
SuperBlack Ransomware operators take advantage of vulnerabilities in Fortinet Firewall in latest attacks – Source: securityaffairs.com


Operators of the SuperBlack ransomware have been exploiting two vulnerabilities in Fortinet firewalls, according to researchers at Forescout Research – Vedere Labs, who observed the intrusions between January and March 2025. The threat actor, tracked as “Mora_001”, runs these attacks with a level of discipline that points to a possible affiliation with the LockBit ecosystem.

Mora_001’s distinctive operational signature, together with Russian-language artifacts, has led the researchers to suspect a connection to LockBit ransomware operations. The group built its encryptor, named SuperBlack, with the leaked LockBit builder, but stripped all LockBit branding from the payload and from its attacks.

Although the group is tracked independently, its post-exploitation tradecraft, including the reuse of the same usernames and IP addresses across different victims, points to a structured playbook that gets ransomware deployed within 48 hours of initial access. The ransom note also carries a TOX ID shared with LockBit, which again suggests an affiliation, although the group’s distinct operational patterns mark it as a separate entity capable of running intrusions on its own.

The entry points were CVE-2024-55591 and CVE-2025-24472, two authentication bypasses in FortiOS and FortiProxy that Mora_001 used to obtain super_admin access on vulnerable Fortinet appliances. Both allow an unauthenticated attacker to gain super_admin privileges on FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17) when the management interface is reachable by the attacker, so exposure of that interface, not just the firmware version, determines whether a device is at risk. Mora_001 weaponized the flaws quickly: exploitation followed the public release of a proof-of-concept exploit on January 27, 2025.

The attackers used two distinct techniques. One exploited the WebSocket vulnerability through the jsconsole interface (the appliance’s browser-based CLI console); the other sent direct HTTPS requests that reached the same underlying flaw. Mora_001 ran both the unmodified public PoC and slightly altered versions of it, changing the usernames and IP addresses it uses in an attempt to evade signature-based detection.
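Because the operators vary the usernames and source addresses they feed to the exploit, detection has to key on the channel and the outcome rather than on specific names or IPs: a super_admin login arriving over jsconsole from an address that cannot be a real console session, and a new local administrator being added right after it. The following is an added example, not code from the article or from Forescout, showing that detection logic run over constructed FortiOS-style event-log lines (modelled on the key="value" event-log format; the log lines, the trusted management network and the 10.0.0.0/24 prefix are assumptions made for the example). It also includes a helper that tests a FortiOS version against the 7.0.0 through 7.0.16 range Fortinet lists as affected; the FortiProxy branches are not covered by that helper.

```python
import ipaddress
import re

# FortiOS event logs are space-separated key="value" or key=value tokens.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ASSUMPTION for this example: the only network legitimate admin sessions come from.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log lines in FortiOS event-log style (not captured from a device).
SAMPLE_LOGS = [
    # 0: benign GUI login from an admin workstation on the management network
    'date=2025-02-03 time=09:14:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.25)" method="https" '
    'srcip=10.0.0.25 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.25)"',
    # 1: suspicious: super_admin login over jsconsole with an arbitrary, self-referential source address
    'date=2025-02-03 time=09:15:44 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    # 2: suspicious: a new super_admin account added through the jsconsole channel
    'date=2025-02-03 time=09:16:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin vOcep"',
    # 3: benign: jsconsole use from the management network, source and destination differ
    'date=2025-02-03 time=10:02:31 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="jsconsole(10.0.0.25)" method="jsconsole" '
    'srcip=10.0.0.25 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator netops logged in successfully from jsconsole(10.0.0.25)"',
]


def parse_fortios_log(line):
    """Turn one key=value event-log line into a dict (quoted or bare values)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _TOKEN.findall(line)}


def _from_trusted_net(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def classify(rec):
    """Return alert strings for one parsed record; an empty list means nothing suspicious."""
    alerts = []
    ui = rec.get("ui", "")
    via_jsconsole = ui.startswith("jsconsole") or rec.get("method") == "jsconsole"

    # Rule 1: a successful login over jsconsole whose source is not a real console session:
    # either srcip equals dstip (attacker-chosen filler) or it is outside the management network.
    if rec.get("action") == "login" and rec.get("status") == "success" and via_jsconsole:
        src, dst = rec.get("srcip", ""), rec.get("dstip", "")
        if src == dst or not _from_trusted_net(src):
            alerts.append(
                f"jsconsole login as {rec.get('user')!r} profile={rec.get('profile')} "
                f"srcip={src} dstip={dst}"
            )

    # Rule 2: any new local administrator; rated HIGH when it was added through jsconsole.
    if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
        severity = "HIGH" if via_jsconsole else "MEDIUM"
        alerts.append(
            f"{severity}: admin account {rec.get('cfgobj')!r} added via {ui} "
            f"attrs={rec.get('cfgattr', '')}"
        )
    return alerts


def scan(lines):
    """Run classify() over every line; returns (line_index, alert) pairs."""
    return [(i, alert) for i, line in enumerate(lines) for alert in classify(parse_fortios_log(line))]


def fortios_affected(version):
    """True if a FortiOS version falls in the range Fortinet lists as affected by
    CVE-2024-55591 / CVE-2025-24472 (7.0.0 through 7.0.16; fixed in 7.0.17)."""
    major, minor, patch = (int(part) for part in version.split("."))
    return (major, minor) == (7, 0) and patch <= 16


if __name__ == "__main__":
    for index, alert in scan(SAMPLE_LOGS):
        print(f"line {index}: {alert}")
    for v in ("7.0.16", "7.0.17", "7.2.5"):
        print(v, "affected" if fortios_affected(v) else "not affected")
```

Rule 1 deliberately does not look at the username or the source address value itself, only at whether the pair is plausible for a console session, so swapping in a different name or IP, as the group does, still trips it. In a real deployment the trusted prefix would come from the management-access configuration of the appliance, and the hits would be fed to the SIEM alongside the outbound SSH and WMIC activity described later in the article.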

Once inside, Mora_001 went after high-value assets such as file servers and domain controllers, using WMIC for discovery and SSH for lateral movement, exfiltrating data, and only then deploying the ransomware. SuperBlack is a variant of LockBit 3.0 and bundles a wiper component, WipeBlack, that erases traces of the ransomware executable after encryption has completed.

WipeBlack has appeared before in incidents attributed to LockBit and to the BrainCipher ransomware group, and has connections to other operations including SenSayQ, EstateRansomware and RebornRansomware. Its association with the leaked LockBit builder further supports the link between SuperBlack and LockBit-derived ransomware activity, since its purpose is to remove the evidence of the ransom executable once encryption is done.

The SuperBlack campaign run by Mora_001 shows how quickly a public proof of concept against a perimeter device turns into a full ransomware intrusion. For defenders the immediate actions are to upgrade affected FortiOS and FortiProxy builds, to keep firewall management interfaces off the internet, and to review administrator logins and newly created administrator accounts on any device that was exposed before patching.
