New Ransomware Operator Exploits Fortinet Vulnerability Duo

Summary:
A new ransomware group, dubbed SuperBlack (also referred to as "Mora_001"), was recently discovered by researchers at Forescout. The group has been exploiting two authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) affecting FortiGate firewall appliances. Between January and early March of this year, SuperBlack carried out a series of intrusions, using these vulnerabilities to gain super admin privileges on vulnerable FortiOS devices with exposed management interfaces. Exploitation was carried out through two primary methods: WebSocket-based attacks via the jsconsole interface and direct HTTPS requests. After successful exploitation, SuperBlack was observed creating local system administrator accounts (forticloud-tech, fortigate-firewall and adnimistrator, a misspelling of administrator) and downloading the firewall configuration file, which contained sensitive information such as policies, routes, keys and VPN settings. Based on logs observed by Forescout, the actor changed system configurations and set up a scripted automation task to resynchronize the forticloud-sync user with a super_admin profile and a known password daily at a specified time. This automation ensures that even if the local account is removed, it is recreated automatically through the "system.automation-action" setting.

In the event that the firewall had VPN capabilities, SuperBlack would proceed to create local VPN accounts resembling legitimate ones, manually assigning them a password and adding them to the VPN user group. This would ensure future logins and enable SuperBlack to maintain persistent access even if the initial entry point was discovered. From here, SuperBlack was observed identifying potential paths for lateral movement by leveraging built-in FortiGate dashboards (Status Dashboard, Security Dashboard, Network Dashboard, Users & Devices dashboard, WiFi Dashboard) to gather environmental intelligence. Using firewall configurations, dashboard insights, and network access (via VPN or direct authentication), SuperBlack moved laterally within the network, targeting high-value assets such as file servers, authentication servers, domain controllers, and database servers. The actor primarily used the Windows Management Instrumentation command-line tool (WMIC) for remote system discovery and execution, and SSH to access additional systems, especially servers and network devices.

Security Officer Comments:
In the intrusions identified by Forescout, SuperBlack primarily targeted file servers, which became key assets for data exfiltration and ransomware deployment. Researchers noted that SuperBlack's encryptor closely resembles LockBit 3.0 and was built using LockBit's leaked builder. The ransom note left behind by SuperBlack contains a Tox chat ID linked to LockBit 3.0, suggesting that the operator is either a current or former affiliate using LockBit's leaked builder or an independent actor leveraging its infrastructure and tools. While the note follows LockBit 3.0's HTML template, it omits key branding elements, including the header and LockBit's data leak site.

Additionally, Forescout discovered that SuperBlack deployed a wiper binary called WipeBlack, which is designed to erase traces of the ransom executable after encryption. WipeBlack has previously been observed in incidents tied to LockBit, and its builder is also associated with the leaked LockBit builder, further reinforcing the connection to LockBit-linked ransomware operations.

Suggested Corrections:
Recommendations from Forescout:
  • Patch vulnerable systems: Apply FortiOS updates addressing CVE-2024-55591 and CVE-2025-24472 immediately.
  • Restrict management access: Disable external management access to firewalls whenever possible.
  • Audit administrator accounts: Regularly review all administrator accounts and remove any unauthorized or unexpected users.
  • Examine automation settings: Check for unauthorized automation tasks, particularly those set to run daily or during off-hours.
  • Review VPN users: Audit all VPN users and groups for slight variations of legitimate usernames or recently created accounts without clear business justification.
  • Enable comprehensive logging: A common gap in investigations is the lack of comprehensive logging. Ensure the following are enabled: CLI audit logs on FortiGate; HTTP/S traffic logs to and from the firewalls; Network Policy Server (NPS) auditing for authentication events; and authentication system auditing set to record both successes and failures (rather than failures only). Comprehensive logging improves detection, investigation and proactive threat hunting.
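The administrator-account, automation-task and VPN-user audits above can be scripted against a FortiGate configuration export. The following is an added example, not Forescout's or Fortinet's code: the config excerpt is constructed, the section and key names (system admin, accprofile, automation-action script, user local) follow FortiOS CLI conventions but are assumptions here, as are the approved-account lists and the 0.8 similarity threshold used to spot lookalike usernames.

```python
from difflib import SequenceMatcher
# Constructed FortiOS-style config excerpt (not a real export); layout and key names are assumptions.
SAMPLE_CONFIG = """\
config system admin
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
end
config system automation-action
    edit "resync"
        set script "config system admin / edit forticloud-sync / set accprofile super_admin / end"
    next
end
config user local
    edit "jsmlth"
    next
end
"""

def parse_sections(text):  # 'config X' -> {edit-name -> {set-key: value}}; flat sections only
    sections, section, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections

def audit(text, known_admins=("admin",), known_users=("jsmith",)):
    """Return (kind, name, detail) findings for the admin, automation and VPN-user checks."""
    cfg, findings = parse_sections(text), []
    for name, attrs in cfg.get("system admin", {}).items():
        if name not in known_admins:  # administrator account nobody approved
            findings.append(("unknown-admin", name, attrs.get("accprofile", "")))
    for name, attrs in cfg.get("system automation-action", {}).items():
        if "system admin" in attrs.get("script", ""):  # scripted task that (re)creates an admin
            findings.append(("admin-recreating-automation", name, attrs["script"]))
    for name in cfg.get("user local", {}):
        for known in known_users:  # near-miss of an approved VPN username
            if name != known and SequenceMatcher(None, name, known).ratio() >= 0.8:
                findings.append(("lookalike-vpn-user", name, known))
    return findings
```

Run audit() over a real export with the approved-account tuples filled in from your own change records; any nested config blocks inside an edit entry are not parsed by this flat reader.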
Link(s):
https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/