
SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
The emergence of the SuperBlack ransomware, operated by a threat actor tracked as Mora_001, has spotlighted two critical authentication bypass vulnerabilities in Fortinet’s FortiOS and FortiProxy: CVE-2024-55591 and CVE-2025-24472. The first was disclosed by Fortinet in January 2025, by which time it had already been exploited as a zero-day; the second was added to the same advisory in February 2025, and its active exploitation was confirmed by a Forescout report in March 2025 (BleepingComputer). The campaign shows how quickly an edge-device flaw is turned into a full intrusion: the attackers exploit it to obtain ‘super_admin’ privileges on the firewall, create new administrator accounts, and modify automation tasks so that those accounts are recreated if a defender removes them, securing a durable foothold before moving into the network (BleepingComputer).
Exploitation of Fortinet Vulnerabilities
Vulnerabilities Overview
SuperBlack, operated by the group tracked as Mora_001, exploits two critical authentication bypass vulnerabilities in Fortinet’s FortiOS and FortiProxy: CVE-2024-55591 and CVE-2025-24472. Both are covered by Fortinet’s advisory FG-IR-24-535, which describes an authentication bypass using an alternate path or channel (CWE-288) that lets a remote, unauthenticated attacker obtain super-admin privileges: via crafted requests to the Node.js WebSocket module of the administrative interface in the case of CVE-2024-55591, and via crafted CSF proxy requests in the case of CVE-2025-24472. CVE-2024-55591 was disclosed by Fortinet in January 2025, and exploitation as a zero-day was traced back to mid-November 2024. CVE-2025-24472 was added to the advisory in February 2025 but was not initially acknowledged as exploited; Forescout’s March 2025 report documented Mora_001 using it in the wild (BleepingComputer).
Attack Methodology
The attack chain Mora_001 follows is structured and consistent across targets. The intrusion starts by exploiting one of the Fortinet flaws to obtain ‘super_admin’ privileges on the firewall, either through WebSocket requests to the jsconsole interface (the CLI console that the web GUI exposes over WebSocket) or by sending crafted HTTPS requests directly to an exposed management interface. Because the exploit logs in through jsconsole rather than through a normal GUI or SSH session, the resulting event log entries show jsconsole as the user interface, typically with a loopback or arbitrary source address, which is one of the clearest forensic markers of this activity. Once in, the attackers create additional administrator accounts with plausible names such as ‘forticloud-tech’ and ‘fortigate-firewall’ for persistence, and add or modify automation tasks (FortiOS automation stitches) that recreate these accounts if an administrator deletes them (BleepingComputer).
Network Mapping and Lateral Movement
After gaining initial access, the attackers map the network and attempt lateral movement using stolen VPN credentials and VPN accounts they add to the firewall themselves. They move between systems with WMIC (the Windows Management Instrumentation command-line utility), SSH, and TACACS+/RADIUS authentication, the protocols used to authenticate to network devices. This phase identifies high-value targets, in particular file servers, database servers, and domain controllers, which are prioritized for data exfiltration and encryption (BleepingComputer).
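As an added example (not code from the original article or from Forescout), the following Python script turns the behaviour described in the two sections above into detection logic run over constructed FortiGate event log lines: super_admin logins through jsconsole from outside the management network, creation of unexpected administrator accounts, changes to automation stitches, and new local/VPN users. The sample lines are modelled on the key=value layout of FortiOS event logs, but the exact field names (ui, srcip, action, cfgpath, cfgobj, profile), the management subnet and the expected-admin baseline are assumptions to adapt to your own log export; the flagged account names are the ones reported for Mora_001.

```python
import ipaddress
import re

# Constructed sample lines in the key=value layout of FortiOS event logs.
# Field names are an assumption to adapt to your own log export.
SAMPLE_LOGS = [
    # 1: legitimate GUI login from the management network
    'date=2025-01-20 time=09:00:01 devname="FW01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.10.0.5)" '
    'srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" profile="super_admin"',
    # 2: super_admin login through jsconsole with a loopback source (exploit pattern)
    'date=2025-01-20 time=09:12:44 devname="FW01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success" profile="super_admin"',
    # 3: rogue administrator created from that session
    'date=2025-01-20 time=09:13:02 devname="FW01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" '
    'cfgpath="system.admin" cfgobj="forticloud-tech" cfgattr="accprofile[super_admin]"',
    # 4: automation stitch added so the account is recreated if deleted
    'date=2025-01-20 time=09:14:10 devname="FW01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="forticloud-tech" ui="jsconsole" '
    'action="Add" cfgpath="system.automation-stitch" cfgobj="ensure-admin"',
    # 5: new local user for VPN access
    'date=2025-01-20 time=09:15:30 devname="FW01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="forticloud-tech" ui="jsconsole" '
    'action="Add" cfgpath="user.local" cfgobj="vpnuser7"',
    # 6: benign jsconsole use by a known admin from the management network
    'date=2025-01-20 time=10:00:00 devname="FW01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="jsconsole" '
    'srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" profile="super_admin"',
]

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]                  # assumed management subnet
EXPECTED_ADMINS = {"admin", "netops"}                               # assumed device baseline
SUSPICIOUS_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall"}  # names reported for Mora_001

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Split a line of key=value and key="quoted value" pairs into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def from_mgmt_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)

def analyze(lines):
    """Return findings as dicts with severity, reason, user and 1-based line number."""
    findings = []
    for idx, line in enumerate(lines, 1):
        f = parse_log(line)
        if f.get("type") != "event":
            continue
        user, ui, obj = f.get("user", "?"), f.get("ui", ""), f.get("cfgobj", "")
        # (a) Successful admin login via jsconsole from outside the management network.
        #     The exploit path produces a jsconsole session whose srcip is loopback or
        #     an arbitrary address rather than an operator workstation.
        if f.get("action") == "login" and f.get("status") == "success" and ui == "jsconsole":
            src = f.get("srcip", "")
            if not from_mgmt_net(src):
                findings.append({"severity": "high", "user": user, "line": idx,
                                 "reason": f"jsconsole login as {user} ({f.get('profile')}) from {src}"})
            continue
        # (b) Configuration changes to the objects used for persistence and VPN access.
        if f.get("action") not in ("Add", "Edit"):
            continue
        cfgpath = f.get("cfgpath", "")
        if cfgpath == "system.admin":
            if obj in SUSPICIOUS_ADMIN_NAMES or obj not in EXPECTED_ADMINS:
                sev, why = "high", f"unexpected administrator {obj!r} added/changed by {user}"
            else:
                sev, why = "medium", f"existing administrator {obj!r} modified by {user}"
        elif cfgpath.startswith("system.automation-"):
            sev, why = "high", f"automation object {obj!r} ({cfgpath}) changed by {user}"
        elif cfgpath.startswith(("user.local", "vpn.ssl")):
            sev, why = "medium", f"VPN/local user object {obj!r} ({cfgpath}) changed by {user}"
        else:
            continue
        findings.append({"severity": sev, "user": user, "line": idx, "reason": why})
    return findings

def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f['severity']}] line {f['line']}: {f['reason']}")
```

On the constructed input the script flags lines 2 to 5 (three high, one medium) and stays silent on the two netops sessions, including the jsconsole one, because its source address belongs to the assumed management subnet. In production, any jsconsole login whose source is not a known operator host deserves a look regardless of the account name, since the exploit authenticates as an existing super_admin before any rogue account exists.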
Data Exfiltration and Encryption
The final stages of the attack involve data exfiltration and encryption. Mora_001 employs a custom tool to steal data before encrypting files, a tactic used for double extortion. This approach not only disrupts the victim’s operations but also pressures them into paying a ransom to prevent the public release of sensitive information. The ransomware prioritizes encrypting data on file and database servers, as well as domain controllers, to maximize impact (Computer Weekly).
Indicators of Compromise
Forescout has published an extensive list of indicators of compromise (IoCs) for SuperBlack attacks. They include IP addresses that overlap with earlier LockBit operations, and the SuperBlack encryptor itself is built from the leaked LockBit 3.0 builder with the LockBit branding removed, which suggests a link between the two groups. The use of the WipeBlack wiper, which removes traces of the encryptor after it runs and was previously seen alongside BrainCipher, EstateRansomware, and SenSayQ, further ties the operation to the LockBit ecosystem (BleepingComputer).
Industry Impact and Response
The exploitation of these Fortinet vulnerabilities has significant implications for industries relying on Fortinet’s security solutions. The energy, healthcare, manufacturing, transportation, logistics, and automotive sectors are particularly vulnerable due to their reliance on Fortinet’s infrastructure. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged Fortinet customers to update affected devices to mitigate the risk of exploitation (TechCrunch).
Fortinet’s Mitigation Efforts
Fortinet has addressed both vulnerabilities in advisory FG-IR-24-535: affected FortiOS 7.0.0 through 7.0.16 should be upgraded to 7.0.17 or later, FortiProxy 7.0.0 through 7.0.19 to 7.0.20 or later, and FortiProxy 7.2.0 through 7.2.12 to 7.2.13 or later. Where upgrading is delayed, the advised workaround is to disable the HTTP/HTTPS administrative interface on Internet-facing interfaces or to restrict it to trusted addresses with a local-in policy. Patching closes the entry point but does not remove administrator accounts, automation stitches, or VPN users an attacker has already added, so devices that were exposed while vulnerable should also have their configuration reviewed. The rapid weaponization of these flaws underscores the need for continuous monitoring and timely application of security updates; Fortinet’s Product Security Incident Response Team (PSIRT) has been working with affected organizations to share findings and improve defenses (Corvus Insurance).
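As an added example (not Fortinet’s or the article’s own code), the Python snippet below turns the version ranges from advisory FG-IR-24-535 into a fleet triage: it parses each device’s version string, decides whether an upgrade is required, and ranks devices whose administrative interface is reachable from the Internet first, because those need the workaround immediately. The inventory, hostnames, version strings, and the exposure flag are constructed for the example.

```python
import re

# Affected branch -> (last affected version, first fixed version), from advisory
# FG-IR-24-535 (CVE-2024-55591 and CVE-2025-24472). Branches not listed are not affected.
AFFECTED = {
    ("FortiOS", (7, 0)):    ((7, 0, 16), (7, 0, 17)),
    ("FortiProxy", (7, 0)): ((7, 0, 19), (7, 0, 20)),
    ("FortiProxy", (7, 2)): ((7, 2, 12), (7, 2, 13)),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed inventory: (hostname, product, version string, admin GUI reachable from WAN).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.15", True),
    ("fw-edge-02", "FortiOS", "v7.0.17", True),
    ("fw-dc-01", "FortiOS", "v7.4.5", False),
    ("proxy-01", "FortiProxy", "v7.2.11", False),
    ("proxy-02", "FortiProxy", "7.0.20", True),
]

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.0.15' or '7.2.11'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def required_upgrade(product, version):
    """Return the first fixed version if (product, version) is affected, else None."""
    v = parse_version(version)
    entry = AFFECTED.get((product, v[:2]))
    if entry is None:
        return None
    last_affected, first_fixed = entry
    return first_fixed if v <= last_affected else None

def triage(inventory):
    """List (host, action) pairs, exposed-and-vulnerable devices first."""
    ranked = []
    for host, product, version, wan_admin in inventory:
        fix = required_upgrade(product, version)
        if fix is None:
            continue
        fixed = ".".join(map(str, fix))
        if wan_admin:
            ranked.append((0, host, f"upgrade to {fixed}; until then disable HTTP/HTTPS admin "
                                    "access on WAN-facing interfaces or restrict it with a local-in policy"))
        else:
            ranked.append((1, host, f"upgrade to {fixed}"))
    ranked.sort()
    return [(host, action) for _, host, action in ranked]

if __name__ == "__main__":
    for host, action in triage(INVENTORY):
        print(f"{host}: {action}")
```

Patching alone does not evict an attacker who has already added accounts or automation stitches, so a device that triages as affected and exposed should also have its administrator list, automation stitches, and VPN users reviewed before it is declared clean.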
Broader Cybersecurity Implications
The SuperBlack ransomware campaign highlights the evolving nature of cyber threats, where specialized teams collaborate to exploit vulnerabilities and maximize impact. This trend reflects a shift from traditional “spray and pray” strategies to more targeted attacks, emphasizing the importance of robust cybersecurity measures and collaboration between industry stakeholders (Fortinet).
Recommendations for Organizations
Organizations are advised to implement comprehensive security measures: timely patch management with priority for Internet-facing edge devices, keeping firewall management interfaces off the public Internet, network segmentation that separates the firewall’s management plane and VPN users from file servers and domain controllers, and user training. Regular audits of administrator accounts, automation stitches, and VPN user lists on the firewalls themselves, together with threat intelligence and collaboration with cybersecurity experts, improve an organization’s ability to detect and respond to emerging threats. By adopting a proactive approach, organizations can better protect themselves against targeted ransomware campaigns like SuperBlack (The Register).
Future Outlook
As cybercriminals continue to exploit vulnerabilities at an alarming rate, the cybersecurity landscape will require ongoing vigilance and adaptation. The SuperBlack ransomware campaign serves as a stark reminder of the need for continuous innovation in security technologies and practices to stay ahead of evolving threats (TechTarget).
Final Thoughts
The SuperBlack campaign shows how quickly an authentication bypass in an edge device becomes a full ransomware intrusion, and why timely updates and continuous monitoring of the devices that guard the perimeter matter. Industries heavily reliant on Fortinet’s infrastructure, such as energy, healthcare, and transportation, must heed the warnings and implement comprehensive security strategies (TechCrunch). As cybercriminals continue to refine their tactics, organizations must adopt proactive approaches, leveraging threat intelligence and collaborating with cybersecurity experts to enhance their defenses (The Register). Ongoing vigilance and innovation will be needed to stay ahead of these evolving threats (TechTarget).
References
- BleepingComputer. (2025). New SuperBlack ransomware exploits Fortinet auth bypass flaws. https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
- Computer Weekly. (2025). SuperBlack ransomware may have ties to LockBit. https://www.computerweekly.com/news/366620584/SuperBlack-ransomware-may-have-ties-to-LockBit
- TechCrunch. (2025). Hackers are exploiting a new Fortinet firewall bug to breach company networks. https://techcrunch.com/2025/01/14/hackers-are-exploiting-a-new-fortinet-firewall-bug-to-breach-company-networks/
- Corvus Insurance. (2025). Fortinet vulnerability January 2025. https://www.corvusinsurance.com/blog/fortinet-vulnerability-january-2025
- Fortinet. (2024). Fortinet threat research finds cybercriminals are exploiting new industry vulnerabilities faster. https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2024/fortinet-threat-research-finds-cybercriminals-are-exploiting-new-industry-vulnerabilities-faster
- The Register. (2025). Miscreants mass exploited Fortinet firewalls. https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/
- TechTarget. (2025). Exploitation activity increasing on Fortinet vulnerability. https://www.techtarget.com/searchsecurity/news/366574352/Exploitation-activity-increasing-on-Fortinet-vulnerability