Mora_001 uses Fortinet flaws for SuperBlack ransomware
A new ransomware group called 'Mora_001' is exploiting two Fortinet vulnerabilities to access firewall systems and deploy a ransomware strain called SuperBlack. The vulnerabilities, CVE-2024-55591 and CVE-2025-24472, were disclosed by Fortinet earlier this year. Fortinet initially reported CVE-2024-55591 as exploited since November 2024. However, the company later clarified that CVE-2025-24472 had not been exploited until Forescout researchers identified SuperBlack attacks in January 2025, which led Fortinet to update its advisory. Forescout found that SuperBlack shares similarities with LockBit ransomware, including a common encryption method and links to LockBit's operations. The attacks involve gaining admin privileges, stealing data, and encrypting files, followed by deploying a wiper tool to erase evidence.