New ransomware gang observed exploiting known Fortinet vulnerabilities

Researchers have observed a new ransomware variant being deployed via a pair of vulnerabilities in FortiGate firewall appliances.


A new ransomware actor with possible ties to LockBit and its affiliates has been observed deploying a custom ransomware variant after exploiting two known vulnerabilities in FortiGate firewall appliances.

Analysts at Forescout Research – Vedere Labs attribute the attacks to a threat actor they have dubbed Mora_001, a name drawn from Slavic mythology because the operators appear to be Russian speakers.

“Mora_001’s relationship to the broader LockBit’s ransomware operations underscores the increased complexity of the modern ransomware landscape – where specialised teams collaborate to leverage complementary capabilities,” Forescout said in a 12 March blog post.

Mora_001 achieves initial access via CVE-2024-55591 and CVE-2025-24472, two authentication bypass vulnerabilities in FortiOS and FortiProxy. Once on the firewall, the actors escalate their privileges, create multiple additional administrator accounts to maintain persistence, and then carry out network reconnaissance before attempting lateral movement.
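The persistence step above leaves a trace in the firewall's own event log: every administrator account created on a FortiGate is recorded as a configuration change, and Fortinet's advisory for CVE-2024-55591 lists administrator logins through the `jsconsole` interface from unexpected source addresses as an exploitation indicator. The following triage script is an added example, not code from Forescout or Fortinet. It parses FortiGate-style key=value event lines and flags both indicators. The log lines, the log IDs, the `EXPECTED_ADMINS` allowlist and the account name `forticloud-tech` are constructed for the example; substitute your own change-control records and exported logs.

```python
"""Triage FortiGate event logs for the Mora_001 pattern:
an admin session established through jsconsole, followed by new admin accounts."""
import re
from dataclasses import dataclass

# Assumption: the administrator accounts your change-control records say should exist.
EXPECTED_ADMINS = {"admin", "netops-ro"}

# FortiGate event logs are space-separated key=value pairs; values containing
# spaces or punctuation are double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one FortiGate syslog line into a dict, with quotes stripped."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in _KV.finditer(line)
    }


@dataclass
class Finding:
    reason: str
    account: str
    srcip: str
    line: str


def triage(lines: list[str]) -> list[Finding]:
    """Return one Finding per suspicious event, in log order."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "event":
            continue
        ui = ev.get("ui", "")

        # Indicator 1: an admin login whose UI is jsconsole. Legitimate CLI
        # console use is rare on a production edge device; exploitation of
        # CVE-2024-55591 shows up this way, usually with an unexpected srcip.
        if ev.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole"):
            findings.append(Finding("admin login via jsconsole",
                                    ev.get("user", ""), ev.get("srcip", ""), line))

        # Indicator 2: a new system.admin object (the persistence step). Flag it
        # when the account is not on the allowlist or it was added via jsconsole.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            acct = ev.get("cfgobj", "")
            if acct not in EXPECTED_ADMINS or ui.startswith("jsconsole"):
                findings.append(Finding("unexpected admin account created",
                                        acct, ev.get("srcip", ""), line))
    return findings


# Constructed sample lines in FortiGate event-log format (not real telemetry).
SAMPLE_LOGS = [
    'date=2025-01-28 time=10:01:12 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="jsconsole" method="jsconsole" srcip=198.51.100.23 dstip=192.0.2.1 '
    'action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-01-28 time=10:01:40 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1234 cfgpath="system.admin" '
    'cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"',
    'date=2025-01-28 time=10:05:03 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="netops-ro" '
    'ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="success"',
    'date=2025-01-28 time=10:06:11 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="netops-ro" '
    'msg="Add system.admin netops-ro"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.reason}: account={f.account!r} srcip={f.srcip!r}")
```

Run against an exported event log (one line per event) rather than the constructed sample, and feed the allowlist from your configuration baseline; an account that appears on the device but not in the baseline is worth a ticket regardless of how it was added, because the point of the attacker's extra accounts is to survive the patch you apply afterwards.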

The process concludes with the deployment of a ransomware variant Forescout is calling SuperBlack – a modified version of the LockBit 3.0 malware.

The ransom note left behind contains a TOX messaging ID previously used by LockBit, which may mean the actor is a LockBit affiliate or an associated group reusing the same communication channel.

“The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates,” Forescout said.

“This consistent operational framework suggests a distinct threat actor with a structured playbook, rather than multiple operators following a generalised LockBit methodology.”

Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, said that ransomware operators are “always on the hunt” for new sources of income, and that finding unpatched network edge devices is a key step in that process.

“The good news in this case is that the patch previously released by Fortinet should cover both vulnerabilities. The latest reports suggest that threat actors are going after the remaining organisations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed,” Hostetler said.

Hostetler added that cyber criminals are skilled at taking advantage of organisations that fail to patch important vulnerabilities.

“The threat actor tied to the ransomware campaign described by Forescout appears to be using a familiar set of tools seen in past ransomware activity, while adapting their initial access techniques. When the LockBit 3.0 builder leaked in 2022, numerous groups began using it for their own independent campaigns, and this threat actor appears to be doing the same,” Hostetler said.

“Additionally, the structure of the ransom note bears similarities to that of other groups, such as the now-defunct BlackCat/ALPHV ransomware variant. This illustrates how the threat actors hiding behind ransomware group names rebrand and adapt as their incentives and alliances evolve over time.

“For organisations who haven’t yet, our recommendation would be to patch this vulnerability as soon as possible and to review your firewall security configuration to avoid falling victim to this and other similar campaigns.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
