Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware.
In a report published last week, security researchers at Forescout Research said a group it’s tracking dubbed “Mora_001” is exploiting the Fortinet firewalls, which sit on the edge of a company’s network as gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three events in different companies, but we believe
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operating which was last year disrupted by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 incidences LockBit.
“This connection would indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who … originally disclosed.”
Hostetler says the ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.