Attacks exploiting a pair of Fortinet FortiGate firewall authentication bypass vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been launched since January by the newly emergent Mora_001 threat operation to spread the novel LockBit 3.0-based SuperBlack ransomware, reports SC Media.
Forescout researchers reported that after infiltrating vulnerable Fortinet firewalls and securing "super_admin" privileges, Mora_001 established privileged accounts and, on firewalls with VPN capabilities, created local user accounts whose names typosquatted legitimate users to maintain persistence. On firewalls without VPN capabilities, the group instead abused the authentication infrastructure to compromise further firewalls.
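As an added defensive illustration (not from the Forescout report or the SC Media article), the check below compares a firewall's current local/admin account list against an approved baseline and flags names that differ only by visually confusable characters or a single edit, which is the lookalike-account persistence pattern described above. The account names and the substitution table are constructed sample data.

```python
"""Flag local/admin accounts whose names look like a legitimate user's."""

# Constructed sample data (not from the report): the approved admin baseline and
# the account list exported from a firewall's current configuration.
BASELINE_ADMINS = {"admin", "fw-ops", "backup_admin"}
CURRENT_ADMINS = ["admin", "adrnin", "fw-ops", "fw_ops", "backup_admin",
                  "backup_admln", "admin1", "auditor"]

# Visually confusable substitutions; applied in order to both sides before comparing.
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "vv": "w", "l": "i", "-": "_"}


def normalize(name: str) -> str:
    """Fold confusable characters/sequences so lookalike names compare equal."""
    name = name.lower()
    for src, dst in HOMOGLYPHS.items():
        name = name.replace(src, dst)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_accounts(current, baseline, max_distance=1):
    """Return (suspect, legitimate_name, reason) for accounts not in the baseline
    that collapse onto a baseline name after folding or sit within max_distance."""
    folded_baseline = {normalize(b): b for b in baseline}
    suspects = []
    for acct in current:
        if acct in baseline:          # exact, approved account
            continue
        folded = normalize(acct)
        if folded in folded_baseline:
            suspects.append((acct, folded_baseline[folded], "homoglyph"))
            continue
        for folded_legit, legit in folded_baseline.items():
            if edit_distance(folded, folded_legit) <= max_distance:
                suspects.append((acct, legit, "edit-distance"))
                break
    return suspects


if __name__ == "__main__":
    for suspect, legit, reason in find_lookalike_accounts(CURRENT_ADMINS, BASELINE_ADMINS):
        print(f"REVIEW {suspect!r}: resembles approved account {legit!r} ({reason})")
```

Accounts that match no baseline entry (such as "auditor" in the sample) are not flagged by this check and still need the usual review of who created them and when.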
Intelligence gathered from numerous FortiGate dashboards, a VPN brute-forcing tool, and Windows Management Instrumentation have also been leveraged by Mora_001 to compromise authentication, file, and database servers, as well as domain controllers, with SuperBlack. The ransomware was later removed using a wiper tool.
Aside from SuperBlack being derived from LockBit 3.0, Mora_001's ransom note contained a TOX chat ID previously associated with LockBit, and its WipeBlack wiper has been tied to both LockBit and BrainCipher. Such links between the operations illustrate the increasingly intertwined nature of the ransomware landscape, according to the Forescout researchers.