Full Report
Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group.
Analysis Summary
# Threat Actor: Mora_001
## Attribution & Identity
Mora_001 is a newly identified ransomware operation with strong ties to the **LockBit ransomware ecosystem**: its payload is built with the leaked LockBit 3.0 (LockBit Black) builder and retains that family's characteristics. Researchers assess that Mora_001 is either a current LockBit affiliate or an associate that shares communication channels with the group.
## Activity Summary
Mora_001 has been exploiting two recently patched authentication bypass vulnerabilities in Fortinet products, CVE-2024-55591 and CVE-2025-24472, since at least late January, with attacks confirmed from February 2nd. The intrusions began with exploitation of these vulnerabilities on internet-facing FortiGate firewall appliances and culminated in deployment of a newly discovered ransomware strain dubbed **SuperBlack**. The activity combines opportunistic initial access through perimeter devices with established ransomware tradecraft.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of authentication bypass vulnerabilities in FortiGate firewalls (CVE-2024-55591 and CVE-2025-24472).
- **Ransomware Development:** Payload generated with the **leaked LockBit 3.0 builder**.
- **Customization:** Ransom note restructured and stripped of LockBit branding.
- **Exfiltration:** A custom data exfiltration executable rather than off-the-shelf tooling.
- **Tooling Blending:** Ransom note structure and tooling patterns show overlaps with other groups, potentially including BlackCat/ALPHV, rather than a single clean lineage.
## Targeting
- Sectors: No sector focus is evident. Victims are organizations running internet-facing FortiGate firewall appliances, which indicates selection by exposure to the vulnerable perimeter device rather than by industry.
- Geography: Not explicitly mentioned, but the targeting of publicly exposed appliances suggests a broad, opportunistic reach.
- Victims: No specific organizations were named.
## Tools & Infrastructure
- **Malware Families used:** SuperBlack (a LockBit 3.0/LockBit Black derivative produced with the leaked builder).
- **Infrastructure (C2, domains, IPs):** Not specified in detail.
- **Shared Resources:** Leveraging the leaked LockBit 3.0 builder.
## Implications
Mora_001 represents an evolution of the LockBit threat following the international law enforcement disruption of the primary LockBit infrastructure. The group moves quickly, weaponizing freshly disclosed Fortinet vulnerabilities and customizing the output of the LockBit builder (ransom note, branding) to blur attribution while retaining a high-impact ransomware capability. Because the vulnerabilities it relies on were already public and patched, the operation depends on the window between disclosure and patching in victim organizations.
## Mitigations
- Immediately apply the patches released by Fortinet for CVE-2024-55591 and CVE-2025-24472 on all FortiGate firewall appliances (FortiOS 7.0.0 through 7.0.16 are affected; 7.0.17 fixes both CVEs).
- Harden firewall configurations: remove administrative access (HTTPS/SSH) from interfaces exposed to the public internet and restrict management to trusted source addresses. Targeting of exposed FortiGate management interfaces was observed as early as December.
- Treat signature-based detection of the payload as unreliable, since builder-derived variants such as SuperBlack are easily rebranded to evade known indicators. Continuous monitoring for unusual post-exploitation activity on and behind the appliance is essential.
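As an added illustration of the management-interface hardening point (this is example configuration, not part of the original report or of Fortinet's advisory text), the FortiOS CLI fragments below contrast an exposed management interface with a hardened one. The interface name `wan1`, the management network `10.10.0.0/24` and the object names `MGMT_NET` and `admin` are assumptions for the example; `#` lines are annotations, not CLI input.

```fortios
# --- Weak: admin protocols reachable from the internet on the WAN interface ---
# (assumed interface name "wan1")
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# --- Hardened, step 1: no management protocols on the internet-facing interface ---
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# --- Hardened, step 2: define the only network allowed to manage the device ---
# (assumed management subnet 10.10.0.0/24)
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# --- Hardened, step 3: local-in policies so that admin ports are reachable only
#     from MGMT_NET on every interface, including internal ones where
#     allowaccess must stay enabled. Evaluated top-down: accept first, then deny.
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# --- Hardened, step 4: pin the administrator account to the same subnet, so a
#     misconfigured interface or policy alone does not re-expose the login ---
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

Apply this in addition to patching, not instead of it: both CVEs live in the administrative HTTP(S) path, so the exposure the local-in policies remove is exactly the one the exploited requests travel over. After committing, confirm the result with `show system interface wan1` and `show firewall local-in-policy`, and test that an admin session from outside `MGMT_NET` is refused before relying on the change.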