Threat Report: New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting vulnerabilities in Fortinet firewalls to gain unauthorized access and deploy a modified version of LockBit ransomware. This threat actor is leveraging known vulnerabilities CVE-2024-55591 and CVE-2025-24472 to infiltrate networks, create persistent admin accounts, exfiltrate firewall configurations, and use VPN access for lateral movement.

The campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape. The threat actor selectively targets file servers for encryption after data theft, employing a custom VPN brute-forcing tool and leaving ransom notes that link to LockBit’s Tox chat ID. This sophisticated approach underscores the need for enhanced security measures and vigilant monitoring.

The ransomware deployed by Mora_001 is named SuperBlack. It uses LockBit’s infrastructure but removes any branding, making it difficult to trace back to the original ransomware family. This tactic allows the threat actor to operate under the radar while still benefiting from the robust capabilities of LockBit.

The exploitation of Fortinet vulnerabilities is particularly concerning because these firewalls are often used as the first line of defense in many organizations’ security perimeters. By compromising these devices, the threat actor can gain a foothold within the network and move laterally to other critical systems. The use of persistent admin accounts ensures that even if initial access is detected and mitigated, the attacker retains control over the compromised environment.

The exfiltration of firewall configurations provides valuable information about the network architecture, allowing the threat actor to map out potential targets and identify high-value assets for encryption. This detailed reconnaissance phase enables a more precise and effective ransomware deployment, maximizing the impact on the victim organization.

Lateral movement via VPN access is another critical aspect of this campaign. By using legitimate VPN connections, the threat actor can move undetected through the network, making it challenging to identify malicious activity. This method also allows for the exfiltration of data without raising alarms, as VPN traffic is often trusted and not closely scrutinized.

Selective targeting of file servers for encryption after data theft is a strategic move by Mora_001. By encrypting critical data storage locations, the threat actor ensures that the victim organization faces significant disruption to its operations. The data exfiltration component adds an additional layer of pressure, as the threat of public exposure of sensitive information compels victims to pay the ransom.

The custom VPN brute-forcing tool used by Mora_001 is a testament to the advanced capabilities of this threat actor. Brute-forcing VPN credentials allows for unauthorized access without relying on vulnerabilities in the firewall itself. This multi-faceted approach increases the likelihood of successful infiltration and makes defense more complex.

Ransom notes linking to LockBit’s Tox chat ID are another distinctive feature of this campaign. By directing victims to a specific communication channel, the threat actor can maintain control over the negotiation process and ensure that ransom payments are made promptly. This method also helps in tracking victim responses and adjusting tactics accordingly.

The evolving nature of ransomware threats requires organizations to stay vigilant and proactive in their security measures. Regularly updating firewall firmware, implementing multi-factor authentication (MFA), and conducting thorough vulnerability assessments can help mitigate the risk posed by such threats. Additionally, monitoring network traffic for unusual patterns and employing advanced threat detection tools can provide early warnings of potential attacks.

Organizations should also consider investing in cybersecurity training for employees to recognize phishing attempts and other social engineering tactics that could lead to unauthorized access. Regular backups of critical data, stored offline or in a secure cloud environment, can ensure business continuity even if ransomware encryption occurs.

In conclusion, the emergence of Mora_001 and its exploitation of Fortinet vulnerabilities underscore the need for robust cybersecurity measures. By understanding the tactics, techniques, and procedures (TTPs) employed by this threat actor, organizations can better prepare and defend against similar attacks. Regular updates, vigilant monitoring, and a proactive approach to security are essential in navigating the ever-evolving landscape of cyber threats.

For further information on this report, please refer to the external references provided below:

• https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
• https://otx.alienvault.com/pulse/67d480f60fd90362549708b6

Please check the following page for additional information: https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/