fortinet vulnerabilities exploited ransomware

Security researchers have uncovered a new and dangerous ransomware threat targeting Fortinet devices worldwide. The ransomware, dubbed “SuperBlack,” exploits two critical vulnerabilities in Fortinet firewalls: CVE-2024-55591 and CVE-2025-24472. These flaws affect FortiOS and FortiProxy versions 7.0.0 through 7.0.16. Pretty scary stuff.

Russian threat actor group Mora_001 is behind the attacks. They’re not amateurs. These guys quickly jumped on the vulnerabilities after a proof-of-concept exploit dropped on January 27, 2025. Talk about efficiency! The first vulnerability was announced as a zero-day in January, with the second added to Fortinet’s advisory by February.

What makes this particularly nasty? The flaws allow unauthenticated attackers to gain super_admin privileges. Game over. Mora_001 creates local admin accounts with names like “forticloud-tech” and “fortigate-firewall.” They’re not exactly being subtle. Researchers have observed that initial login attempts are made with randomly generated usernames typically consisting of five characters. This is a classic example of zero trust architecture being necessary to prevent unauthorized access attempts, regardless of where they originate.

SuperBlack is based on the leaked LockBit 3.0 builder but has its own twist. They’ve added a wiper component called WipeBlack that erases evidence. Clever, right? They even use a TOX ID associated with LockBit. Connect the dots, people.

The group’s attack pattern is consistent. They exploit the WebSocket vulnerability via jsconsole interface, download firewall configuration files, and modify system settings. Then they go after the good stuff – file servers, database servers, domain controllers. Jackpot.

Unlike other ransomware gangs that encrypt everything in sight, Mora_001 is selective. They exfiltrate data first (double extortion, anyone?), then encrypt only high-value targets. The encryption of data forces victims to either restore from backups or pay the ransom demanded by the attackers. They’re in and out within 48 hours if conditions are favorable.

The countries with the highest number of exposed devices? US, India, and Brazil. If you’re running Fortinet gear, you might want to check if you’re vulnerable. The attacks have been ongoing since late January 2025, and honestly, they’re not slowing down.

You May Also Like

Fortinet’s Critical Flaws Now Fueling Nightmarish SuperBlack Ransomware Attacks

FortiOS vulnerabilities spawn nightmarish SuperBlack ransomware that seizes admin control in just 48 hours. Your security measures might already be compromised. Attackers are erasing their tracks.

Ebyte Ransomware: Elevating Encryption Threats Against Vulnerable Windows Users

This open-source ransomware weaponizes ChaCha20 encryption against vulnerable Windows users while masquerading as “educational.” Learn how the Ebyte threat forces victims to pay cryptocurrency or lose everything forever.

Revolutionary Akira Ransomware Decryptor Harnesses GPU Power to Defeat Complex Encryptions

Revolutionary Akira ransomware decryptor smashes crypto barriers using 16 RTX 4090 GPUs. Brute-forcing 1,500 rounds of SHA-256 hashing in just 10 hours, this $1,200 creation exploits timestamp vulnerabilities while cybercriminals scramble to respond.

Elite Bronx Private School Faces Major Crisis After Ransomware Breach Exposes Student Data

Elite Bronx school’s 42GB student data nightmare: RansomHub exposed medical records and contact info of $57,000-a-year students on the dark web. Most schools are dangerously unprepared.