Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities between late January and early March. The attacks started with the compromise of FortiGate firewall appliances and ultimately led to the deployment of a newly discovered ransomware strain, which has been named SuperBlack. The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black).

“The primary differences lie in the ransom note left after encryption and a custom data exfiltration executable,” Sai Molige and researchers from Vedere Labs wrote in a Wednesday blog post. “Due to these modifications, we have designated this variant ‘SuperBlack.’ We attribute these intrusions to a threat actor we are tracking as ‘Mora_001’ which follows our naming convention of using mythology from different regions.” 

In this case, the post added, “We’re using Slavic mythology since the actor uses artifacts in Russian. This actor exhibits a distinct operational signature that blends elements of opportunistic attacks with ties to the LockBit ecosystem.”

Furthermore, Mora_001's relationship to the broader LockBit ransomware operation underscores the increased complexity of the modern ransomware landscape, in which specialized teams collaborate to leverage complementary capabilities. "We recently highlighted this trend in our research on zero-day exploits targeting DrayTek routers."

The latest Forescout report details Mora_001’s tactics, techniques, and procedures (TTPs), along with recommended detection and mitigation strategies. “We will continue monitoring this actor and refining our assessment as we develop our understanding of their relationship to Lockbit.”

Forescout is tracking Mora_001 as an independent threat actor while recognizing its ties to established ransomware operations, based on several factors: consistent post-exploitation patterns across the incidents investigated, including the creation of identical usernames across multiple victim networks; overlapping IP addresses used for initial access, post-exploitation, and command-and-control (C2) operations; similar configuration backup behaviors in compromised environments; and rapid ransomware deployment within 48 hours when conditions are favorable, with extended reconnaissance in environments with stricter security controls.

Forescout also identified customization of the SuperBlack ransomware: the actor leveraged the leaked LockBit builder, modified the ransom note structure by removing LockBit branding, and employed its own exfiltration tool. Lastly, the researchers noted Mora_001's relationship to LockBit, since the ransom note includes the same TOX ID used by LockBit, suggesting a potential link to the infamous ransomware gang. This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels.

“The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates,” the researchers added. “This consistent operational framework suggests a distinct threat actor with a structured playbook, rather than multiple operators following a generalized LockBit methodology. By analyzing the intrusion timeline, overlapping indicators, and operational patterns, we can confidently attribute future intrusions to this entity – independent of its exact relationship to LockBit.”

The investigation identified intrusions across multiple environments, traced back to the exploitation of Fortinet firewall vulnerabilities. The researchers also presented near-complete firewall logs, which were instrumental in reconstructing these attack sequences. To protect affected organizations still undergoing remediation, dates, timestamps, and other sensitive details have been redacted.

“CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain ‘super_admin’ privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces,” the post identified.

A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours Forescout observed active exploitation in the wild using two distinct methods. The first is jsconsole, where the WebSocket vulnerability is exploited directly via the jsconsole interface; in logs, this activity appears as jsconsole(IP), with the IP address often spoofed as 127.0.0.1, 13.73.13.73, 8.8.8.8, 1.1.1.1, or other recognizable addresses. The second is HTTPS, an alternative method using direct HTTPS requests; while it appears differently in logs, it targets the same underlying vulnerability.
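As an added illustration (not code from Forescout or the original article), the following Python script scans FortiGate-style event-log lines for the jsconsole(IP) signature described above, treating loopback and the listed spoofed addresses as high-confidence hits and any other jsconsole use as worth review. The log lines are constructed samples in a simplified key=value form, and the field names are assumptions.

```python
import ipaddress
import re

# Constructed FortiGate-style event-log lines (simplified key=value form, not real
# captures). The ui="jsconsole(IP)" shape and the spoofed addresses follow the
# Forescout write-up; the https login is a benign control line.
SAMPLE_LOGS = [
    'logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 action="login" status="success"',
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(13.73.13.73)" action="Add" cfgpath="user.local" cfgobj="jsmith1"',
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"',
    'logdesc="Admin login successful" user="admin" ui="jsconsole(203.0.113.9)" action="login" status="success"',
]

# Addresses the report lists as commonly spoofed jsconsole origins.
KNOWN_SPOOFED = {"127.0.0.1", "13.73.13.73", "8.8.8.8", "1.1.1.1"}

# Matches both key="quoted value" and key=bare value (FortiGate logs use both).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(?P<iface>[A-Za-z]+)(?:\((?P<ip>[^)]*)\))?$')

def parse_line(line):
    """Parse one log line into a dict of field -> value."""
    return {k: (b if b else q) for k, q, b in KV_RE.findall(line)}

def classify(fields):
    """Return a reason string when the entry reflects jsconsole use, else None."""
    m = UI_RE.match(fields.get("ui", ""))
    if not m or m.group("iface") != "jsconsole":
        return None
    # The source appears either inside ui="jsconsole(IP)" or in a separate srcip field.
    ip = m.group("ip") or fields.get("srcip", "")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"jsconsole with unparsable source {ip!r}"
    if ip in KNOWN_SPOOFED or addr.is_loopback:
        return f"jsconsole from spoofed/loopback source {ip}"
    return f"jsconsole from {ip}"  # jsconsole use is rare; still review it

def find_jsconsole_events(lines):
    """Return (user, action, reason) for every jsconsole-originated event."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reason = classify(f)
        if reason:
            hits.append((f.get("user"), f.get("action"), reason))
    return hits
```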

The researchers noted, “We observed instances where the threat actor leveraged the default PoC exploit as well as slightly modified variants where only minor changes – such as altered usernames and IP addresses – were introduced.”

“When the firewall had VPN capabilities, the threat actor created local VPN user accounts with names resembling legitimate accounts but with an added digit at the end,” they added. “These newly created users were then added to the VPN user group, enabling future logins. This tactic was likely intended to evade detection during casual administrative reviews and to maintain persistent access even if the initial entry points were discovered. The actor then manually assigned a password to the newly created users.”

To identify potential paths for lateral movement, the SuperBlack threat actor leveraged built-in FortiGate dashboards to gather environmental intelligence beyond what was available in the previously downloaded configuration file.

The SuperBlack threat actor accessed FortiGate dashboards where the Status Dashboard displays system metrics and status indicators; Security Dashboard provides insights into threat detection, vulnerability assessments, and compromised hosts; and Network Dashboard shows routing details, DHCP status, SD-WAN performance, and VPN connections. Also, the Users & Devices Dashboard lists endpoint devices, FortiClient connections, user authentication, and quarantined devices, and the WiFi Dashboard monitors wireless networks, access points, client connections, and wireless security alerts.

Using firewall configurations, dashboard insights, and established network access (via VPN or direct authentication), the SuperBlack attackers moved laterally within the network, prioritizing high-value targets, including file servers, authentication servers and domain controllers, database servers, and other network infrastructure devices.

The actor primarily relied on the Windows Management Instrumentation command-line utility (WMIC) for remote system discovery and execution, and on SSH to access additional systems, particularly servers and network devices. In one confirmed case, the attacker focused on identifying and compromising file servers, which became primary targets for data exfiltration and ransomware deployment. Instead of encrypting the entire network, the attacker selectively encrypted file servers containing sensitive data. The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption.

“The intrusions we investigated highlight the increasing trend of exploiting perimeter security appliances for initial access,” the researchers added. “The rapid transition from vulnerability disclosure to active exploitation significantly narrows the window for organizations to apply critical updates.”

To mitigate these SuperBlack threats, organizations must adopt a ‘defense in depth’ approach by properly segmenting networks and implementing layered security controls that can limit attackers’ ability to achieve their objectives.

As of this writing, the highest number of exposed FortiGate firewalls are in the United States (7677), India (5536), and Brazil (3201). 

Forescout recommends that FortiGate users immediately patch vulnerable systems by applying the FortiOS updates addressing CVE-2024-55591 and CVE-2025-24472. Users must also restrict management access by disabling external management access to firewalls whenever possible, audit administrator accounts and remove any unauthorized or unexpected users, and examine automation settings for unauthorized automation tasks, particularly those set to run daily or during off-hours.

Furthermore, users must audit all VPN users and groups for slight variations of legitimate usernames or recently created accounts without clear business justification. They must also enable comprehensive logging, since a common gap in investigations is its absence. Ensure the following are enabled: CLI audit logs on FortiGate, HTTP/S traffic logs to and from firewalls, Network Policy Server (NPS) auditing for authentication events, and authentication system auditing set to record both successes and failures (rather than just failures). Comprehensive logging enhances detection, investigation, and proactive threat hunting.
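The following Python script is an added example, not Forescout's tooling: it audits a constructed FortiOS-style configuration excerpt for local users whose name equals another existing name plus a trailing digit (the VPN-account tactic described earlier) and reports whether each lookalike is a VPN group member, which is the audit recommended above. It generalises the report's single added digit to any digit suffix; the configuration syntax is a simplified, assumed sample.

```python
import re

# Constructed FortiOS-style configuration excerpt (simplified sample, not a real
# capture). "jsmith1" mirrors the described tactic: a legitimate name plus a
# trailing digit, added to the VPN user group.
SAMPLE_CONFIG = """\
config user local
    edit "jsmith"
    next
    edit "jsmith1"
    next
end
config user group
    edit "sslvpn_users"
        set member "jsmith" "jsmith1"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit "([^"]+)"', re.M)
MEMBER_RE = re.compile(r'^\s*set member (.+)$', re.M)

def section(config, name):
    """Text of one top-level 'config <name>' block, up to its closing 'end'."""
    return config.split(f"config {name}", 1)[1].split("\nend", 1)[0]

def parse_users(config):
    """Local user names declared under 'config user local'."""
    return EDIT_RE.findall(section(config, "user local"))

def parse_vpn_members(config):
    """Union of members across every group under 'config user group'."""
    members = set()
    for line in MEMBER_RE.findall(section(config, "user group")):
        members.update(re.findall(r'"([^"]+)"', line))
    return members

def lookalike_accounts(usernames):
    """(lookalike, original) pairs where a name equals another existing name
    plus trailing digits (generalises the report's single added digit)."""
    names = set(usernames)
    flagged = []
    for name in sorted(names):
        base = name.rstrip("0123456789")
        if base and base != name and base in names:
            flagged.append((name, base))
    return flagged

def audit(config):
    """(lookalike, original, is_vpn_member) for each suspicious local user."""
    vpn = parse_vpn_members(config)
    return [(n, b, n in vpn) for n, b in lookalike_accounts(parse_users(config))]
```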

Forescout recently reported on a campaign by the Chinese threat actor Silver Fox, which exploited Philips DICOM viewers to deploy a backdoor trojan. This finding stemmed from a threat hunt for malicious software on VirusTotal. The follow-up analysis elaborates on the search methodology, utilizing eyeInspect’s and REM’s default credentials list and a database of popular medical software to identify malware that masquerades as legitimate healthcare applications, exploits medical system credentials, and interacts with medical devices through protocols like DICOM and HL7.
