New Ransomware Operator Exploits Fortinet Vulnerability Duo
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.
OPENCTI LABELS:
ransomware, data exfiltration, lateral movement, lockbit, firewall, fortinet, cve-2025-24472, cve-2024-55591, superblack, wipeblack