Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware at several companies.
In a report published last week, Forescout researchers said that a group it tracks as "Mora_001" is exploiting Fortinet firewalls, which sit at the edge of a company's network and act as digital gatekeepers, to break in and deploy a custom ransomware strain that the researchers call "SuperBlack".
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second flaw, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both flaws in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has "investigated three incidents at different companies, but we believe there could be others."
In one confirmed intrusion, Forescout said it observed the attacker "selectively" targeting file servers that contained sensitive data.
"The encryption began only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption," Molige said.
Forescout says the Mora_001 threat actor "exhibits a distinct operational signature," which the firm says has "close ties" to the LockBit ransomware gang, which was disrupted by U.S. authorities last year. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
"This connection could indicate that Mora_001 is a current affiliate with unique operational methods or an associated group that shares communication channels," Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, told TechCrunch that Forescout's findings suggest the hackers are "going after the remaining organizations that were not able to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed."
Hostetler says the ransom note used in these attacks has similarities to those of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch's questions.