite

How the Attack Works

Mora_001 follows a structured attack methodology that begins with privilege escalation and ends with ransomware deployment and data destruction:

  1. Initial Exploitation: Attackers exploit the Fortinet vulnerabilities to gain super_admin privileges via WebSocket-based attacks or direct HTTPS requests to exposed firewall interfaces.
  2. Persistence and Control: They create new administrator accounts (e.g., forticloud-tech, fortigate-firewall, adnimistrator) and automate their recreation if deleted.
  3. Lateral Movement: Using stolen VPN credentials, Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, they expand their control across the network.
  4. Data Exfiltration and Encryption: A custom-built data theft tool is used before encrypting critical files on file servers, database servers, and domain controllers for double extortion.
  5. Covering Tracks: After encryption, a wiper malware, WipeBlack, is deployed to erase forensic evidence, making incident investigation difficult.

SuperBlack’s Connection to LockBit

Forescout’s analysis highlights strong technical overlaps between SuperBlack and LockBit 3.0, including:

– Encryption Methods: SuperBlack uses

  • Communication Links: SuperBlack’s ransom note contains a TOX chat ID linked to previous LockBit operations.
  • IP Address Overlaps: Several IP addresses used in SuperBlack attacks were previously associated with LockBit ransomware.
  • Wiper Malware Similarities: WipeBlack was also used in attacks by BrainCipher, EstateRansomware, and SenSayQ, all connected to LockBit affiliates.

These connections suggest that Mora_001 could be a former LockBit affiliate or a breakaway faction reusing LockBit’s tools for its own operations.

What Undercode Says:

The SuperBlack ransomware campaign highlights critical security failures that companies must address immediately. Let’s break down the key implications and strategic takeaways:

1. Persistent Exploitation of Fortinet Vulnerabilities

Even though Fortinet released patches for CVE-2024-55591 and CVE-2025-24472, these vulnerabilities remain highly exploitable due to slow patch adoption across enterprises. Attackers thrive on unpatched systems, and this case proves how crucial rapid vulnerability management is.

2. Advanced Ransomware Tactics

Mora_001 follows an efficient, repeatable attack chain, leveraging automation and lateral movement techniques to maximize impact. This aligns with a broader ransomware-as-a-service (RaaS) trend, where attackers operate like organized businesses.

3. The LockBit Connection – A Dangerous Evolution

The reuse of

  1. The Threat of Double Extortion & Data Wiping
    SuperBlack not only encrypts data but also steals it before deploying a destructive wiper. This means:

– Victims lose critical data permanently, even if they pay the ransom.
– Attackers can leak or sell stolen data, increasing financial and reputational damage.
– Incident response becomes significantly harder due to the removal of forensic evidence.

5. The Need for a Multi-Layered Defense Strategy

Defending against SuperBlack ransomware requires proactive security measures:

✅ Patch Management: Organizations must deploy Fortinet security updates immediately.
✅ Zero Trust Architecture: Limiting admin privileges and segmenting networks can minimize the blast radius of an attack.
✅ Multi-Factor Authentication (MFA): Prevents unauthorized access through stolen credentials.
✅ Threat Intelligence Monitoring: Companies should actively track indicators of compromise (IoCs) provided by security researchers.
✅ Incident Response Readiness: Having a well-documented playbook for ransomware incidents can reduce downtime and losses.

Fact Checker Results:

✔️ SuperBlack ransomware is real and actively exploiting Fortinet vulnerabilities.
✔️ Fortinet initially denied exploitation of CVE-2025-24472, but later acknowledged it after Forescout’s report.
✔️ Mora_001 has confirmed ties to LockBit, though it operates as a separate group.

SuperBlack represents a serious evolution in ransomware tactics, demonstrating how cybercriminals repurpose old exploits with new attack methodologies. Organizations must act fast to patch vulnerabilities, strengthen network defenses, and stay vigilant against persistent ransomware threats like Mora_001.

References:

Reported By: https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp
💬 TelegramFeatured Image

Explore More: