March 14, 2025
Severity
High
Analysis Summary
A ransomware group tracked as Mora_001, linked to LockBit, has been exploiting two Fortinet authentication-bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, to deploy a new ransomware strain, SuperBlack. Both flaws allow an unauthenticated attacker to bypass authentication in FortiOS and FortiProxy and obtain "super_admin" privileges on the device.
After gaining access, Mora_001 creates privileged accounts with deceptive names and, on VPN-enabled firewalls, adds local user accounts whose names mimic legitimate users. On firewalls without VPN, the group abuses High Availability (HA) configurations or authentication services such as RADIUS to extend its access. The attackers use the FortiGate dashboards to gather intelligence about the environment, then move laterally, using tools such as VPN Brute v1.0.2 for brute-force attacks.
SuperBlack encrypts critical systems, including file servers and domain controllers, executing via the Windows Management Instrumentation command-line tool (WMIC) and SSH. A custom exfiltration tool runs before encryption, and a wiper tool is deployed afterwards to erase forensic evidence. The ransom note closely resembles LockBit 3.0's but lacks LockBit branding, and a TOX chat ID in the note links it to LockBit, suggesting Mora_001 may be a former affiliate.
Researchers identified links between SuperBlack and other ransomware strains, including BrainCipher, SenSayQ, EstateRansomware, and RebornRansomware. Additionally, a SuperBlack sample shares an import hash with LockBit and BlackMatter.
With over 31,000 FortiGate instances exposed to the internet, immediate patching is critical. Researchers urge users to disable external firewall and VPN management interfaces, audit admin accounts, and monitor for suspicious automation scripts used to maintain persistence.
Impact
- Unauthorized Access
- Lateral Movement
- Data Exfiltration
Indicators of Compromise
IP
- 94.154.35.208
- 94.156.177.187
- 170.130.55.164
- 185.147.124.10
- 109.248.160.118
- 185.147.124.34
- 185.147.124.55
- 80.64.30.237
- 193.143.1.65
- 185.224.0.201
- 94.156.227.208
- 95.217.78.122
- 185.95.159.43
- 45.15.17.67
MD5
- 7f4bc62e2a6457b94509ae8f4a91d4b9
- e09dd7cca0c6c147ba21b4062e723c5b
- 294e9f64cb1642dd89229fff0592856b
SHA-256
- 813ad8caa4dcbd814c1ee9ea28040d74338e79e76beae92bedc8a47b402dedc2
- d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88
- 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA1
- 25695d47ae4052b2922ac63fa26c932c66b861be
- ff6333bdda824e4c13bcd13351bd4bb14aaeab11
- 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
Remediation
- Immediately apply the latest Fortinet security patches for CVE-2024-55591 and CVE-2025-24472, and regularly update FortiOS and FortiProxy.
- Disable external management access to FortiGate firewalls and VPNs where possible.
- Enforce multi-factor authentication (MFA) and use strong, unique passwords for all admin accounts.
- Regularly audit and remove unknown or suspicious admin accounts to prevent unauthorized access.
- Monitor for newly created privileged accounts such as "forticloud-tech" or "fortigate-firewall."
- Investigate any local VPN user accounts with minor naming variations.
- Review firewall High Availability (HA) configurations for unauthorized changes and secure firewall synchronization settings.
- Deploy network intrusion detection/prevention systems (NIDS/NIPS) to monitor suspicious authentication bypass attempts.
- Implement endpoint detection and response (EDR) solutions to identify anomalous activity.
- Regularly check for automation scripts or scheduled tasks running on systems, as Mora_001 has been observed using automated scripts to maintain persistence.
- Limit lateral movement by segmenting networks and enforcing the principle of least privilege (PoLP) for user accounts and services.
- Secure remote access by disabling unused services, reviewing and hardening RADIUS authentication configurations, and ensuring only authorized devices can connect to VPNs.
- Back up critical systems regularly and store backups offline to prevent ransomware encryption.
- Test disaster recovery procedures frequently to ensure quick restoration in case of an attack.
- Utilize security information and event management (SIEM) solutions to analyze logs for indicators of compromise (IoCs) related to SuperBlack ransomware.
- Educate employees about phishing risks, as social engineering tactics may be used alongside these exploits.
- Engage in proactive threat hunting and collaborate with security vendors to identify and mitigate threats before they cause significant damage.
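The account-creation behaviour described in the Analysis Summary and the audit items above (rogue admin names such as "forticloud-tech", local VPN users with minor naming variations, logins from IOC addresses) can be hunted for in FortiGate event logs. The following script is an added example written for this page, not code from the advisory or from any vendor. It parses FortiOS-style key="value" log lines, flags configuration changes that add a system admin or local user from an IOC IP, that use a name reported for this campaign, or that are a near-duplicate of a legitimate account. The log lines, the legitimate account inventory (`LEGIT_ACCOUNTS`) and the similarity threshold are constructed assumptions; only the IOC IPs and the two rogue account names come from the advisory.

```python
"""Hunt FortiGate event logs for SuperBlack-style account abuse (added example)."""
import re
from difflib import SequenceMatcher

# IOC source IPs from the advisory's Indicators of Compromise section.
IOC_IPS = {
    "94.154.35.208", "94.156.177.187", "170.130.55.164", "185.147.124.10",
    "109.248.160.118", "185.147.124.34", "185.147.124.55", "80.64.30.237",
    "193.143.1.65", "185.224.0.201", "94.156.227.208", "95.217.78.122",
    "185.95.159.43", "45.15.17.67",
}

# Rogue admin names reported for this campaign (from the Remediation list).
KNOWN_ROGUE_ADMINS = {"forticloud-tech", "fortigate-firewall"}

# Assumption: the organisation's own inventory of legitimate admin/VPN accounts.
LEGIT_ACCOUNTS = {"admin", "netops", "jsmith", "vpn-contractor"}

# FortiOS logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def source_ip(fields):
    """Client IP from ui="https(1.2.3.4)" (config/login events) or a plain srcip=."""
    m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", fields.get("ui", ""))
    return m.group(1) if m else fields.get("srcip")


def lookalike_of(name, legit=LEGIT_ACCOUNTS, threshold=0.8):
    """Return the legitimate account a new name mimics (near-miss, never exact)."""
    for known in legit:
        if name != known and SequenceMatcher(None, name.lower(), known.lower()).ratio() >= threshold:
            return known
    return None


def hunt(lines):
    """Return a finding per suspicious log line, with the reasons it was flagged."""
    findings = []
    for line in lines:
        f = parse_fortigate_log(line)
        ip = source_ip(f)
        reasons = []
        if ip in IOC_IPS:
            reasons.append(f"source {ip} is an advisory IOC")
        # Account creation shows up as action="Add" on the system.admin / user.local tables.
        if f.get("action") == "Add" and f.get("cfgpath") in ("system.admin", "user.local"):
            new = f.get("cfgobj", "")
            mimic = lookalike_of(new)
            if new in KNOWN_ROGUE_ADMINS:
                reasons.append(f"rogue account name {new!r} reported for this campaign")
            elif mimic:
                reasons.append(f"account {new!r} is a near-duplicate of legitimate {mimic!r}")
            elif f.get("cfgpath") == "system.admin" and new not in LEGIT_ACCOUNTS:
                reasons.append(f"unrecognised admin account {new!r} created")
        if reasons:
            findings.append({"user": f.get("user"), "src": ip,
                             "object": f.get("cfgobj"), "reasons": reasons})
    return findings


# Constructed sample log lines in FortiOS key=value style (not real device output).
SAMPLE_LOGS = [
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'ui="https(185.147.124.10)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" '
    'msg="Add system.admin forticloud-tech"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'ui="https(10.0.0.5)" action="Add" cfgpath="user.local" cfgobj="vpn_contractor" '
    'msg="Add user.local vpn_contractor"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="netops" '
    'ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="1"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'ui="ssh(10.0.0.9)" action="Add" cfgpath="system.admin" cfgobj="netops"',
    'type="event" subtype="system" logdesc="Admin login successful" user="admin" '
    'ui="https(94.154.35.208)" action="login" status="success"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run against a day of exported event logs and review every hit: the IOC match is the strongest signal, while the near-duplicate check (an edit-distance ratio against your own account inventory) is what catches the "jsmith" versus "j.smith" style names the advisory warns about, which a plain blocklist misses.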