Hackers Exploit Fortinet Firewall Bugs to Plant Ransomware
Security researchers have discovered that hackers linked to the notorious LockBit gang are exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on several company networks. The vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, were patched by Fortinet in January, but it appears that some organizations failed to apply the updates in time.
According to Forescout Research, a group dubbed "Mora_001" is behind the attacks, which involve using custom ransomware called "SuperBlack." The researchers have observed that the attackers selectively encrypt file servers containing sensitive data after exfiltrating it, a trend seen among recent ransomware operators who prioritize data theft over pure disruption.
"The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption," said Sai Molige, senior manager of threat hunting at Forescout. "This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels."
The Connection to LockBit Gang
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, notes that Forescout's findings suggest that hackers are "going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed."
"The ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang," Hostetler said.
The Rise of Custom Ransomware
The SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, and its ransom note includes the same messaging address used by LockBit.
Fortinet's Response
Fortinet did not respond to TechCrunch's questions about the vulnerabilities and the attacks. The company did, however, release patches for both bugs in January.
Prevention is Key
This incident highlights the importance of timely patching and of hardening firewall configurations. Organizations that failed to apply the patches in time are now facing the consequences.
"The attack demonstrates how attackers can exploit vulnerabilities in firewalls to gain unauthorized access to systems," said Molige. "This emphasizes the need for organizations to stay vigilant and keep their security up to date."