While security experts were busy monitoring known threats, a new ransomware operation called SuperBlack quietly emerged, exploiting critical vulnerabilities in Fortinet devices worldwide. The attacks, attributed to an operator known as Mora_001, target two serious authentication bypass flaws: CVE-2024-55591 and CVE-2025-24472. Yeah, those are a mouthful, but they’re basically skeleton keys to your network.
These vulnerabilities affect FortiOS and FortiProxy devices, with over 48,000 internet-facing systems currently at risk. Attackers aren’t wasting time. They’re gaining super_admin privileges through these flaws, creating backdoor admin accounts, and modifying automation tasks for persistence. Pretty slick move.
Attackers are exploiting Fortinet flaws to gain admin privileges, create backdoors, and set up persistent access. Slick and systematic.
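The backdoor admin accounts and modified automation tasks mentioned above leave a trail in the firewall’s own configuration-change logs. The detector below is an added example, not code from the article or from Forescout or Fortinet; the key="value" log layout and the field names (cfgpath, cfgobj, cfgattr, action, ui) are assumptions modelled on FortiOS event logging, and the sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed FortiOS-style config-change events (assumed layout, not campaign telemetry).
SAMPLE_LOGS = [
    'date=2025-01-20 time=10:02:11 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"',
    'date=2025-01-20 time=10:03:40 type="event" subtype="system" user="svc_backup" '
    'ui="https(203.0.113.5)" action="Edit" cfgpath="system.automation-action" '
    'cfgobj="cfg_sync" cfgattr="script[redacted]" msg="Edit system.automation-action cfg_sync"',
    'date=2025-01-20 time=10:05:02 type="event" subtype="system" user="admin" '
    'ui="ssh(10.0.0.7)" action="Edit" cfgpath="firewall.address" cfgobj="lan_hosts" '
    'cfgattr="subnet[10.0.0.0/24]" msg="Edit firewall.address lan_hosts"',
]

KV = re.compile(r'(\w+)="([^"]*)"')          # quoted key="value" pairs
BARE = re.compile(r'\b(date|time)=(\S+)')     # date/time are unquoted in this layout

# Config paths an attacker would touch to persist via automation (assumed names).
PERSISTENCE_PATHS = {
    "system.automation-stitch", "system.automation-action", "system.automation-trigger",
}

def parse_line(line: str) -> Dict[str, str]:
    """Turn one event line into a dict of its fields."""
    fields = dict(KV.findall(line))
    fields.update({k: v for k, v in BARE.findall(line)})
    return fields

def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return admin-account and automation changes worth an analyst's attention."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        path, reason = ev.get("cfgpath", ""), None
        if path == "system.admin" and ev.get("action") in {"Add", "Edit"}:
            reason = "admin account change"
            if "super_admin" in ev.get("cfgattr", ""):
                reason = "admin account with super_admin profile"
        elif path in PERSISTENCE_PATHS:
            reason = "automation (stitch/action/trigger) change"
        if reason:
            hits.append({"time": f"{ev.get('date')} {ev.get('time')}",
                         "user": ev.get("user", "?"), "source": ev.get("ui", "?"),
                         "object": ev.get("cfgobj", "?"), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOGS):
        print(hit)
```

Baseline the output against your change-control records: an admin created outside a ticket, or an automation action edited by an account that did not exist yesterday, is the pattern the article describes.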
What makes SuperBlack particularly nasty? It’s built on LockBit’s foundation. The ransomware uses code from the leaked LockBit 3.0 builder, even incorporating a TOX chat ID tied to previous LockBit operations. Not exactly subtle about their inspiration.
The attack pattern is distressingly efficient. First, they map the network and perform lateral movement using stolen credentials. Then comes the double whammy – data theft followed by encryption. Domain controllers, file servers, databases – nothing’s off limits. Post-compromise analysis reveals the threat actors utilize WMIC for discovery and SSH to access additional systems within the compromised environments.
And when they’re done? A custom tool called WipeBlack erases evidence of the ransomware executable. How thoughtful of them.
Forescout researchers discovered these attacks in late January 2025, though exploitation actually began in November 2024. The timeline is alarming. Organizations had precious little warning before attackers started compromising systems at breakneck speed – sometimes within just 48 hours of initial access. Technical intelligence has been crucial in identifying these indicators of compromise before widespread damage occurs.
Fortinet eventually acknowledged both vulnerabilities, recommending upgrades to patched versions immediately. This situation bears striking resemblance to the critical CVE-2024-21762 flaw previously disclosed in FortiOS with a 9.6 CVSS score. But for many victims, it’s already too late. The campaign spans 70+ countries, hitting SMBs and critical infrastructure particularly hard.
The ransomware ecosystem never sleeps. It just rebrands and comes back stronger.