{
	"id": "bb886c04-045e-4ea1-b4df-7537898f7041",
	"created_at": "2026-04-06T00:16:44.537433Z",
	"updated_at": "2026-04-10T03:31:44.973226Z",
	"deleted_at": null,
	"sha1_hash": "ed0aafefb0968c121b042b37fd16c8a2eae16e02",
	"title": "SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1113587,
	"plain_text": "SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware\r\nBy Kaaviya\r\nPublished: 2025-03-14 · Archived: 2026-04-05 13:03:39 UTC\r\nBetween late January and early March 2025, cybersecurity researchers at Forescout’s Vedere Labs uncovered a series of sophisticated intrusions leveraging critical Fortinet vulnerabilities.\r\nThe attacks, attributed to a newly identified threat actor tracked as “Mora_001,” culminated in the deployment of a custom ransomware strain dubbed “SuperBlack.”\r\nMora_001 has demonstrated a systematic approach to compromising networks, beginning with the exploitation of two critical Fortinet vulnerabilities: CVE-2024-55591 and CVE-2025-24472.\r\nThese flaws affect FortiOS versions prior to 7.0.16 and allow unauthenticated attackers to gain super_admin privileges on vulnerable devices with exposed management interfaces.\r\nResearchers observed two distinct exploitation methods in the wild, beginning just 96 hours after the public release of a proof-of-concept exploit on January 27, 2025.\r\nThe first method utilized the jsconsole interface, exploiting the WebSocket vulnerability with spoofed IP addresses (often 127.0.0.1, 8.8.8.8, or other recognizable addresses).\r\nhttps://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/\r\nPage 1 of 5\r\nThe second method employed direct HTTPS requests targeting the same underlying vulnerability.\r\nPersistence Techniques\r\nAfter gaining initial access, Mora_001 established persistence through several sophisticated mechanisms.\r\nThe attackers consistently created local system administrator accounts with names designed to blend in with legitimate services, including “forticloud-tech,” “fortigate-firewall,” and “adnimistrator” (a deliberate misspelling of “administrator”).\r\nA particularly insidious technique involved creating automated tasks to ensure persistence even after remediation attempts.\r\nAttack Chain \u0026 methods\r\nFor example, the attackers configured daily scripted automation tasks that would automatically recreate administrator accounts if they were removed.\r\nOne such script included the command to recreate a “forticloud-sync” user with super_admin privileges and a predetermined password.\r\nIn environments with High Availability (HA) configurations, Mora_001 forced synchronization to propagate the compromised configuration to additional firewalls within the same cluster, effectively spreading their backdoor accounts across multiple devices.\r\nAfter establishing persistence, Mora_001 conducted extensive reconnaissance using the FortiGate dashboards to gather environmental intelligence.\r\nThe attackers accessed the Status, Security, Network, and Users \u0026 Devices dashboards to identify potential paths for lateral movement.\r\nIn environments with VPN capabilities, the threat actor created additional VPN user accounts with names resembling legitimate accounts but with subtle modifications, such as adding a digit at the end (e.g., “xxx1”).\r\nThese accounts were then added to VPN user groups, enabling future network access while evading casual administrative review.\r\nNetwork Traversal Methods\r\nFor lateral movement, Mora_001 leveraged multiple techniques:\r\n1. Using stolen VPN credentials to access internal networks.\r\n2. Exploiting High Availability (HA) configuration propagation to compromise additional firewalls.\r\n3. Abusing authentication infrastructure via TACACS+ or RADIUS when configured to synchronize with Active Directory.\r\n4. Employing Windows Management Instrumentation (WMIC) for remote system discovery and execution.\r\n5. Utilizing SSH to access additional servers and network devices.\r\nThe attackers prioritized high-value targets, particularly file servers, authentication servers, domain controllers, and database servers.\r\nRather than indiscriminately encrypting entire networks, Mora_001 selectively targeted systems containing sensitive data, focusing first on data exfiltration before initiating encryption.\r\nThe ransomware deployed by Mora_001, designated “SuperBlack” by researchers, closely resembles LockBit 3.0 (also known as LockBit Black) but with specific modifications.\r\nThe primary differences lie in the ransom note structure and the inclusion of a custom data exfiltration executable.\r\nDespite the cosmetic changes, the ransomware maintains strong connections to the LockBit ecosystem.\r\nThe ransom note includes a Tox chat ID (DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815) that has been previously linked to LockBit 3.0 operations.