Dive Brief:
- A newly discovered ransomware strain, tracked as SuperBlack, has been used in a series of attacks targeting critical vulnerabilities in Fortinet since late January, according to a report by Forescout Research-Vedere Labs.
- The attacks involved exploitation of two vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which can allow unauthenticated attackers to gain super admin privileges on FortiOS firewalls.
- Researchers link the attacks to a threat actor — tracked as Mora_001 — that has operational overlaps with LockBit ransomware operations.
Dive Insight:
Researchers observed active exploitation using two distinct methods within days after a proof-of-concept exploit was released on Jan. 27, according to the Forescout Research blog post.
In certain cases, the attacks involved exploiting the WebSocket vulnerability through the vulnerable jsconsole interface.
In other cases, exploitation occurred using direct HTTPS requests. While this method looks different in logs, researchers said the same underlying vulnerability is targeted.
Initial login attempts were made using randomly generated five-character usernames. The threat actor then created local system admin users.
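The sequence described above (a short, unfamiliar username logging in and then adding a local administrator) is something defenders can hunt for in firewall event logs. The following is an added example, not code from Forescout or Fortinet; the key="value" field names, the sample lines, and the helper names parse_kv and find_suspicious_admin_chains are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key="value" syslog layout.
# Field names, account names and addresses are assumptions made for this
# example, not a verified FortiOS log schema or real indicators.
SAMPLE_LOGS = [
    'date=2025-01-30 time=02:14:07 logdesc="Admin login failed" user="qx7ab" ui="jsconsole" action="login" status="failure"',
    'date=2025-01-30 time=02:14:09 logdesc="Admin login successful" user="qx7ab" ui="https(203.0.113.10)" action="login" status="success"',
    'date=2025-01-30 time=02:15:31 logdesc="Object attribute configured" user="qx7ab" cfgpath="system.admin" cfgobj="EXAMPLE_NEW_ADMIN" action="Add"',
    'date=2025-01-30 time=08:00:01 logdesc="Admin login successful" user="alice" ui="https(198.51.100.7)" action="login" status="success"',
    'date=2025-01-30 time=08:05:12 logdesc="Object attribute configured" user="alice" cfgpath="firewall.policy" cfgobj="42" action="Edit"',
    'date=2025-01-30 time=09:30:44 logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" action="login" status="success"',
    'date=2025-01-30 time=09:31:02 logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="bob" action="Add"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def find_suspicious_admin_chains(lines, known_admins):
    """Return usernames matching the reported pattern: a five-character
    account outside the known-admin allowlist logs in successfully and
    afterwards adds an entry under system.admin (a new local admin)."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        if "user" in rec:
            per_user[rec["user"]].append(rec)

    flagged = []
    for user, recs in per_user.items():
        if len(user) != 5 or user in known_admins:
            continue
        first_login = next((i for i, r in enumerate(recs)
                            if r.get("action") == "login" and r.get("status") == "success"), None)
        if first_login is None:
            continue
        # Admin creation only counts if it happens after the successful login.
        if any(r.get("cfgpath") == "system.admin" and r.get("action") == "Add"
               for r in recs[first_login + 1:]):
            flagged.append(user)
    return flagged
```

Legitimate five-character accounts such as "admin" must be placed in the allowlist, otherwise they are flagged too; the check is a hunting heuristic, not a signature.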
Researchers said the largest number of exposed FortiGate firewalls are in the U.S. with 7,677, followed by India and Brazil.