Listen to this Post
Rising Threat: Qilin Ransomware Exploits Fortinet Flaws
A new wave of cyberattacks has emerged, driven by the notorious Qilin ransomware group, also known as Phantom Mantis. These attackers have added their weight to an already dangerous situation by targeting critical Fortinet vulnerabilities, allowing them to bypass authentication and remotely execute malicious code on unpatched systems. As cybersecurity experts raise the alarm, organizations worldwideâespecially those in Spanish-speaking regionsâface heightened risk from this growing threat.
Expanding Reach and Sophistication
Qilin, previously identified under the alias “Agenda,” first appeared on the radar in August 2022. It operates as a Ransomware-as-a-Service (RaaS), offering its malicious tools to affiliates. With over 310 claimed victims listed on its dark web leak site, Qilin has grown into a powerful and organized threat actor. The groupâs targets have included high-profile entities such as Yangfeng (a leading automotive company), Lee Enterprises (a major publishing house), Australia’s Court Services Victoria, and Synnovisâa pathology service provider that supports major NHS hospitals in London. The latter breach was particularly damaging, causing mass appointment cancellations and operational disruptions across multiple hospitals.
Recently, threat intelligence firm PRODAFT detected a series of Qilin-led attacks exploiting vulnerabilities in Fortinet devices. These include CVE-2024-21762 and CVE-2024-55591âtwo critical flaws that allow unauthenticated remote code execution. Qilin’s attacks are partially automated and show a current concentration on Spanish-speaking countries, although experts predict a global expansion. Their opportunistic targeting does not appear to follow a strict geographic or industry-based pattern, making the threat unpredictable.
Interestingly, CVE-2024-55591 was exploited as a zero-day vulnerability by multiple threat groups as early as November 2024, including those deploying the SuperBlack ransomwareâa strain associated with the LockBit cybercrime gang. The other exploited flaw, CVE-2024-21762, was officially patched in February 2025, but by March, approximately 150,000 devices were still exposed, according to the Shadowserver Foundation.
Fortinet vulnerabilities are becoming a prime attack vector in cyber espionage and ransomware campaigns. In February, Chinese state-sponsored group Volt Typhoon exploited two older FortiOS flaws (CVE-2022-42475 and CVE-2023-27997) to deploy a backdoor malware named Coathanger in the Dutch Ministry of Defenceâs military network.
These developments underscore the urgency for automated patch management, as outdated manual patching methods continue to leave organizations vulnerable. Cybersecurity experts are increasingly urging businesses to move toward automated, scalable patching solutions to stay ahead of fast-evolving threats like Qilin.
What Undercode Say:
The Qilin ransomware campaign marks a notable escalation in the use of Fortinet vulnerabilities for high-impact cyberattacks. This group is not operating in isolationâitâs part of a growing trend of ransomware operators who exploit known security flaws even after public patches are issued. The continued exploitation of vulnerabilities like CVE-2024-21762 and CVE-2024-55591 demonstrates the significant lag in organizational response to patch advisories. Despite warnings from CISA and rapid patch releases by Fortinet, a vast number of systems remain exposed, revealing a concerning pattern in cybersecurity behavior across industries.
Qilinâs choice to prioritize Spanish-speaking regions is strategic. While it may seem regional, this pattern points to broader opportunistic behavior. Their targets include vital sectorsâhealthcare, judiciary, publishing, and automotiveâshowing that the groupâs goal is maximum disruption and leverage for ransom. The Synnovis breach is particularly alarming because it affected the healthcare infrastructure in the UK, highlighting how ransomware attacks are now capable of endangering human lives through operational paralysis.
The growing reliance on Fortinet devices makes them attractive targets. These firewalls and VPNs are ubiquitous across corporate networks, making any vulnerability an open door for advanced persistent threats. The fact that multiple threat actorsâincluding Mora_001 and Volt Typhoonâare leveraging the same flaws underscores the systemic risk posed by slow patch adoption. Once a vulnerability becomes public knowledge, it often enters the playbooks of dozens of cybercrime syndicates almost overnight.
Moreover, the RaaS model that Qilin operates under makes it easy for lesser-skilled criminals to launch sophisticated attacks. The automation observed in these campaigns increases both scale and efficiency, allowing affiliates to attack multiple targets rapidly with minimal effort. This democratization of cybercrime is accelerating the ransomware crisis.
Whatâs deeply concerning is that these attackers are not only exploiting technical vulnerabilities but also organizational onesânamely, poor cyber hygiene and inadequate response protocols. It reflects a mismatch between the speed at which cyber threats evolve and the pace at which organizations adapt. The move away from manual patching toward automated, real-time solutions is no longer optionalâitâs a necessity for survival in this landscape.
Additionally, Fortinetâs historical issues with zero-day vulnerabilities point to a need for deeper internal auditing and faster disclosure processes. Vendors must also play their part in making patches accessible and easy to deploy, especially in complex environments. Meanwhile, governments and regulatory agencies need to enforce stricter compliance timelines to ensure that critical infrastructure doesnât remain exposed for months after a vulnerability is discovered.
Ultimately, the Qilin case highlights a disturbing convergence of organized cybercrime, outdated defense practices, and systemic vulnerability in enterprise cybersecurity. The era of passive patch management is over. Organizations that fail to adapt will continue to serve as easy prey for increasingly sophisticated ransomware operations.
Fact Checker Results â
âď¸ Qilin is confirmed to be exploiting Fortinet vulnerabilities
âď¸ CVE-2024-21762 and CVE-2024-55591 are active attack vectors
âď¸ Spanish-speaking regions are currently prioritized but global spread is expected đ
Prediction đŽ
Qilin will likely expand its campaign beyond Spanish-speaking nations, targeting unpatched Fortinet devices globally throughout the second half of 2025. As more affiliates adopt its automated RaaS tools, expect a sharp rise in healthcare and government sector breaches. Organizations delaying their patch management strategies risk becoming the next major headline victim. đ¨
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
