CyberSecurity news

FlagThis - #fortinet

Bill Toulas@BleepingComputer //

SuperBlack Ransomware Exploits Fortinet Authentication Bypass Flaws - A new ransomware operator, Mora_001, is exploiting Fortinet vulnerabilities to deploy the SuperBlack ransomware.
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.

Recommended read:
References :
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies‘ Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25
@securityonline.info //

Coyote Malware Expands Reach Targeting Windows Systems - The Coyote Banking Trojan targets Microsoft Windows users, distributed via malicious LNK files executing PowerShell commands to harvest sensitive information and bypass sandbox discovery, now targeting 1,030 sites and 73 financial institutions.
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
@PCWorld //

New Snake Keylogger Variant Launches Mass Attacks - A new variant of Snake Keylogger is launching over 280 million attacks, primarily impacting users in China, Turkey, Indonesia, Taiwan, and Spain, stealing credentials from browsers like Chrome and exfiltrating data via Telegram Bots.
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.

Recommended read:
References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
@securityonline.info //

Coyote Trojan Targets Brazilian Financial Application Users - The Coyote Banking Trojan targets Brazilian users by stealing data from over 70 financial applications and websites using malicious LNK files and PowerShell scripts.
The Coyote Banking Trojan is actively targeting financial institutions and online banking users in Brazil, stealing data from over 70 financial applications and websites. Cybersecurity researchers at FortiGuard Labs have uncovered this stealthy and highly sophisticated banking trojan which leverages malicious LNK files and PowerShell scripts to infiltrate Windows systems, deploy payloads, and steal sensitive banking credentials. The attack begins with a weaponized LNK file that executes a hidden PowerShell command, connecting to a remote server and downloading additional malicious scripts, initiating the next stage of the attack.

The Trojan can keylog user activity, capture screenshots, display phishing overlays, and even manipulate browser windows to steal financial data. It collects system information such as the machine ID, MAC address, Windows version, and installed security software, sending these details to remote command-and-control servers. The final payload includes the main Coyote Banking Trojan, which expands its target list to over 1,000 websites and 73 financial agents. Accessing any of the targeted sites could trigger further malicious activity, enhancing the threat to financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
Stefan Hostetler, Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus @Arctic Wolf //

Fortinet Firewall Configs Leaked From Zero Day - A hacking group leaked configuration files and VPN credentials for over 15,000 FortiGate devices, exposing sensitive information.
References: ciso2ciso.com , Kevin Beaumont , ...
A new hacking group, known as Belsen Group, has leaked configuration files and VPN credentials for over 15,000 FortiGate firewall devices. The data, which includes full configuration dumps, device management certificates and even some plain text passwords, was made freely available on the dark web. Security researcher Kevin Beaumont first brought the issue to light, later confirmed by CloudSEK, and noted the vulnerability primarily affected Fortigate 7.0.x and 7.2.x devices.

The Belsen Group is believed to have been active since 2022, despite only recently appearing on social media and cybercrime forums. The leaked data was likely collected using a zero-day exploit in 2022, specifically CVE-2022-40684, and has only been released in January 2025. This means even organizations that have since patched may still be vulnerable if their configurations were captured by Belsen Group in 2022. The exposure of the data, which includes firewall rules, poses a significant security risk to affected organizations.

Recommended read:
References :
  • ciso2ciso.com: Ciso2Ciso news about new hacking group leaks configuration of 15,000 Fortinet Firewalls.
  • Kevin Beaumont: Cyberplace.Social post by GossiTheDog about Fortigate config data leak.
  • www.bleepingcomputer.com: BleepingComputer Article about hackers leak configs and VPN credentials for 15,000 FortiGate devices.
  • : RT @S0ufi4n3: “2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.“
  • www.theregister.com: 15,000 FortiGate Firewall Configurations Leaked by Belsen Group

Blogs

Research Tools