A newly discovered ransomware group, named Mora_001 by Forescout researchers, has been making headlines for their exploits targeting Fortinet firewalls. By taking advantage of specific vulnerabilities in these systems, they’ve been able to gain unauthorized access and deploy a new ransomware variant, posing a significant risk to organizations worldwide.
The Fortinet Vulnerabilities
Authentication Bypass Exploits
Mora_001 has been exploiting two critical authentication bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, both of which have been instrumental in their attacks. The first of these vulnerabilities was a zero-day exploit, active since December 2024, allowing attackers to infiltrate systems undetected. This mass exploitation campaign has drawn widespread attention due to the severity and impact of the vulnerabilities. Specifically, CVE-2024-55591 was disclosed on January 14, with exploit activities already traced back to the previous month. Criminals quickly took advantage of the flaw, using it to establish initial access points in various environments. The second vulnerability, CVE-2025-24472, followed soon after, contributing to Mora_001’s efforts to penetrate and compromise Fortinet firewall defenses.
The widespread exploitation of these vulnerabilities underscores a concerning trend in the cyber threat landscape. Attackers have capitalized on weaknesses in Fortinet firewalls, deploying sophisticated techniques to bypass authentication mechanisms. This strategic exploitation allowed them to blend into network environments and establish persistence. Researchers have labeled this as a “mass exploitation campaign,” given its broad reach and impact. The utilization of zero-day exploits emphasizes the agility and resourcefulness of the Mora_001 group, highlighting their advanced capabilities. Businesses worldwide are now faced with the challenge of addressing these vulnerabilities proactively to thwart potential attacks and safeguard their systems.
Initial Access and Persistence
Once inside, attackers move swiftly to establish persistence. By creating additional administrative accounts that blend in with legitimate ones, they ensure long-term access. These accounts are added to VPN groups, further embedding the malicious entities within the network, making detection and removal exceedingly difficult. One of the cunning methods employed involves the creation of admin accounts that just add a digit to the names of existing legitimate accounts. This tactic enables the attackers to camouflage their presence and avoid detection during routine administrative checks.
This strategic maneuver allows the attackers to maintain their foothold within the compromised network, setting the stage for further malicious activities. By embedding themselves within VPN groups, they secure remote access and facilitate continued operations even if the initial entry points are discovered and addressed. The persistence achieved through these tactics is a critical component of Mora_001’s broader attack strategy. They exhibit a high level of sophistication, demonstrating advanced knowledge of network administration principles and the ability to manipulate system configurations subtly.
Methods of Lateral Movement
High Availability Mode Exploitation
In environments with high availability (HA) configurations, attackers utilize the HA synchronization process to duplicate their malicious configurations across the whole system. This technique effectively spreads backdoor access and automation scripts, securing their presence within the network. The HA synchronization process is typically designed to ensure uninterrupted service and system redundancy; however, attackers have exploited this feature to propagate their nefarious configurations. This results in the duplication of compromised settings across multiple devices, allowing them to control multiple points within the network.
This method of lateral movement is particularly insidious, as it leverages built-in system features intended for resilience and reliability. By manipulating these processes, attackers can embed scripts and backdoor accounts into the firewall configurations seamlessly. This strategic approach ensures persistent access and control over the network, making the eradication of the threat substantially more challenging. Businesses employing HA configurations must remain vigilant, auditing synchronization processes regularly to detect and remediate any signs of unauthorized modifications promptly.
Leveraging VPN Access
For firewalls using TACACS+ or RADIUS authentication protocols, Mora_001 operators manipulate VPN access to authenticate through Network Policy Servers (NPS). This synchronization with Active Directory or through a Radius Community secret allows the attackers to move laterally and maintain access across the network. By leveraging VPN access, attackers take advantage of strong authentication protocols and use them to their benefit. This allows them to blend into legitimate network traffic and remain undetected while accessing critical resources.
The manipulation of these protocols underscores the importance of stringent security measures in organizations employing VPN and centralized authentication systems. Attackers exploit synchronization of locally created users with broader directory services, ensuring their access persists even after initial breach points are addressed. Network administrators must implement robust security practices, monitoring VPN access logs and ensuring strict access controls to mitigate risks. Regular audits of user account configurations and authentication protocols are essential to identify and eliminate unauthorized access vectors contributing to lateral movement within the network.
Exploitation and Data Exfiltration
Intelligence Gathering via FortiGate Dashboards
After gaining control of the system, attackers utilize FortiGate dashboards to map the network for high-value targets, such as file servers and domain controllers. This information is crucial for staging double extortion ransomware attacks, where sensitive data is exfiltrated and then encrypted, putting immense pressure on victims to comply with ransom demands. FortiGate dashboards provide comprehensive insights into network configurations and connected devices, enabling attackers to pinpoint valuable assets within the compromised environment.
This intelligence gathering phase is a critical step in the attackers’ strategy, as it allows them to identify and prioritize targets for data exfiltration and encryption. By focusing on high-value systems, such as file servers and domain controllers, they maximize the impact of their ransomware attacks. Once they have exfiltrated sensitive data, they leverage the threat of exposure to exert additional pressure on victims, demanding ransom payments in exchange for the decryption keys and the promise of not disclosing stolen information. The double extortion tactic increases the likelihood of compliance, as victims face both data loss and potential reputational damage.
Deploying SuperBlack Ransomware
The deployment of SuperBlack, a modified LockBit ransomware variant, marks the critical phase of the attack. With significant code tweaks and the removal of LockBit branding, SuperBlack is tailored to evade detection while still operating under known ransomware methodologies, suggesting a link to the notorious LockBit group. SuperBlack’s code modifications enable it to bypass security measures effectively, while its tailored design ensures a streamlined execution of payloads within compromised networks.
