Security experts have identified a surge in cyberattacks targeting unprotected Fortinet firewalls, with hackers leveraging two critical vulnerabilities to infiltrate corporate networks and deploy ransomware payloads. Researchers attribute these incidents to a group known as Mora_001, which demonstrates strong technical overlaps with the infamous LockBit ransomware operation.
The attackers exploit CVE-2024-55591 and CVE-2025-24472 – both patched by Fortinet in January 2025 – to bypass security controls on internet-facing firewalls. Once inside networks, adversaries conduct careful reconnaissance before exfiltrating sensitive data and executing the “SuperBlack” ransomware, which shares code fingerprints with tools from the LockBit 3.0 arsenal. Hallmarks of the campaign include:
- Selective encryption of high-value file servers after data theft
- Mix of manual and automated network exploitation techniques
- Ransom notes containing LockBit-associated contact information
Cybersecurity firm Forescout has documented three confirmed breaches involving this attack chain, with evidence suggesting broader undetected campaigns. “The attackers prioritize data exfiltration before triggering encryption, aligning with modern ransomware economics where stolen information enables double extortion,” explained a senior threat analyst familiar with the investigations.
Network defenders should:
- Immediately apply Fortinet’s security updates for firewall devices
- Review remote access configurations and disable unnecessary services
- Implement multi-factor authentication on all administrative interfaces
- Monitor network traffic for suspicious SSL-VPN activity patterns
While LockBit’s infrastructure suffered major law enforcement disruption in 2024, these new campaigns confirm that affiliated operators continue evolving their tactics. The reuse of LockBit’s ransomware infrastructure components suggests either direct collaboration between groups or shared access to leaked cybercrime tools.
“Organizations’ patching delays create ideal attack surfaces. Cybercriminals systematically target firewall vulnerabilities because compromising these perimeter defenses provides deep network access.”
Enterprise Security Specialist