Between late January and early March 2025, cybersecurity researchers at Forescout’s Vedere Labs uncovered a series of sophisticated intrusions leveraging critical vulnerabilities discovered within Fortinet systems. Attributed to a newly identified threat actor tracked as “Mora_001,” the attacks culminated in the deployment of a custom ransomware strain dubbed “SuperBlack.” The incidents indicate a systematic approach to infiltrating networks by exploiting known vulnerabilities in FortiOS, showcasing the evolving tactics used by cybercriminals to compromise critical infrastructure.
1. Vulnerabilities in Fortinet Exploited
Mora_001 has demonstrated a structured approach to compromising networks, initiating attacks by exploiting two critical Fortinet vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These security flaws affect FortiOS versions prior to 7.0.16 and allow unauthenticated attackers to gain super_admin privileges on devices with exposed management interfaces. The first method of attack utilized the jsconsole interface, exploiting the WebSocket vulnerability with spoofed IP addresses such as 127.0.0.1 or 8.8.8.8. The second method employed direct HTTPS requests targeting the same underlying vulnerability.
Researchers observed that Mora_001 began exploiting these vulnerabilities just 96 hours after the public release of a proof-of-concept exploit on January 27, 2025. The attackers’ ability to rapidly weaponize disclosed vulnerabilities highlights the urgency of applying security patches. The proficiency of the threat actor in exploiting these specific vulnerabilities underscores the importance of maintaining up-to-date security measures, particularly for perimeter security appliances, which often face significant exposure to external threats.
2. Persistence Techniques Deployed
After obtaining initial access, Mora_001 established persistence in the compromised networks through several advanced techniques. The attackers consistently created local system administrator accounts with names designed to blend in with legitimate services, such as “forticloud-tech,” “fortigate-firewall,” and “adnimistrator” (a deliberate misspelling of “administrator”). These accounts served as backdoors, ensuring that the attackers retained control over the compromised systems.
A particularly insidious technique involved setting up automated tasks to ensure persistence, even after remediation attempts. For instance, the attackers configured daily scripted automation tasks that would automatically recreate administrator accounts if they were removed. One such script included commands to recreate a “forticloud-sync” user with super_admin privileges and a predetermined password. These persistence mechanisms underscore the need for frequent audits and the elimination of unauthorized users to prevent prolonged unauthorized access.
3. Attack Chain and Methods
Mora_001’s attack strategy included configuring High Availability (HA) synchronization to propagate the compromised configuration across multiple firewalls within the same cluster, effectively spreading their backdoor accounts across all devices. After ensuring persistence, Mora_001 conducted extensive reconnaissance using FortiGate dashboards to gather environmental intelligence, accessing the Status, Security, Network, and Users & Devices dashboards to identify potential paths for lateral movement.
In environments utilizing VPN capabilities, the threat actor created additional VPN user accounts resembling legitimate accounts but with subtle modifications, such as adding a digit at the end (e.g., “xxx1”). These newly created accounts were then added to VPN user groups, enabling future network access while evading casual administrative review. This strategic approach underscores the importance of regular reviews of VPN users and groups to detect and eliminate unauthorized or suspicious accounts.
4. Network Traversal Tactics
For lateral movement, Mora_001 leveraged multiple techniques, including using stolen VPN credentials to access internal networks and exploiting High Availability (HA) propagation to compromise additional firewalls. The attackers also abused authentication infrastructure, including TACACS+ or RADIUS, especially when synchronized with Active Directory. Utilizing Windows Management Instrumentation (WMIC) for remote system discovery and execution, as well as SSH to access additional servers and network devices, further facilitated their movement within compromised networks.
The attackers prioritized high-value targets such as file servers, authentication servers, domain controllers, and database servers. Rather than encrypting entire networks indiscriminately, Mora_001 selectively targeted systems containing sensitive data, focusing first on data exfiltration before initiating encryption. This targeted approach demonstrates the nuanced strategies employed by modern ransomware operators, emphasizing the need for comprehensive security measures and detailed monitoring of high-value assets.
