Fortinet Firewalls Under Siege: Ransomware Attacks Surge

A new wave of ransomware attacks is targeting Fortinet firewalls, exploiting vulnerabilities to spread a custom ransomware strain called SuperBlack. This ransomware is linked to the notorious LockBit group, known for its sophisticated attacks on businesses and organizations. The attackers, identified as Mora_001, are using two specific vulnerabilities: CVE-2024-55591 and CVE-2025-24472, which allow them to bypass authentication and gain super-admin access to Fortinet devices[1][2][3].

Once inside, Mora_001 creates additional admin accounts to maintain persistence and uses tools like SSH to access high-value targets such as file servers and domain controllers. The SuperBlack ransomware encrypts sensitive data, forcing victims to either restore from backups or pay a ransom[2][4]. The attackers also use a wiper tool to remove evidence of the ransomware after encryption[4].

The use of these vulnerabilities highlights the importance of keeping software up-to-date. Fortinet disclosed CVE-2024-55591 in January 2025, warning of its active exploitation, and later added CVE-2025-24472 to its advisory[3][5]. Despite these warnings, many Fortinet users remain unpatched, leaving them vulnerable to such attacks[3].

For organizations to protect themselves, regular backups and software updates are essential. Backups should be stored separately from operational networks to ensure they remain safe during an attack. Additionally, auditing admin accounts and disabling external management access can help prevent unauthorized access[1][3].

In conclusion, the exploitation of Fortinet vulnerabilities by Mora_001 underscores the evolving threat landscape in cybersecurity. As ransomware groups continue to adapt and exploit new vulnerabilities, staying vigilant and proactive in security practices is crucial for businesses and individuals alike.