Hackers are exploiting Fortinet firewall bugs to plant ransomware | TechCrunch


Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on a number of company networks.

In a report published last week, security researchers at Forescout Research said a group it is tracking, dubbed “Mora_001,” is exploiting the Fortinet firewalls, which sit at the edge of a company’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”

One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.

Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three incidents in different companies, but we believe there could be others.”

In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.

“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.

Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was disrupted last year by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.

“This connection may indicate that Mora_001 is either a current affiliate with unique operational methods or an affiliated group sharing communication channels,” Molige said.

Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed.”

Hostetler says the ransom note used in these attacks bears similarities to those of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.

Fortinet did not respond to TechCrunch’s questions.