CyberSecurity news
Bill Toulas@BleepingComputer
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, the attackers escalate privileges to super-admin and create new administrator accounts, then modify automation tasks so that their access is restored even if the added accounts are removed.
The vulnerabilities, disclosed in January and February 2025, allow attackers to gain unauthorized access and ultimately encrypt devices. After the initial compromise, the attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts, relying on Windows Management Instrumentation (via WMIC), SSH, and TACACS+/RADIUS authentication, protocols used for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.
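The persistence steps described above (new administrator accounts, super-admin profile assignments, edited automation tasks and added VPN user accounts) all leave entries in the firewall's own configuration-change log, which makes them a natural detection point for defenders. The script below is an added example, not code from the article or from any Fortinet tooling. The log lines are constructed for this example, and the field names (cfgpath, cfgobj, cfgattr, action, user, ui) are assumed to follow FortiGate's key=value event-log convention rather than copied from a real device.

```python
import re
from typing import Dict, List

# Constructed FortiGate-style event-log lines (key=value pairs, quoted values).
# Field names are assumed from the common FortiOS configuration-change log
# shape; every value below is made up for this example, not from a real incident.
SAMPLE_LOGS = [
    'date=2025-02-10 time=03:12:44 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="svc-backup" '
    'msg="Add system.admin svc-backup"',
    'date=2025-02-10 time=03:13:02 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="ssh(203.0.113.7)" action="Edit" cfgpath="system.admin" cfgobj="svc-backup" '
    'cfgattr="accprofile[super_admin]"',
    'date=2025-02-10 time=03:14:10 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="svc-backup" ui="ssh(203.0.113.7)" action="Edit" cfgpath="system.automation-action" '
    'cfgobj="daily-backup" cfgattr="script[...]"',
    'date=2025-02-10 time=03:15:30 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="svc-backup" ui="ssh(203.0.113.7)" action="Add" cfgpath="user.local" cfgobj="vpn-maint" '
    'msg="Add user.local vpn-maint"',
    # Benign change by the network team: must not raise an alert.
    'date=2025-02-10 time=09:00:00 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="netops" ui="GUI(10.0.0.5)" action="Edit" cfgpath="firewall.address" cfgobj="srv-web" '
    'cfgattr="subnet[10.0.1.0 255.255.255.0]"',
]

# key=value where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Config paths whose creation or edit should be reviewed. The automation
# prefix covers triggers, actions and the stitches that tie them together.
WATCHED_PREFIXES = {
    "system.admin": "admin account created or modified",
    "system.automation": "automation task modified (persistence check)",
    "user.local": "local (VPN) user account created or modified",
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def classify(event: Dict[str, str]) -> List[str]:
    """Return zero or more alert strings for one parsed system event."""
    alerts: List[str] = []
    if event.get("type") != "event" or event.get("subtype") != "system":
        return alerts
    cfgpath = event.get("cfgpath", "")
    action = event.get("action", "")
    who = event.get("user", "?")
    obj = event.get("cfgobj", "?")
    for prefix, reason in WATCHED_PREFIXES.items():
        if cfgpath.startswith(prefix) and action in ("Add", "Edit"):
            alerts.append(f"{reason}: {action} {cfgpath} {obj} by {who} via {event.get('ui', '?')}")
    # Assignment of the super_admin profile is its own signal, whatever the path.
    if "super_admin" in event.get("cfgattr", ""):
        alerts.append(f"super_admin profile assigned to {obj} by {who}")
    return alerts


def scan(lines: List[str]) -> List[str]:
    """Run the rules over every line and collect all alerts in order."""
    found: List[str] = []
    for line in lines:
        found.extend(classify(parse_event(line)))
    return found


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample the scan raises five alerts across the first four lines and none for the routine address-object edit. In practice the same rules would be fed from the firewall's syslog export, and the `ui` field (management interface and source address) is what lets an analyst separate an expected change window from a session arriving from an unexpected source.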
References :
- The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
- BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
- Industrial Cyber: Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
- The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
- www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
- Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
- securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
- www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
- techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
- Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
- Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
- gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
- securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
- cyble.com: CISA Alerts Users of CVE-2025-24472
- securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
- www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
- Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns: The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
- chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25
Classification:
- HashTags: #SuperBlack #Ransomware #Fortinet
- Company: Fortinet
- Target: Fortinet Users
- Attacker: Mora_001
- Product: Fortinet
- Feature: authentication bypass
- Malware: SuperBlack
- Type: Ransomware
- Severity: Major