Fortinet Firewall Vulnerabilities: Hackers Targeting Bugs to Deploy Ransomware

Recent reports indicate that security researchers have detected hackers associated with the infamous LockBit gang exploiting vulnerabilities in Fortinet firewalls to deploy ransomware across various company networks. This alarming development underscores the critical need for organizations to prioritize cybersecurity measures.

Exploitation of Fortinet Firewall Vulnerabilities

According to a report from Forescout Research, a group identified as “Mora_001” has been actively exploiting Fortinet firewalls, which serve as crucial digital gatekeepers for corporate networks. These vulnerabilities enable the deployment of a custom ransomware strain known as “SuperBlack.”

Details of the Vulnerabilities

Two specific vulnerabilities have been highlighted in the attacks:

  • CVE-2024-55591: This vulnerability has been actively exploited since December 2024, leading to breaches in corporate networks.
  • CVE-2025-24472: A second bug that Mora_001 is leveraging in the same attacks.

Fortinet released patches for both vulnerabilities in January, but security experts warn that many organizations may still be at risk.

Intrusions and Data Theft

Sai Molige, the senior manager of threat hunting at Forescout, mentioned to TechCrunch that they have investigated multiple incidents across different companies, indicating a broader threat landscape. In one verified case, Forescout observed attackers selectively encrypting file servers that housed sensitive information.

Molige noted, “The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption.” This approach highlights the evolving tactics of cybercriminals.

Connection to LockBit Ransomware Gang

Forescout asserts that the Mora_001 group exhibits a distinct operational signature closely linked to the LockBit ransomware gang, which was disrupted by U.S. authorities last year. The SuperBlack ransomware is reportedly based on the leaked builder associated with LockBit 3.0 attacks, and the ransom note used by Mora_001 features the same messaging address as LockBit.

Molige speculated, “This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels.”

Cybersecurity Insights

Stefan Hostetler, head of threat intelligence at Arctic Wolf, commented on Forescout’s findings, suggesting that hackers are targeting organizations that were unable to apply the necessary patches or secure their firewall configurations after the vulnerabilities were disclosed. He also noted that the ransom note bears resemblances to those from other groups, including the now-defunct ALPHV/BlackCat ransomware gang.

Despite the severity of these findings, Fortinet had not yet responded to inquiries from TechCrunch regarding the issue at the time of reporting. It remains imperative for organizations to stay vigilant and ensure their cybersecurity measures are up to date.

Conclusion

As cyber threats continue to evolve, companies must take proactive steps to secure their networks. By addressing vulnerabilities and staying informed about emerging threats, organizations can better protect themselves against ransomware attacks like those perpetrated by the Mora_001 group.
