New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
Researchers are tracking a newly discovered ransomware group with suspected links to LockBit after a series of intrusions were reported starting in January.
Forescout said the group it’s tracking as Mora_001 exploited two Fortinet vulnerabilities to gain an initial foothold in victim environments before securing persistence and ultimately deploying a new ransomware researchers dubbed SuperBlack.
Both CVE-2024-55591 and CVE-2025-24472 are authentication bypass vulnerabilities disclosed by Fortinet in January. The former was disclosed first as a zero-day, since exploit activity went back to December 2024, and the latter was added to the advisory after the fact.
At the time of CVE-2024-55591’s disclosure on January 14, researchers already said criminals were running a “mass exploitation campaign” against the vendor’s firewalls.
A proof-of-concept (PoC) exploit made its way online on January 27 and within 96 hours, Forescout said, FortiOS was being actively exploited using that PoC as a guide.
After gaining an initial foothold, attackers then escalated their privileges to super-admin and created additional admin accounts to secure persistent access. The attackers named these accounts similarly to existing legitimate ones, just with a single digit appended, and added them to a VPN group, which researchers assume was intended to help the accounts blend in and go unnoticed during casual admin reviews.
In cases where victims had no VPN capabilities, attackers would try to gain access to adjacent firewalls using the credentials created on the pwned Fortinet box.
They did this using one of two methods. In the first, which applied to firewalls deployed in high availability (HA) mode, attackers exploited the HA functionality to copy the compromised configuration to other firewalls within the same cluster, said Forescout’s senior manager of threat hunting, Sai Molige.
“By triggering the HA sync process, they ensured that their backdoor accounts and automation scripts were replicated across the devices,” wrote Molige.
The other way of gaining persistence was used when target firewalls were using either the TACACS+ or RADIUS protocols. Attackers would VPN into the network and try to authenticate themselves through the Network Policy Server (NPS).
“This method could succeed if any of the locally created users were also synchronized with Active Directory (AD) or via a Radius Community secret,” said Molige.
Once their access was secured, the attackers accessed various FortiGate dashboards for clues regarding lateral movement possibilities, mainly using SSH to access high-value systems such as file servers, domain controllers, and other network infrastructure.
From there, it was a typical double extortion ransomware scenario. Steal data, encrypt the most sensitive stuff, and extort the victim for a payout.
The LockBit link
The ransomware payload used in the cases examined by Forescout was based on LockBit 3.0 or LockBit Black, whichever term of address you prefer.
It’s hardly the breakthrough finding that says with absolute certainty that the group had ties to the infamous former behemoth of the ransomware industry, since many modified ransomware payloads have been built off the back of it.
LockBit Black was leaked in September 2022 and given LockBit’s dominance in the ransomware scene, many budding bad guys hopped on the leaks and used the major player’s proprietary tool as their own, making modifications here and there.
Mora_001 was no different. It made small tweaks to the ransom note, removed the LockBit branding from everything, and used a custom data exfiltration module. Forescout calls this variant SuperBlack.
Aside from the same underlying code, Molige said there were other signs of a link between Mora_001 and LockBit, such as its post-exploitation patterns and the fact that the ransom note retained a qTox ID known to be used by LockBit.
qTox, or Tox, is an encrypted messenger favored by many ransomware groups. A Tox ID is the specific string of digits used to identify and start chatting with a specific user. The presence of a LockBit Tox ID, which was likely used as the main line for negotiating a ransom demand, is a strong indicator that the attackers were at least in some small part tied to LockBit.
“This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels,” said Molige.
Further analysis of the Tox ID led the Forescout team to other malware samples on VirusTotal, which also came loaded with other features such as a data wiper associated with previous BlackMatter and BrainCipher attacks.
According to ShadowServer data as of Wednesday, India (4,631) and the US (3,863) had the most internet-exposed firewalls without having applied the patch for CVE-2024-55591. When it comes to mitigating attacks, Forescout recommends users not be a part of the few who still haven’t patched.
At least the numbers have improved since January. We reported a week after disclosure that nearly 50,000 Fortinet users hadn’t patched the mass-exploited bug – 20,687 in Asia and 12,866 in North America.
The researchers said it’s also a good idea to audit admin accounts for any rogue entries. The same applies to VPN users. Disabling external management access to firewalls is another good call. ®
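One way a defender could act on that audit advice, and on the lookalike-account naming described earlier, is to parse a FortiOS `config system admin` block and flag any admin whose name is another admin's name plus a single trailing digit. This is an added example, not Forescout's or Fortinet's code; the configuration sample is constructed for illustration and is not from a real victim.

```python
import re

# Constructed FortiOS-style "config system admin" sample (not a real device
# export). "netops1" and "admin2" mimic the lookalike naming pattern.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
    edit "netops1"
        set accprofile "super_admin"
    next
    edit "admin2"
        set accprofile "super_admin"
    next
end
"""

def parse_admins(config_text):
    """Return {admin_name: accprofile} from a 'config system admin' block."""
    admins = {}
    block = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    if not block:
        return admins
    for entry in re.finditer(r'edit "([^"]+)"(.*?)next', block.group(1), re.S):
        name, body = entry.group(1), entry.group(2)
        prof = re.search(r'set accprofile "([^"]+)"', body)
        admins[name] = prof.group(1) if prof else None
    return admins

def find_lookalikes(admin_names):
    """Map each name that is another admin's name plus one trailing digit
    to the legitimate-looking name it shadows."""
    names = set(admin_names)
    return {n: n[:-1] for n in names if n[-1:].isdigit() and n[:-1] in names}

def audit(config_text):
    """Return sorted (suspicious_name, shadowed_name, accprofile) tuples."""
    admins = parse_admins(config_text)
    lookalikes = find_lookalikes(admins)
    return [(n, lookalikes[n], admins[n]) for n in sorted(lookalikes)]

if __name__ == "__main__":
    for name, shadowed, prof in audit(SAMPLE_CONFIG):
        print(f"REVIEW {name!r}: resembles {shadowed!r}, accprofile={prof}")
```

Any hit with `accprofile` of `super_admin` that nobody on the team recognises deserves immediate follow-up, and the same name comparison can be run over the VPN user group membership the article mentions.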