New Cybersecurity Warning: Ransomware Actors Tied to LockBit
Mora_001, a ransomware group linked to LockBit, has been actively exploiting major vulnerabilities in Fortinet’s FortiOS and FortiProxy products. These security flaws have allowed the attackers to gain unauthorized access to systems, leading to the deployment of a new ransomware strain called SuperBlack. Organizations with exposed FortiGate firewalls have been targeted by these attacks since late January 2025. In response, Fortinet has released patches and is urging users to update their systems immediately.
Technical Details
Vulnerabilities Involved
(1) CVE-2024-55591.
Fortinet has identified a critical authentication bypass vulnerability in its FortiOS (versions 7.0.0-7.0.16) and FortiProxy (versions 7.0.0-7.0.19 and 7.2.0-7.2.12) products. This flaw allows a remote attacker to achieve super-admin access by exploiting a weakness in the Node.js WebSocket module. The vulnerability can lead to unauthorized code or command execution.
(2) CVE-2025-24472.
A related high-severity authentication bypass vulnerability, affecting the same product versions, was identified through victim reports during Forescout’s investigations. This issue is fixed by the same patch that addresses CVE-2024-55591.
Attack Methodology
- Attackers exploited the mentioned vulnerabilities to get unauthorized access with super-admin privileges.
- Attackers created new privileged accounts, using names like forticloud-tech, fortigate-firewall, and administrator.
- For firewalls with VPN capabilities, the attackers created local user accounts that mimicked legitimate users. This was done to maintain persistent access to the compromised systems.
- In their attacks, the threat actors used the high availability (HA) configuration of the firewalls to their advantage. By compromising one device, they could automatically spread their access to other firewalls within the same cluster. This tactic allowed them to compromise additional devices without needing to attack them individually.
- The group’s final step was to deploy the SuperBlack ransomware. This variant, based on the LockBit 3.0 builder, is designed for double extortion by first stealing data and then encrypting files. It also includes a custom wiper tool to erase traces of the ransomware executable, making it harder to investigate.
Recommendations
All Fortinet administrators/users are urged to update their products as mentioned below:
a. Upgrade FortiOS to version 7.0.17 or later.
b. Upgrade FortiProxy to version 7.2.13 or later, or to 7.0.20.
c. Remove the firewall’s web-based management interface from public internet exposure.
d. Regularly review administrative accounts for unauthorized additions or changes.
e. Monitor for unexpected configuration changes and unauthorized login attempts.
f. Be vigilant for indicators of compromise, such as unusual automation tasks or unexpected VPN connections.
g. Implement strict network segmentation to limit lateral movement opportunities for attackers.
h. Enforce multi-factor authentication (MFA) for all administrative access.
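Recommendations d, e and f above can be checked against the firewall’s own configuration-change events. The following script is an added example, not part of this advisory or any Fortinet tooling: it assumes the FortiGate key="value" event-log convention with action, cfgpath and cfgobj fields, and the log lines it runs on are constructed samples, not real captures. It flags new admin accounts (especially the names reported in this campaign), new local users that could be used for VPN persistence, and changes to automation objects.

```python
import re
from typing import Dict, List

# Admin account names the advisory reports the group creating on compromised firewalls
SUSPICIOUS_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall", "administrator"}

# Constructed sample lines in FortiGate-style key="value" event-log format (not real logs)
SAMPLE_LOGS = [
    'date=2025-02-01 time=03:12:44 type="event" subtype="system" user="admin" ui="GUI(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"',
    'date=2025-02-01 time=03:14:02 type="event" subtype="system" user="admin" ui="GUI(198.51.100.7)" action="Add" cfgpath="user.local" cfgobj="jsmith2" msg="Add user.local jsmith2"',
    'date=2025-02-01 time=03:15:30 type="event" subtype="system" user="admin" ui="GUI(198.51.100.7)" action="Add" cfgpath="system.automation-action" cfgobj="sync-cfg" msg="Add system.automation-action sync-cfg"',
    'date=2025-02-01 time=09:00:00 type="event" subtype="system" user="netops" ui="GUI(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
]

# key=value or key="quoted value"; group 3 is the quoted form, group 4 the bare form
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one key=value / key="value" log line into a dict (assumed field layout)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def flag_event(rec: Dict[str, str]) -> List[str]:
    """Return the advisory-derived reasons a config-change record is suspicious."""
    reasons: List[str] = []
    path, obj, action = rec.get("cfgpath", ""), rec.get("cfgobj", ""), rec.get("action", "")
    if action == "Add" and path == "system.admin":
        reasons.append("new admin account created")
        if obj.lower() in SUSPICIOUS_ADMIN_NAMES:
            reasons.append(f"admin name '{obj}' matches names used in the SuperBlack campaign")
    if action == "Add" and path == "user.local":
        reasons.append("new local (VPN-capable) user created")
    if path.startswith("system.automation"):
        reasons.append("automation object changed")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the checks and keep only the ones that fired."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_fortigate_line(line)
        reasons = flag_event(rec)
        if reasons:
            findings.append({"time": f'{rec.get("date")} {rec.get("time")}', "by": rec.get("user"),
                             "from": rec.get("ui"), "object": rec.get("cfgobj"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Feed it exported event logs (one record per line) and review each hit against your change-management records; the routine edit by "netops" in the samples produces no finding.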
Conclusion
The recent activities of Mora_001 highlight the growing sophistication of ransomware actors tied to LockBit, particularly their ability to exploit critical vulnerabilities in widely used security products. The deployment of SuperBlack ransomware demonstrates the severe risks organizations face when systems remain unpatched or exposed. Timely updates, strict access controls, and proactive monitoring are essential to defend against these evolving threats. Organizations should treat this advisory with urgency, as the combination of double extortion and stealthy persistence techniques makes this campaign especially dangerous. Staying vigilant and applying Fortinet’s recommended patches is the most effective defense against these attacks.