\r\nThe note retains LockBit’s HTML template structure but removes explicit branding elements, such as the header, that would typically identify it as LockBit ransomware.\r\nResearchers identified additional samples on VirusTotal with similar ransom notes, connecting SuperBlack to import hashes previously associated with BlackMatter, LockBit, and BlackMatte ransomware.\r\nThis evidence suggests Mora_001 is either a current or former LockBit affiliate leveraging their leaked builder or an independent threat actor repurposing LockBit’s infrastructure and tools.\r\nInfrastructure \u0026 Patterns\r\nThe primary SuperBlack executable handles the encryption process and downloads additional components, including a wiper module designated “WipeBlack.”\r\nThis component has been observed in previous ransomware incidents tied to LockBit and BrainCipher, which in turn has connections to SenSayQ, EstateRansomware, and RebornRansomware.\r\nThe wiper employs sophisticated anti-forensic techniques, including dynamic resolution of Windows APIs to obstruct static analysis and the use of named pipes for command execution.\r\nAfter encryption is complete, it overwrites the ransomware executable with random data using a 1MB buffer and a decryption key of 0x3105DFDE, effectively erasing evidence of the initial infection.\r\nMora_001’s operations have been linked to specific infrastructure, including IP address 185.147.124.34, which was observed performing brute-force attempts against multiple edge devices.\r\nThis IP address hosts a tool identified as “VPN Brute v1.0.2,” a Russian-language utility designed to brute-force credentials for various VPN services and edge devices.\r\nThe VPN Brute tool targets multiple platforms, including:\r\nRemote Desktop Web Access (RDWeb)\r\nPulseSecure (referred to as “Dana” in the tool)\r\nOutlook Web Access (OWA)\r\nPalo Alto Networks GlobalProtect\r\nFortinet\r\nCisco\r\nF5 Networks BIG-IP\r\nCitrix\r\nResearchers identified 15 additional IP addresses running versions of VPN Brute, with newer variants offering enhanced functionality such as continued brute forcing after successful credential discovery, custom username and password combinations, and honeypot detection capabilities.\r\nThe Mora_001 campaign underscores the increasing trend of exploiting perimeter security appliances for initial access, with attackers rapidly weaponizing disclosed vulnerabilities.\r\nAs of the report’s writing, the United States (7,677), India (5,536), and Brazil (3,201) host the highest numbers of exposed FortiGate firewalls, making them particularly vulnerable to these attacks.\r\nMitigations\r\nTo protect against Mora_001 and similar threats, organizations should implement the following measures:\r\n1. Patch vulnerable systems immediately by applying FortiOS updates addressing CVE-2024-55591 and CVE-2025-24472.\r\n2. Restrict management access by disabling external management interfaces whenever possible.\r\n3. Conduct regular audits of administrator accounts to identify and remove unauthorized users.\r\n4. Examine automation settings for suspicious tasks, particularly those scheduled to run daily or during off-hours.\r\n5. Review VPN users and groups for slight variations of legitimate usernames or recently created accounts.\r\n6. Enable comprehensive logging, including CLI audit logs, HTTP/S traffic logs, Network Policy Server auditing, and authentication system auditing.\r\nThe Mora_001 campaign represents a sophisticated evolution in the ransomware landscape, blending opportunistic exploitation with targeted data theft and selective encryption.\r\nWhile maintaining operational connections to established ransomware ecosystems like LockBit, Mora_001 has developed distinct tactics and tools that set it apart as a unique threat actor.\r\nOrganizations with Fortinet deployments should prioritize patching vulnerable devices and implementing the recommended mitigations to protect against this emerging threat.\r\nThe rapid exploitation of newly disclosed vulnerabilities highlights the critical importance of timely security updates and comprehensive network monitoring to detect and respond to sophisticated attacks before they can achieve their objectives.\r\nSource: https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/"
	],
	"report_names": [
		"superblack-actors-exploiting-two-fortinet-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "353d3a83-ce02-44a2-a663-dafdbbb617a0",
			"created_at": "2025-03-21T02:00:03.842688Z",
			"updated_at": "2026-04-10T02:00:03.83742Z",
			"deleted_at": null,
			"main_name": "Mora_001",
			"aliases": [],
			"source_name": "MISPGALAXY:Mora_001",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775791904,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed0aafefb0968c121b042b37fd16c8a2eae16e02.pdf",
		"text": "https://archive.orkl.eu/ed0aafefb0968c121b042b37fd16c8a2eae16e02.txt",
		"img": "https://archive.orkl.eu/ed0aafefb0968c121b042b37fd16c8a2eae16e02.jpg"
	}
}