This innovation in ransomware tactics points to a shared knowledge base or affiliation with well-established ransomware syndicates like LockBit. The inclusion of a known LockBit qTox ID within ransom notes further supports these connections, highlighting the collaborative nature of these criminal groups. SuperBlack’s deployment emphasizes the evolving landscape of ransomware threats, with attackers continually adapting and refining their methods to stay ahead of defensive measures. Organizations must therefore adopt a proactive stance, enhancing their detection and response capabilities to mitigate the risks associated with such advanced ransomware variants.
Identified Connections and Broader Implications
Ties to LockBit and Other Ransomware
The discovery of SuperBlack’s LockBit roots involves identifying consistent elements with previous LockBit operations. The known LockBit qTox ID and similarities with other malware, like BlackMatter and BrainCipher, indicate shared practices and perhaps even affiliations between these criminal groups, showcasing sophisticated and modular attack structures. These connections suggest that Mora_001’s operations may be part of a broader ransomware ecosystem, where knowledge and techniques are exchanged to enhance the effectiveness of attacks. By tracing the lineage of SuperBlack, researchers have uncovered a web of interconnected threats, revealing a modular approach to ransomware development.
This modularity facilitates the rapid adaptation and dissemination of ransomware variants, enabling cybercriminals to exploit evolving vulnerabilities and enhance their operational capabilities. The shared techniques and resources also imply a level of cooperation or strategic alignment among these groups, further complicating efforts to combat ransomware threats. Understanding these connections is vital for developing comprehensive defensive strategies, as it highlights the need for coordinated responses and advanced threat intelligence to anticipate and mitigate such sophisticated attacks.
Global Impact and Affected Regions
The extensive geographical impact of these vulnerabilities, particularly in India and the U.S., underscores the widespread nature of the threat. Despite significant patching efforts, tens of thousands of systems remain vulnerable, necessitating continuous vigilance and proactive measures to protect against such sophisticated ransomware attacks. Data from ShadowServer indicates a high number of unpatched, internet-exposed firewalls in these regions, with 4,631 identified cases in India and 3,863 in the U.S. by early 2025.
Encouragingly, remedial actions have shown progress, with reports from January indicating nearly 50,000 vulnerable Fortinet users worldwide have taken steps to address the issues. However, the persistent nature of the vulnerabilities and the advanced techniques employed by Mora_001 necessitate ongoing vigilance. Organizations must prioritize timely updates and robust security practices to mitigate risks. The global impact of these vulnerabilities illustrates the interconnected nature of cybersecurity threats, emphasizing the importance of collaborative efforts and shared intelligence to protect critical infrastructure and sensitive data from evolving ransomware tactics.
Recommendations and Defensive Measures
Prompt Patching and Account Audits
Experts advocate for strict adherence to several security practices to mitigate such threats and prevent future intrusions. Key recommendations include prompt patching of disclosed vulnerabilities, auditing of admin accounts for anomalies indicative of any rogue intrusions, and deactivation of external management access to firewalls. Regular patching is crucial, ensuring that systems are protected against known exploits employed by threat actors. Admin account audits help detect and remove unauthorized accounts created by attackers to secure their persistence.
By maintaining a robust patch management strategy and continuously monitoring account activities, organizations can minimize the risk of unauthorized access and control. Network administrators are urged to ensure robust restrictions on VPN access and active monitoring of firewall configurations and logs. Advanced monitoring solutions can detect and respond to suspicious activities promptly, enhancing the overall security posture. Employing comprehensive security practices and leveraging threat intelligence are essential steps in safeguarding against sophisticated ransomware threats like those posed by Mora_001.
Enhanced VPN Security and Monitoring
Furthermore, network administrators are urged to ensure robust restrictions on VPN access and to maintain active monitoring of firewall configurations and logs. VPN security measures must include stringent access controls and continuous monitoring to detect and respond to unauthorized access attempts. Implementing multi-factor authentication (MFA) for VPN connections adds an additional layer of security, making it more challenging for attackers to exploit VPN access.
Continuous log analysis and configuration audits are vital for identifying suspicious activities and potential misconfigurations that could be leveraged by attackers. Advanced security solutions can help automate these processes, simplifying the detection and response to threats. Organizations must adopt a proactive approach, regularly reviewing and updating their security policies and practices to address emerging vulnerabilities and evolving attack techniques. By enhancing VPN security measures and maintaining vigilant monitoring, businesses can significantly reduce the risk of sophisticated ransomware attacks and ensure the integrity of their network environments.
Conclusion
A new ransomware group has been discovered by Forescout researchers, and they’ve named it Mora_001. This cyber gang has been making headlines recently due to their targeted attacks on Fortinet firewalls. Fortinet, being a widely used security solution by enterprises globally, has become a lucrative target for these criminals. Mora_001 has managed to exploit specific vulnerabilities in Fortinet’s systems, leading to unauthorized access. Once inside the firewall, they deploy a new variant of ransomware, which encrypts sensitive data and demands a ransom for its release. This latest development poses a significant risk to organizations worldwide, as the attacks can disrupt operations, lead to data loss, and incur substantial financial costs. Cybersecurity experts are advising firms using Fortinet firewalls to apply all available security patches and be vigilant for suspicious activity. As ransomware attacks continue to evolve, it underscores the importance of constant vigilance and robust cybersecurity measures to protect organizational data and maintain the integrity of their systems.
