Full Report
Security researchers say that a threat actor it calls Mora_001 has ‘close ties’ to the Russia-linked hacking group © 2024 TechCrunch.
Analysis Summary
# Threat Actor: Mora_001 (Linked to LockBit)
## Attribution & Identity
* **Identified by:** Forescout Research.
* **Known Aliases/Associations:** The group "Mora_001" exhibits a distinct operational signature with **"close ties" to the LockBit ransomware gang**.
## Activity Summary
Mora_001 is currently exploiting known vulnerabilities in Fortinet firewalls to gain initial access to corporate networks. The primary goal appears to be deploying a custom ransomware strain named **"SuperBlack"**. Security researchers have observed the actor selectively encrypting file servers only after exfiltrating sensitive data, indicating a focus on data theft alongside disruption.
## Tactics, Techniques & Procedures
- Exploiting publicly disclosed vulnerabilities (zero-day/N-day exploitation).
- Gaining initial access via network edge devices (Fortinet firewalls).
- Deploying custom ransomware ("SuperBlack").
- Prioritizing data exfiltration *before* encryption, adhering to modern ransomware trends.
## Targeting
* **Sectors:** Not explicitly detailed, but focused on organizations utilizing Fortinet firewalls (likely Enterprise/Corporate environments).
* **Geography:** Mentioned in the context of Forescout investigating "three events in different companies," without specific geographic pinning.
* **Victims:** At least three different company networks investigated by Forescout.
## Tools & Infrastructure
* **Malware Families Used:** Custom ransomware strain named **"SuperBlack"**.
* **Infrastructure:** Vulnerable Fortinet firewalls, exploited for initial access via:
  * CVE-2024-55591 (exploitation observed since December 2024)
  * CVE-2025-24472
## Implications
The use of easily identifiable, recently patched vulnerabilities in critical perimeter devices (firewalls) suggests a threat actor focused on speed and on leveraging readily available exploit information. The connection to the notorious LockBit group (even after that group's reported disruption) implies experienced operators with mature ransomware capabilities, specifically executing a double-extortion model (exfiltration preceding encryption).
## Mitigations
- Immediately apply patches released by Fortinet for CVE-2024-55591 and CVE-2025-24472.
- Review network perimeter security, specifically Fortinet devices, for signs of compromise dating back to December 2024, when active exploitation began; firewall compromise may long precede any observed encryption event.
- Enhance monitoring for post-exploitation activity, focusing on data staging and exfiltration paths following firewall compromise.