
Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on a number of corporate networks.
In a report published last week, security researchers at Forescout Research said a group it is tracking, dubbed “Mora_001,” is exploiting the Fortinet firewalls, which sit at the edge of an organization’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three incidents in different companies, but we believe there could be others.”
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was disrupted last year by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
“This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an affiliate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, told TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed.”
Hostetler says the ransom note used in these attacks bears similarities to those of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.