fortinet vulnerabilities exploited ransomware

Security researchers have uncovered a new and dangerous ransomware threat targeting Fortinet devices worldwide. The ransomware, dubbed “SuperBlack,” exploits two critical vulnerabilities in Fortinet firewalls: CVE-2024-55591 and CVE-2025-24472. These flaws affect FortiOS and FortiProxy versions 7.0.0 through 7.0.16. Pretty scary stuff.

Russian threat actor group Mora_001 is behind the attacks. They’re not amateurs. These guys quickly jumped on the vulnerabilities after a proof-of-concept exploit dropped on January 27, 2025. Talk about efficiency! The first vulnerability was announced as a zero-day in January, with the second added to Fortinet’s advisory by February.

What makes this particularly nasty? The flaws allow unauthenticated attackers to gain super_admin privileges. Game over. Mora_001 creates local admin accounts with names like “forticloud-tech” and “fortigate-firewall.” They’re not exactly being subtle. Researchers have observed that initial login attempts are made with randomly generated usernames typically consisting of five characters. This is a classic example of zero trust architecture being necessary to prevent unauthorized access attempts, regardless of where they originate.

SuperBlack is based on the leaked LockBit 3.0 builder but has its own twist. They’ve added a wiper component called WipeBlack that erases evidence. Clever, right? They even use a TOX ID associated with LockBit. Connect the dots, people.

The group’s attack pattern is consistent. They exploit the WebSocket vulnerability via jsconsole interface, download firewall configuration files, and modify system settings. Then they go after the good stuff – file servers, database servers, domain controllers. Jackpot.

Unlike other ransomware gangs that encrypt everything in sight, Mora_001 is selective. They exfiltrate data first (double extortion, anyone?), then encrypt only high-value targets. The encryption of data forces victims to either restore from backups or pay the ransom demanded by the attackers. They’re in and out within 48 hours if conditions are favorable.

The countries with the highest number of exposed devices? US, India, and Brazil. If you’re running Fortinet gear, you might want to check if you’re vulnerable. The attacks have been ongoing since late January 2025, and honestly, they’re not slowing down.

Leave a Reply
You May Also Like

Healthcare Services Crippled as Ransomware Strikes FSM: What You Need to Know

Federated States of Micronesia’s hospitals paralyzed by devastating ransomware attack. Patient appointments canceled while hackers demand millions. Your medical records may already be on the dark web. Lives hang in the balance.

Ebyte Ransomware: Elevating Encryption Threats Against Vulnerable Windows Users

This open-source ransomware weaponizes ChaCha20 encryption against vulnerable Windows users while masquerading as “educational.” Learn how the Ebyte threat forces victims to pay cryptocurrency or lose everything forever.

Tata Technologies Faces Data Crisis After Ransomware Attack – Will They Survive the Aftermath?

Tata Technologies battles devastating 1.4TB data breach as Hunters International threatens to expose 730,000 files. Could this be the final blow for India’s tech giant? Cybersecurity failures have consequences.

Fortinet’s Flawed Security: Ransomware Surge From Two Exploited Vulnerabilities

Fortinet’s fatal security flaws trigger ransomware epidemic across 150,000 vulnerable systems. Security products became secret backdoors for attackers. Your organization might be next.