SuperBlack Ransomware Exploits Fortinet Vulnerabilities: A New Cyber Threat Emerges
A Russian-linked threat actor, identified as Mora_001, has been actively exploiting vulnerabilities in Fortinet firewalls to deploy a new ransomware variant known as SuperBlack. Security researchers at Forescout have uncovered this sophisticated campaign, highlighting the threat actor’s ties to established ransomware gangs and their use of advanced post-exploitation techniques.
The Exploited Vulnerabilities
Mora_001 has been observed targeting two critical vulnerabilities in Fortinet’s FortiOS and FortiProxy:
CVE-2024-55591 – A zero-day privilege escalation vulnerability that allows attackers to gain super-admin access.
CVE-2025-24472 – An additional attack vector that was disclosed in February 2025.
Fortinet released patches for CVE-2024-55591 in January, but attackers quickly leveraged a proof-of-concept (PoC) exploit that was publicly shared on January 27. Within just four days, Mora_001 was actively exploiting it in attacks.
Attack Methodology
The Mora_001 hacking group follows a structured attack strategy that includes:
Gaining Administrative Access
Creating local system admin accounts using a chaining method, where each new account generates additional ones.
Downloading firewall configuration files to extract critical information.
System Manipulation & Persistence
Modifying system settings to maintain control.
Creating automated scripts that recreate the super-admin user if deleted.
Establishing local VPN user accounts for sustained access.
Reconnaissance & Lateral Movement
Using built-in FortiGate dashboards for network reconnaissance.
Attempting to log into other firewalls within the victim’s environment.
Utilizing Windows Management Instrumentation Command-line (WMIC) and SSH to navigate compromised systems.
Targeted Ransomware Deployment
Focusing on high-value targets like file servers and domain controllers.
Exfiltrating sensitive data before executing the ransomware payload.
Selectively encrypting file servers rather than the entire network.
SuperBlack vs. LockBit: Key Differences
SuperBlack ransomware appears to be derived from a leaked LockBit builder but incorporates notable modifications:
Uses a distinct ransom note format.
Deploys a different data exfiltration tool.
Integrates a wiper component (WipeBlack), which erases traces of the ransomware executable post-encryption.
These changes indicate that while SuperBlack shares a lineage with LockBit, it represents a distinct and evolving threat.
Mitigation and Protection Measures
To defend against SuperBlack ransomware attacks, organizations using Fortinet products should:
Immediately apply security patches for CVE-2024-55591 and CVE-2025-24472.
Monitor firewall configurations for unauthorized changes or newly created admin accounts.
Restrict VPN access and enforce multi-factor authentication (MFA).
Conduct regular network audits to identify lateral movement and privilege escalation attempts.
Back up critical data and ensure an effective disaster recovery plan is in place.
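As an added example (not from the original post, and not code from Forescout or Fortinet), the Python script below shows one way to put the configuration-monitoring advice above into practice. It parses a FortiGate-style configuration backup and compares the admin accounts, local VPN users and automation stitches against a known-good baseline, which covers the persistence techniques described in the Attack Methodology section: new super-admin accounts, extra local VPN users, and scripted re-creation of the admin user (in FortiOS such scripted actions are typically automation stitches). The sample config text, account names and baseline are constructed for illustration, and the CLI layout is an approximation of the FortiOS config/edit/set/next/end structure rather than an official grammar.

```python
"""Baseline diff for a FortiGate-style configuration backup.

Added example: not from the original article, Forescout or Fortinet.
The config syntax below approximates FortiOS CLI (config / edit / set /
next / end); SAMPLE_CONFIG and BASELINE are constructed for illustration.
"""

# Constructed sample: a backup taken after suspicious activity.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "admin2"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user local
    edit "vpn-alice"
        set type password
    next
    edit "vpn-svc01"
        set type password
    next
end
config system automation-stitch
    edit "restore-admin"
        set trigger "config-change"
        set status enable
    next
end
"""

# Known-good baseline, e.g. recorded after the last authorised change.
BASELINE = {
    "system admin": {"admin"},
    "user local": {"vpn-alice"},
    "system automation-stitch": set(),
}


def parse_config(text):
    """Return {section: {entry_name: {attr: value}}} for top-level blocks.

    Handles one level of `edit ... next` inside each `config ... end`.
    Nested sub-tables are only tracked so the matching `end` is found.
    """
    sections = {}
    section = entry = None
    depth = 0  # nesting depth of `config` blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
                sections[section] = {}
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif depth != 1:
            continue  # skip nested sub-tables and stray lines
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
    return sections


def find_unauthorised(config, baseline):
    """Flag entries in monitored sections that are absent from the baseline.

    Returns a sorted list of (section, entry_name, reason) tuples.
    """
    findings = []
    for section, allowed in baseline.items():
        for name, attrs in config.get(section, {}).items():
            if name in allowed:
                continue
            if section == "system admin":
                profile = attrs.get("accprofile", "?")
                reason = f"new admin account with profile {profile}"
            elif section == "user local":
                reason = "new local (VPN) user"
            else:
                reason = f"new {section} object"
            findings.append((section, name, reason))
    return sorted(findings)


def audit(text, baseline=BASELINE):
    """Parse a config backup and return everything not covered by the baseline."""
    return find_unauthorised(parse_config(text), baseline)


if __name__ == "__main__":
    for section, name, reason in audit(SAMPLE_CONFIG):
        print(f"[ALERT] {section}: '{name}' - {reason}")
```

Running the script against the constructed sample reports the two extra super-admin accounts, the extra local VPN user and the automation stitch; running it against a backup that matches the baseline reports nothing. In practice the baseline would be refreshed from a backup taken immediately after each approved change, and the check scheduled to run against fresh exports so that new accounts surface before they are used for lateral movement.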