Fortinet Vulnerabilities Exploited by SuperBlack Ransomware

Security researchers at Forescout have uncovered a new and dangerous ransomware threat targeting Fortinet devices worldwide. The ransomware, dubbed “SuperBlack,” is deployed through two critical authentication-bypass vulnerabilities in Fortinet firewalls: CVE-2024-55591 and CVE-2025-24472, both tracked under Fortinet advisory FG-IR-24-535. The flaws affect FortiOS versions 7.0.0 through 7.0.16 (fixed in 7.0.17); FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 are affected as well. Pretty scary stuff.

Russian threat actor group Mora_001 is behind the attacks. They’re not amateurs. They jumped on the vulnerabilities within days of a proof-of-concept exploit being published on January 27, 2025. Talk about efficiency! The first vulnerability, CVE-2024-55591, was disclosed as an actively exploited zero-day in January; the second, CVE-2025-24472, was added to Fortinet’s advisory in February.

What makes this particularly nasty? The flaws let an unauthenticated attacker reach the jsconsole (the web-based CLI console) through the Node.js websocket module and come out the other side with super_admin privileges. Game over. Mora_001 then creates local admin accounts with names like “forticloud-tech” and “fortigate-firewall.” They’re not exactly being subtle. Researchers have also observed initial logins under randomly generated usernames, typically five characters long, with spoofed source addresses in the login records. The practical lesson is more concrete than “zero trust”: a management interface reachable from the internet is one unauthenticated request away from full compromise, so restrict HTTP/HTTPS administrative access to trusted addresses with local-in policies or keep it off the WAN entirely, which is Fortinet’s own published workaround.

SuperBlack is based on the leaked LockBit 3.0 builder but has its own twist: a wiper component called WipeBlack that deletes the encryptor and other traces of the run once encryption is done. Clever, right? The ransom note even carries a TOX ID previously associated with LockBit. Connect the dots, people.

The group’s attack pattern is consistent. They exploit the websocket authentication bypass through the jsconsole interface, download the firewall configuration file (which carries credentials and VPN settings), and modify system settings, including adding VPN accounts so they keep a way back in after the device is patched. Then they go after the good stuff: file servers, database servers, domain controllers. Jackpot.
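What the two stages above leave behind on the firewall (a jsconsole login with a spoofed source address, then account additions made from that session), and how a defender might sweep event logs for them, as an added example that is not code from the article or from the researchers. The log lines are constructed to mirror the FortiOS key=value event-log format, the trusted admin network is assumed, and the cfgpath values are assumed to mirror the CLI paths `config system admin` and `config user local`:

```python
"""Triage FortiOS event logs for the Mora_001 / SuperBlack intrusion pattern.

Added example, not code from the article or from Forescout. It flags logins
arriving through the jsconsole interface (the path the authentication bypass
reaches) and account additions made from that interface. Sample log lines are
constructed; the admin network and all IP addresses are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Networks from which admin logins are expected (assumed for the example).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Account names the article reports Mora_001 creating.
KNOWN_ROGUE_ACCOUNTS = {"forticloud-tech", "fortigate-firewall"}

# cfgpath values whose "Add" creates a login (assumed to mirror the CLI paths
# "config system admin" and "config user local"; the latter is a VPN user).
ACCOUNT_PATHS = {"system.admin", "user.local"}

# Constructed sample lines, not real captures. The last line is a benign login.
SAMPLE_LOGS = [
    'date=2025-01-30 time=02:14:07 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-01-30 time=02:14:31 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgtid=1209 cfgpath="system.admin" cfgobj="forticloud-tech" cfgattr="" '
    'msg="Add system.admin forticloud-tech"',
    'date=2025-01-30 time=02:15:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgtid=1210 cfgpath="user.local" cfgobj="vpnsvc" cfgattr="" msg="Add user.local vpnsvc"',
    'date=2025-01-30 time=09:02:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.5.12)" method="https" '
    'srcip=10.0.5.12 dstip=10.0.5.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator netops logged in successfully from https(10.0.5.12)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict, stripping the quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


@dataclass
class Finding:
    reason: str   # jsconsole_login | rogue_account | account_added
    account: str  # the login user, or the account that was created
    srcip: str
    detail: str


def source_is_trusted(ip: str) -> bool:
    """True when the login source falls inside an expected admin network.
    A loopback or public srcip on a jsconsole login is the spoofed value the
    bypass leaves behind, so it fails this check."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(lines):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        ui = f.get("ui", "")
        via_jsconsole = ui.startswith("jsconsole")
        if f.get("logdesc") == "Admin login successful" and via_jsconsole:
            src = f.get("srcip", "")
            where = "trusted" if source_is_trusted(src) else "untrusted/spoofed"
            findings.append(Finding("jsconsole_login", f.get("user", "?"), src,
                                    f"{f.get('profile', '?')} login via jsconsole from {where} source"))
        elif (f.get("logdesc") == "Object attribute configured"
              and f.get("action") == "Add" and f.get("cfgpath") in ACCOUNT_PATHS):
            name = f.get("cfgobj", "?")
            reason = "rogue_account" if name in KNOWN_ROGUE_ACCOUNTS else "account_added"
            # The config-change record carries the source inside ui="jsconsole(1.2.3.4)".
            src = ui[ui.find("(") + 1:-1] if "(" in ui else f.get("srcip", "")
            findings.append(Finding(reason, name, src,
                                    f"{f['cfgpath']} added by {f.get('user', '?')} via {ui}"))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"[{hit.reason}] account={hit.account} srcip={hit.srcip}: {hit.detail}")
```

Any jsconsole login is worth a look in most environments, because few admins use the GUI console at all; a jsconsole login whose srcip is loopback or a public address is the strongest signal, since that field should reflect the admin's real workstation. An account addition that is not one of the named rogue accounts still gets reported, because the group also uses random names; reconcile every hit against your change records.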

Unlike ransomware gangs that encrypt everything in sight, Mora_001 is selective. They exfiltrate data first (double extortion, anyone?), then encrypt only high-value targets, leaving victims to either restore from backups or pay. They’re in and out within 48 hours when conditions are favorable.

The countries with the highest number of exposed devices? The US, India, and Brazil. If you’re running Fortinet gear, check your firmware version against the advisory and confirm the administrative interface is not reachable from the internet. The attacks have been ongoing since late January 2025, and honestly, they’re not slowing down.
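A version-triage helper for the check suggested above, as an added example that is not code from the article or from Fortinet. The affected and fixed versions are those published in FG-IR-24-535 as recalled here, so confirm them against the live advisory before acting on the output; the device inventory, hostnames and build numbers are constructed:

```python
"""Version triage for Fortinet advisory FG-IR-24-535 (CVE-2024-55591 and
CVE-2025-24472).

Added example, not code from the article or from Fortinet. The ranges are
those in FG-IR-24-535 as recalled here; verify against the live advisory.
The inventory, hostnames and build numbers below are made up.
"""
import re

# (product, first affected, last affected, first fixed release)
AFFECTED_RANGES = [
    ("FortiOS",    (7, 0, 0), (7, 0, 16), "7.0.17"),
    ("FortiProxy", (7, 0, 0), (7, 0, 19), "7.0.20"),
    ("FortiProxy", (7, 2, 0), (7, 2, 12), "7.2.13"),
]

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Pull major.minor.patch out of a version string, including the
    'get system status' form 'Version: FortiGate-100F v7.0.14,build0601,240207 (GA.F)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_by(product: str, version: tuple):
    """Return the first fixed release if (product, version) falls in an
    affected range, else None. Trains the advisory does not list (for example
    FortiOS 7.2 or 7.4) return None rather than being guessed at."""
    for prod, low, high, fix in AFFECTED_RANGES:
        if prod == product and low <= version <= high:
            return fix
    return None


def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, version_string).
    Returns [(hostname, current_version, fix)] for devices that need an upgrade."""
    needs_patch = []
    for host, product, version_string in inventory:
        version = parse_version(version_string)
        fix = affected_by(product, version)
        if fix:
            needs_patch.append((host, ".".join(map(str, version)), fix))
    return needs_patch


# Constructed inventory: hostnames, versions and build numbers are invented.
INVENTORY = [
    ("fw-edge-01", "FortiOS",    "Version: FortiGate-100F v7.0.14,build0601,240207 (GA.F)"),
    ("fw-edge-02", "FortiOS",    "Version: FortiGate-100F v7.0.17,build0682,250213 (GA.F)"),
    ("fw-core-01", "FortiOS",    "Version: FortiGate-600E v7.2.8,build1639,240124 (GA.M)"),
    ("px-dmz-01",  "FortiProxy", "v7.2.12"),
]

if __name__ == "__main__":
    for host, current, fix in triage_inventory(INVENTORY):
        print(f"{host}: {current} is affected, upgrade to {fix} or later")
```

Patching closes the entry point but not an intrusion that already happened: a device that was exposed while vulnerable should also be reviewed for unexpected admin accounts, VPN users and firewall-policy changes, and any credentials held in its configuration should be rotated.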
