A new ransomware group known as ‘Mora_001’ has been identified exploiting two authentication bypass vulnerabilities in Fortinet firewall appliances to deploy a custom ransomware strain named ‘SuperBlack’.
Exploited Vulnerabilities:
CVE-2025-24472: Initially fixed in January 2025, this vulnerability enables remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests. Although Fortinet initially stated they were unaware of active exploitation, recent reports indicate that ‘Mora_001’ began exploiting this flaw as early as February 2, 2025.
CVE-2024-55591: Disclosed by Fortinet in January 2025, this vulnerability allows attackers to bypass authentication by sending crafted requests to the Node.js WebSocket module. It has been actively exploited as a zero-day since at least November 2024.
Attack Methodology:
The ‘Mora_001’ group targets unpatched Fortinet devices by exploiting the aforementioned vulnerabilities to gain unauthorized access. Once inside, they deploy the ‘SuperBlack’ ransomware, encrypting data and demanding payment from victims.
Recommendations for Fortinet Device Administrators:
Immediate Patching: Ensure all Fortinet devices are updated to the latest firmware versions that address these vulnerabilities. Fortinet has released patches for both CVE-2024-55591 and CVE-2025-24472.
Review Security Advisories: Regularly consult Fortinet’s security advisories to stay informed about known vulnerabilities and recommended mitigations.
Monitor Network Traffic: Implement continuous monitoring to detect unusual activities that may indicate exploitation attempts.
Restrict Access: Limit access to management interfaces of Fortinet devices to trusted networks and administrators only.
Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification for administrative access.
By proactively addressing these vulnerabilities and strengthening security measures, organizations can mitigate the risks posed by the ‘SuperBlack’ ransomware and similar threats.