5. SuperBlack Ransomware Characteristics
The ransomware deployed by Mora_001, designated “SuperBlack” by researchers, closely resembles LockBit 3.0 (also known as LockBit Black) but features specific modifications. The primary differences lie in the ransom note structure and the inclusion of a custom data exfiltration executable. Despite the cosmetic changes, the ransomware maintains strong connections to the LockBit ecosystem, with similar operational characteristics and infrastructures.
The ransom note includes a Tox chat ID previously linked to LockBit 3.0 operations and retains LockBit’s HTML template structure while removing explicit branding elements. Researchers identified additional samples on VirusTotal with similar ransom notes, tying SuperBlack to import hashes previously associated with BlackMatter, LockBit, and BlackMatte ransomware. This evidence suggests that Mora_001 is either a current or former LockBit affiliate leveraging their leaked builder or an independent actor repurposing LockBit’s infrastructure and tools.
6. Infrastructure and Operating Patterns
The primary SuperBlack executable handles encryption and downloads additional components, including a wiper module designated “WipeBlack.” This component has been observed in previous incidents tied to LockBit and BrainCipher, which have connections to other ransomware families. The wiper employs sophisticated anti-forensic techniques, including dynamic resolution of Windows APIs and the use of named pipes for command execution, complicating static analysis and forensics.
After encryption, the ransomware executable is overwritten with random data, effectively erasing evidence of the initial infection. Mora_001’s operations have been linked to specific infrastructure, including IP address 185.147.124.34, which performed brute force attempts against multiple edge devices. This IP hosts a tool identified as “VPN Brute v1.0.2,” a Russian-language utility designed to brute force credentials for various VPN services and edge devices, targeting a wide range of platforms, including Remote Desktop Web Access, PulseSecure, Outlook Web Access, and more.
7. Mitigations Against the Threat
To protect against Mora_001 and similar threats, organizations should implement the following measures to enhance their security posture:
- Apply patches to systems immediately by installing FortiOS updates covering CVE-2024-55591 and CVE-2025-24472. This is crucial to close the critical security gaps exploited by Mora_001.
- Limit administrative access by turning off external management interfaces whenever feasible. Restricting these interfaces can significantly reduce the surface area vulnerable to exploitation.
- Perform routine checks of admin accounts to find and eliminate unauthorized users. Regular audits can help detect suspicious accounts created by attackers to maintain persistence.
- Inspect automation settings for unusual tasks, particularly those scheduled to run daily or during non-business hours. Automated tasks should be scrutinized to identify and mitigate any malicious activities.
- Check VPN users and groups for slight modifications of legitimate usernames or newly created accounts. Regularly reviewing VPN configurations is essential to detect and remove unauthorized access points.
- Activate detailed logging, including CLI audit logs, HTTP/S traffic logs, Network Policy Server auditing, and authentication system auditing. Comprehensive logging provides the necessary visibility to detect and respond to unauthorized activities effectively.
Steps Forward
Between late January and early March 2025, cybersecurity researchers at Forescout’s Vedere Labs discovered a series of sophisticated cyber attacks that exploited critical vulnerabilities in Fortinet systems. The newly identified threat actor, named “Mora_001,” was responsible for these intrusions. This threat actor used advanced techniques to exploit known vulnerabilities within FortiOS, ultimately deploying a custom ransomware called “SuperBlack.”
The incidents revealed a systematic strategy to breach networks and compromise critical infrastructure. These sophisticated attacks by “Mora_001” highlight the ongoing evolution of cybercriminal tactics in targeting and exploiting weaknesses in security systems. They underscore the importance of timely updates and comprehensive cybersecurity measures in protecting networks from such advanced threats.
The findings by Forescout’s Vedere Labs emphasize the need for organizations to stay vigilant and proactive in identifying and addressing threats promptly, ensuring that their systems are resilient against the ever-changing landscape of cyber threats.
