Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on a number of company networks.
In a report published last week, security researchers at Forescout Research said a group it tracks, dubbed "Mora_001," is exploiting the Fortinet firewalls, which sit at the edge of an organization's network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call "SuperBlack."
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Both are authentication bypass flaws in the FortiOS and FortiProxy management interface that can give a remote attacker super-admin privileges. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told information.killnetswitch that the cybersecurity firm has "investigated three incidents at different companies, but we believe there could be others."
In one confirmed intrusion, Forescout said it observed the attacker "selectively" encrypting file servers containing sensitive data.
"The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption," said Molige.
Forescout says the Mora_001 threat actor "exhibits a distinct operational signature," which the firm says has "close ties" to the LockBit ransomware gang, which was disrupted last year by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
"This connection may indicate that Mora_001 is either a current affiliate with unique operational methods or an affiliate group sharing communication channels," Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells information.killnetswitch that Forescout's findings suggest hackers are "going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed."
Hostetler says the ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to information.killnetswitch's questions.