Between late January and early March 2025, cybersecurity researchers uncovered a series of sophisticated intrusions leveraging critical Fortinet vulnerabilities. The attacks, attributed to a newly identified threat actor tracked as "Mora_001," culminated in the deployment of a custom ransomware strain dubbed "SuperBlack."
Understanding how these attacks unfold can help organizations strengthen their defenses and prevent potential breaches.
Fortinet Vulnerabilities Under Attack
Mora_001 has demonstrated a systematic approach to compromising networks, beginning with the exploitation of two critical Fortinet vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These flaws affect FortiOS versions prior to 7.0.16 and allow unauthenticated attackers to gain super_admin privileges on vulnerable devices with exposed management interfaces.
Exploitation Methods – Threat actors are using:
WebSocket vulnerabilities to spoof administrator access.
Direct HTTPS requests to manipulate authentication mechanisms.
Within hours of a proof-of-concept exploit being publicly released, hackers began launching real-world attacks.
How They Gain Control? Once inside the system, the attackers deploy multiple persistence mechanisms to ensure they maintain access:
Creating Backdoor Admin Accounts – New admin users with names mimicking legitimate system accounts (e.g., "forticloud-tech") are added to bypass detection.
Automated Account Recreation – Even if an admin removes the backdoor accounts, the attackers have scripts in place to automatically recreate them.
Propagation via High Availability (HA) Configurations – In environments using Fortinet's HA feature, Mora_001 forced synchronization to propagate the compromised configuration to additional firewalls within the same cluster, effectively spreading their backdoor accounts across multiple devices.
After securing initial access, attackers move deeper into the network - Mora_001 conducted extensive reconnaissance using the FortiGate dashboards to gather environmental intelligence. The attackers accessed the Status, Security, Network, and Users & Devices dashboards to identify potential paths for lateral movement.
VPN Exploitation – They create stealthy VPN accounts to maintain access.
Windows Management Instrumentation (WMI) & SSH – These tools help attackers navigate and exploit other connected devices.
Targeting High-Value Systems – The attackers prioritized high-value targets, particularly file servers, authentication servers, domain controllers, and database servers. Rather than indiscriminately encrypting entire networks, Mora_001 selectively targeted systems containing sensitive data, focusing first on data exfiltration before initiating encryption.
Before deploying ransomware, the attackers prioritize data exfiltration - stealing sensitive files for future ransom leverage or resale.
The ransomware deployed by Mora_001, designated "SuperBlack" by researchers, closely resembles LockBit 3.0 (also known as LockBit Black) but with specific modifications. The primary differences lie in the ransom note structure and the inclusion of a custom data exfiltration executable. Despite the cosmetic changes, the ransomware maintains strong connections to the LockBit ecosystem. The changes include:
A Custom Data Theft Tool – This ensures attackers extract critical files before locking systems.
A Wiper Module (WipeBlack) – This feature erases traces of the attack, making forensic investigations more challenging.
The exploitation of Fortinet vulnerabilities in SuperBlack ransomware attacks is a wake-up call for organizations relying on security appliances. Proactive patching, strict access controls, and continuous monitoring are critical to mitigating such threats.
By staying ahead of these evolving attack techniques, businesses can prevent breaches before they happen - rather than reacting after damage is done.
Sources: