Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on a number of company networks.
In a report published last week, security researchers at Forescout Research said a group it is tracking, dubbed “Mora_001,” is exploiting the Fortinet firewalls, which sit on the edge of a company’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three incidents in different companies, but we believe there could be others.”
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was disrupted last year by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
“This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an affiliate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed.”
Hostetler says the ransom note used in these attacks bears similarities to those of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.