Lockbit Variant Mora_001 Bypasses Fortinet Defense

Researchers at Forescout have described a new ransomware operation, tracked as Mora_001, that exploits two critical vulnerabilities in Fortinet products to gain unauthorized access to firewalls and then deploy a custom encryptor called Superblack.

The two authentication-bypass vulnerabilities are designated CVE-2024-55591 (CVSS 9.8) and CVE-2025-24472 (CVSS 8.1). Fortinet disclosed them in January and February. While CVE-2024-55591 was already identified as a zero-day in November 2024, there was some uncertainty surrounding CVE-2025-24472: although Fortinet initially denied the existence of this vulnerability, the company later confirmed that it was being actively exploited.

Forescout first observed Superblack attacks at the end of January 2025 and found that the attackers had been exploiting CVE-2025-24472 since February 2, 2025. Although Forescout did not report these findings to Fortinet directly, the investigation results reached the company's PSIRT through an affected organization, and Fortinet subsequently updated its advisory to acknowledge the exploitation.

The Superblack attacks follow a structured pattern. The attackers first obtain super_admin privileges, either through WebSocket attacks via jsconsole or by sending crafted HTTPS requests to the firewall's management interface. They then create new administrator accounts with names such as Forticloud-Tech, Fortigate-Firewall, and Administrator, and modify automation tasks so that these accounts are re-created if an administrator deletes them.

After gaining a foothold, the attackers scan the network and use compromised VPN, WMI, SSH, and TACACS+/RADIUS accounts to move laterally through the infrastructure. Before encrypting data, they exfiltrate it for double extortion. The main targets are file servers, databases, and domain controllers.

Once encryption is complete, victims receive ransom notes demanding payment. The attackers then use the WipeBlack tool to remove traces of their activity, which makes incident analysis considerably harder.
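As an added example (not Forescout's tooling and not code from this article), the following Python triage checks FortiGate-style key=value event log lines for the initial-access and persistence behaviour described above: jsconsole sessions, creation of admin accounts with the reported names, and automation changes made by such accounts. The sample log lines are constructed, and the field names used (ui, cfgpath, cfgobj, action, user) are assumptions modeled on FortiGate's event log format rather than a guaranteed schema.

```python
import re
from typing import Dict, List, Tuple

# Admin account names reported for this campaign (compared case-insensitively)
ROGUE_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall", "administrator"}

# Constructed sample lines in FortiGate key=value syslog style.
# Field names (ui, cfgpath, cfgobj, action, user) are assumptions for this example.
SAMPLE_LOGS = [
    'date=2025-02-02 time=03:14:07 type="event" subtype="system" action="login" status="success" user="admin" ui="jsconsole" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-02-02 time=03:15:22 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="Forticloud-Tech" user="admin" ui="jsconsole" msg="Add system.admin Forticloud-Tech"',
    'date=2025-02-02 time=03:16:01 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="ops-oncall" user="admin" ui="GUI(10.0.0.5)" msg="Add system.admin ops-oncall"',
    'date=2025-02-02 time=03:17:45 type="event" subtype="system" action="Add" cfgpath="system.automation-action" cfgobj="recreate-admin" user="Forticloud-Tech" ui="https(203.0.113.7)" msg="Add system.automation-action recreate-admin"',
]

# key=value pairs; quoted values may contain spaces, unquoted values run to whitespace
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(line: str) -> List[str]:
    """Return the indicators matched by one log line (empty list if none)."""
    rec = parse_fortigate_line(line)
    hits: List[str] = []
    # Sessions through the jsconsole WebSocket path: the reported initial-access channel
    if rec.get("ui", "").lower().startswith("jsconsole"):
        hits.append("jsconsole-session")
    # Creation of admin accounts with the names reported for this campaign
    if rec.get("cfgpath") == "system.admin" and rec.get("action", "").lower() == "add":
        if rec.get("cfgobj", "").lower() in ROGUE_ADMIN_NAMES:
            hits.append("rogue-admin-created")
    # Automation objects changed by a rogue admin: persistence that re-creates deleted accounts
    if rec.get("cfgpath", "").startswith("system.automation") and rec.get("user", "").lower() in ROGUE_ADMIN_NAMES:
        hits.append("automation-persistence")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, indicators) for every line that matched at least one check."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := triage(line))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```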

Forescout identified several indicators linking Superblack to Lockbit:

  • The Superblack code is derived from Lockbit 3.0, maintaining the payload structure and encryption methods but without the original branding.
  • The TOX
