A Russian threat actor has been exploiting two Fortinet firewall vulnerabilities in attacks leading to ransomware deployments, cybersecurity firm Forescout warns.
The hacking group, tracked as Mora_001, apparently adopted a leaked LockBit builder to create its own file-encrypting ransomware variant that Forescout has dubbed SuperBlack.
Mora_001, the cybersecurity firm says, has ties to established ransomware gangs, based on its post-exploitation patterns, the use of the leaked builder, and the use of the same ID as LockBit for the peer-to-peer communication service Tox.
“The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates. This consistent operational framework suggests a distinct threat actor with a structured playbook,” Forescout notes.
The threat actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472, two vulnerabilities in FortiOS and FortiProxy that allow attackers to elevate their privileges to super-admin on a vulnerable Fortinet appliance.
Fortinet announced patches for CVE-2024-55591 in January, warning of its in-the-wild exploitation as a zero-day. On February 11, the company updated its advisory to add CVE-2025-24472, which covers an additional attack vector.
Within four days after a proof-of-concept (PoC) exploit targeting vulnerable FortiOS devices was published on January 27, Forescout observed Mora_001 employing it in attacks to create at least one local system admin user account.
“In some cases, instead of relying on a single administrative account for all actions, the threat actor employed a chaining method, where each newly created administrative account was used to generate additional accounts,” Forescout explains.
Following the local administrator account creation, the attackers downloaded the firewall configuration file, which contains critical information, modified system settings, and created a scripted automation task to recreate the super admin user if it was deleted.
The threat actor was also seen creating local VPN user accounts, attempting to log in to other firewalls, and abusing the built-in FortiGate dashboards for reconnaissance, likely looking for lateral movement paths.
Mora_001 focused on compromising high-value targets within the victims’ environments, such as servers and domain controllers, using WMIC for remote system discovery and SSH for access. The file-encrypting ransomware was executed only after data exfiltration was completed.
“In one confirmed case, the attacker focused on identifying and compromising file servers, which became primary targets for data exfiltration and ransomware deployment. Instead of encrypting the entire network, the attacker selectively encrypted file servers containing sensitive data,” Forescout explains.
Compared to LockBit 3.0, SuperBlack drops a modified ransom note and uses a different data exfiltration executable, but drops a wiper component previously associated with LockBit and BrainCipher. Dubbed WipeBlack, it removes evidence of the ransomware executable after encryption.
Related: Medusa Ransomware Made 300 Critical Infrastructure Victims
Related: Exploited VMware ESXi Flaws Put Many at Risk of Ransomware, Other Attacks
Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks
Related: New Anubis Ransomware Could Pose Major Threat to Organizations
