Summary: A new ransomware group named ‘Mora_001’ is leveraging Fortinet vulnerabilities CVE-2024-55591 and CVE-2025-24472 to compromise firewall appliances and deploy their ransomware variant known as SuperBlack. This group utilizes a structured attack strategy, gaining high-level privileges and executing double extortion tactics. There are indications that SuperBlack is connected to LockBit operations through several shared methods and tools.
Affected: Fortinet firewall appliances
Key points:
- Mora_001 exploits Fortinet’s vulnerabilities to gain unauthorized access and deploy SuperBlack ransomware.
- The attack process involves gaining ‘super_admin’ privileges, creating administrator accounts, and executing lateral movement within the network.
- Evident connections between SuperBlack and LockBit highlight similarities in encryption methods, ransom negotiation channels, and overlapping IP addresses.
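
To check an appliance for the account creation described above, the following added example (not part of the original report) audits a FortiGate configuration backup for accounts holding the `super_admin` profile that are not on an approved list. The sample configuration, the account names and the approved list are constructed for illustration, and the parser assumes the standard FortiOS `config system admin` backup layout.

```python
import re

# Constructed sample of a FortiGate config backup; the account names are made up.
SAMPLE_CONFIG = '''
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "netops"
        set accprofile "prof_admin"
    next
    edit "svc-backup01"
        set accprofile "super_admin"
    next
end
config system interface
    edit "port1"
    next
end
'''

def parse_admins(config_text):
    """Map each account in 'config system admin' to its access profile."""
    admins, in_block, depth, current = {}, False, 0, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif line == "end":
            if depth == 0:
                break                       # end of the admin table
            depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = m.group(1)
            admins[current] = None
        elif depth == 0 and current and (m := re.match(r'set accprofile "?([^"]+)"?$', line)):
            admins[current] = m.group(1)
    return admins

def unexpected_super_admins(config_text, approved):
    """Accounts holding super_admin that are not on the approved list."""
    return sorted(n for n, p in parse_admins(config_text).items()
                  if p == "super_admin" and n not in approved)

if __name__ == "__main__":
    print(unexpected_super_admins(SAMPLE_CONFIG, approved={"admin"}))
```

Run it against each scheduled configuration backup and alert on any non-empty result, since a new `super_admin` account outside change control is the persistence step listed in the key points.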