Hackers Exploit Fortinet Flaws in LockBit Ransomware Attack

Hackers linked to the infamous LockBit ransomware gang are exploiting two Fortinet firewall vulnerabilities to infiltrate company networks and deploy a custom ransomware strain known as “SuperBlack.”

In a report released last week, researchers from Forescout Research revealed that a group they are tracking as “Mora_001” is leveraging these vulnerabilities to breach Fortinet firewalls. Positioned at the network’s edge, these firewalls serve as digital gatekeepers, making them prime targets for attackers seeking entry into corporate systems.

Mora_001 has been actively exploiting the first vulnerability, labeled CVE-2024-55591, since December 2024. Forescout also discovered that the group is using a second flaw, CVE-2025-24472, in their attacks. Although Fortinet released patches for both vulnerabilities in January, several organizations have yet to implement them, leaving their systems exposed.

Sai Molige, Forescout’s senior manager of threat hunting, confirmed that the team has investigated three separate incidents involving different companies. However, he suspects that additional organizations may also have been compromised. In one confirmed case, Mora_001 selectively encrypted file servers holding sensitive data, but only after stealing the information.

“Mora_001 stole the data first, then deliberately executed the encryption, reflecting the growing trend among ransomware groups to prioritize data theft over immediate disruption,” Molige explained.

Forescout’s analysis revealed that Mora_001 operates with a distinct signature closely tied to the LockBit gang, which U.S. authorities disrupted last year. According to Molige, the SuperBlack ransomware leverages code from the leaked LockBit 3.0 builder. The group’s ransom note uses the same messaging address previously linked to LockBit operations.

“This overlap suggests Mora_001 could be an active LockBit affiliate with unique tactics or an allied group sharing communication resources,” Molige added.

Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, noted that Mora_001 specifically targets organizations that failed to patch or harden their firewalls.

He also pointed out that the ransom note used in these attacks closely resembles those from other ransomware groups, including the now-defunct ALPHV/BlackCat gang.

Forescout’s findings highlight the urgent need for organizations to apply security patches and review their firewall configurations to prevent similar ransomware attacks.
