
Forescout researchers have identified a new ransomware group, dubbed Mora_001, exploiting two critical vulnerabilities in Fortinet products to gain unauthorized access to firewalls and subsequently deploy a customized encryption tool named SuperBlack.
These two vulnerabilities involve authentication bypasses and have been assigned identifiers CVE-2024-55591 (CVSS score: 9.8) and CVE-2025-24472 (CVSS score: 8.1). Fortinet publicly disclosed these flaws in January 2025. While CVE-2024-55591 was immediately recognized as actively exploited, CVE-2025-24472 initially caused confusion—Fortinet first denied exploitation but later acknowledged that the vulnerability had indeed been leveraged by attackers.
Forescout first observed SuperBlack-related attacks in late January 2025 and confirmed that hackers exploited CVE-2025-24472. Following this discovery, Fortinet updated its security advisory to acknowledge active exploitation.
The SuperBlack attacks unfold systematically. Attackers first escalate privileges to “super_admin”, either through WebSocket-based jsconsole attacks or by sending crafted HTTPS requests directly to the firewall’s management interface. Once they have that access, they scan the network, steal VPN, WMI, SSH, and TACACS+/RADIUS credentials, and move laterally within the targeted infrastructure. Before encrypting files, the attackers exfiltrate sensitive data.
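The privilege-escalation step above leaves traces on the firewall itself, because FortiGate writes an event log entry for every administrative login and every configuration change, with the source interface recorded in a `ui` field. The following detection script is an added example written for this article; it is not Forescout's or Fortinet's code. It parses FortiGate-style `key="value"` log lines and flags administrative logins that arrive via `jsconsole`, plus any new entry under `system.admin` that is created from `jsconsole` or granted the `super_admin` profile. The sample log lines are constructed for the example, and the field names (`ui`, `logdesc`, `cfgpath`, `cfgobj`, `cfgattr`) are assumed to match FortiGate's log format; verify them against your own firewall's output before deploying the rule. The `super_admin` check goes slightly beyond the article's jsconsole case so that the same logic also catches privileged accounts added through other management paths.

```python
import re
from typing import Dict, List

# Constructed sample log lines in FortiGate's key="value" event format.
# Timestamps, IPs and account names are invented for this example.
SAMPLE_LOGS = [
    'date=2025-01-28 time=10:12:03 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="GUI(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2025-01-28 time=10:14:55 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success"',
    'date=2025-01-28 time=10:15:07 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]"',
    'date=2025-01-28 time=10:16:40 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(10.0.0.9)" action="Edit" cfgpath="system.interface" cfgobj="port1" cfgattr="alias[wan]"',
    'date=2025-01-28 time=10:20:11 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="svc_backup" remip=203.0.113.7 action="tunnel-up"',
]

# Matches key=value pairs where the value is either a double-quoted string
# (with backslash escapes allowed) or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one FortiGate-style log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def find_suspicious_admin_activity(lines: List[str]) -> List[Dict[str, object]]:
    """Return findings for jsconsole admin logins and risky admin-account creation.

    Two patterns are flagged:
      * an administrative login whose ui field is "jsconsole";
      * an "Add" under cfgpath system.admin that either came via jsconsole
        or assigns the super_admin profile (assumed field semantics).
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        f = parse_line(line)
        # Only system event logs carry admin login / config-change records.
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        via_jsconsole = f.get("ui") == "jsconsole"
        when = f"{f.get('date', '?')} {f.get('time', '?')}"

        if f.get("action") == "login" and via_jsconsole:
            findings.append({
                "kind": "jsconsole_login",
                "time": when,
                "user": f.get("user"),
                "srcip": f.get("srcip"),
            })
        elif f.get("action") == "Add" and f.get("cfgpath") == "system.admin":
            grants_super = "super_admin" in f.get("cfgattr", "")
            if via_jsconsole or grants_super:
                findings.append({
                    "kind": "admin_account_added",
                    "time": when,
                    "user": f.get("user"),
                    "new_admin": f.get("cfgobj"),
                    "profile": f.get("cfgattr"),
                    "via_jsconsole": via_jsconsole,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_admin_activity(SAMPLE_LOGS):
        print(finding)
```

Run as-is, the script reports the jsconsole login from 198.51.100.23 and the `svc_backup` account created with `super_admin`, while the GUI login, the SSH-sourced interface edit and the VPN event pass silently. In production you would feed it the firewall's syslog stream rather than the embedded sample, and treat any `jsconsole` login from an address that is not an administrator's workstation as an incident trigger, since that interface is rarely used in normal operations.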
After exfiltrating data, the attackers initiate encryption and then deploy the WipeBlack tool, which erases traces of the encryption activity to impede forensic investigation. Several indicators suggest that the SuperBlack ransomware is closely linked to the LockBit operation:
- The SuperBlack ransomware is based on leaked LockBit 3.0 source code.
- IP addresses previously associated with LockBit campaigns significantly overlap with those observed in Mora_001 attacks.
- WipeBlack has been previously identified in LockBit-related campaigns such as BrainCipher, EstateRansomware, and SenSayQ.
Taken together, these findings point to a connection between Mora_001 and key figures or affiliates formerly involved with LockBit.