Fortinet Firewall Exploited: Ransomware Attacks Surge

March 17, 2025

LockBit Hackers Exploit Fortinet Firewall Weaknesses

Cybersecurity experts have detected malicious actors associated with the LockBit ransomware group leveraging a pair of security flaws within Fortinet firewalls. These vulnerabilities are being used to deploy ransomware across multiple corporate networks.

Fortinet Vulnerabilities Exploited

Researchers at Forescout Research, in a report released last week, identified a threat actor, designated “Mora_001,” actively exploiting Fortinet firewalls. These firewalls function as crucial security barriers at the perimeter of an organization’s network.

The first vulnerability, cataloged as CVE-2024-55591, has been actively exploited in attacks targeting Fortinet customers since December 2024. Forescout also reports that a second flaw, CVE-2025-24472, is now being used by Mora_001 in these attacks.

Fortinet promptly released security updates addressing both vulnerabilities in January. However, exploitation continues.

Ransomware Deployment: SuperBlack

Sai Molige, a senior manager of threat hunting at Forescout, stated that the cybersecurity firm has investigated three separate incidents across different companies. It is believed that additional organizations may have been affected.

During one confirmed breach, attackers were observed selectively encrypting file servers that housed sensitive data. This encryption process only commenced after data was successfully exfiltrated.

“This behavior aligns with current trends among ransomware operators, who now prioritize data theft before causing disruption,” Molige explained.

Connection to LockBit Ransomware Gang

Forescout indicates that the Mora_001 threat actor follows a distinctive operational pattern with “close ties” to the LockBit ransomware gang, which was disrupted by U.S. law enforcement last year.

The SuperBlack ransomware utilized in these attacks is built upon the leaked code from the LockBit 3.0 malware. Furthermore, the ransom note employed by Mora_001 contains the same communication address used by LockBit.

“This suggests that Mora_001 may be a current affiliate operating with distinct methods, or a related group sharing communication infrastructure,” Molige noted.

Ongoing Exploitation and Patching Concerns

Stefan Hostetler, head of threat intelligence at Arctic Wolf, previously observed exploitation of CVE-2024-55591. He suggests that these recent findings indicate attackers are targeting organizations that have not yet applied the available patch or adequately secured their firewall configurations.

Hostetler also points out similarities between the ransom note used in these attacks and those associated with other ransomware groups, including the now-inactive ALPHV/BlackCat.

Fortinet has not yet responded to inquiries from TechCrunch regarding this matter.

Key Takeaways

  • LockBit-affiliated hackers are exploiting Fortinet firewall vulnerabilities.
  • The SuperBlack ransomware is being deployed after data exfiltration.
  • Organizations are urged to promptly apply security patches and harden firewall configurations.