Mora_001 Actor Exploiting Fortinet Vulnerabilities For Superblack Deployment

Between late January and early March 2025, Forescout Research – Vedere Labs identified a series of cyber intrusions leveraging two Fortinet vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These vulnerabilities were exploited to gain administrative control over Fortinet firewalls, leading to the deployment of a newly discovered ransomware strain named SuperBlack.

Severity Level: High

Threat Details

1. Threat Actor:

• Mora_001, potentially linked to LockBit, leveraging known ransomware infrastructure and communication channels. The actor demonstrates a high level of customization, modifying LockBit’s leaked ransomware builder to develop SuperBlack, a unique ransomware variant that removes LockBit branding but retains similar functionality.

2. Exploited Vulnerabilities:

• CVE-2024-55591 and CVE-2025-24472 in Fortinet firewalls.

3. Exploitation Methods:

• Direct exploitation via the jsconsole WebSocket vulnerability.
• HTTPS-based exploit targeting FortiOS management interfaces.

4. Post-Exploitation Actions:

• Creation of identical usernames across multiple networks.
• Use of overlapping IP addresses for command-and-control (C2) operations.
• Deployment of ransomware within 48 hours of gaining access.
• Modification of ransom notes to remove LockBit branding.
• Attackers create local system admin accounts to maintain persistent access.
• Firewall configurations are backed up and stolen, exposing network policies, VPN credentials, and security settings.

5. Infrastructure & Tools:

• Custom data exfiltration tools.
• VPN Brute v1.0.2 for brute-forcing perimeter security devices.
• SSH and Windows Management Instrumentation (WMI) for lateral movement.

6. Malware Components:

• SuperBlack (ransomware)
• WipeBlack (wiper malware)

7. Targets & Impact:

• Organizations using Fortinet devices, with highest exposure in U.S., India, & Brazil.

Recommendations

1. Apply FortiOS updates addressing CVE-2024-55591 and CVE-2025-24472 immediately.
2. Disable external management access to firewalls whenever possible.
3. Regularly review all administrator accounts and remove any unauthorized or unexpected users.
4. Review VPN user lists for unauthorized additions, enforce MFA, and block unused VPN accounts.
5. Check for unauthorized scheduled scripts that recreate admin accounts or persist access.
6. Look for newly created admin users such as forticloud-tech, fortigate-firewall, admin_support, adminp0g, admin-vpn-access, admin-vpn-access-work, renewadmin, newadminz, newadminuser, it_manager.
7. Monitor for profile with string super_admin in “Admin login successful” logs or with [super_admin->super_admin]password[*] or [super_admin]vdom[root]password[*] to detect privilege escalation attempts.
8. Monitor for system commends “config system admin” to find scripts added to local firewall that will sync through fortigate’s inbuilt automation process.
9. Block the IOCs at their respective controls.

Source:

• https://www.virustotal.com/gui/collection/82a5401d45188615298e54ef4edb72ae89dcf26a7e1f339e57007789e11f95d1/iocs
• https://dailyinfosec.net/cve-2024-55591-cve-2025-24472-fortinets-double-vulnerability-nightmare/
• https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.