LockBit-Linked Hackers Exploit Fortinet Firewall Vulnerabilities to Deploy Ransomware

Sophia Steele

March 17, 2025 · 3 min read
Security researchers have sounded the alarm after discovering that hackers linked to the notorious LockBit gang have been exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on several company networks. The vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, were patched by Fortinet in January, but it appears that not all customers have applied the fixes, leaving them vulnerable to attack.

According to a report published by Forescout Research, a group dubbed "Mora_001" has been exploiting the Fortinet firewalls, which sit on the edge of a company's network and act as digital gatekeepers, to break in and deploy a custom ransomware strain known as "SuperBlack." The researchers have investigated three intrusions at different companies, but they believe there could be others.

In one confirmed intrusion, Forescout observed the attacker "selectively" encrypting file servers containing sensitive data. The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption. This approach suggests that the attackers are motivated by financial gain rather than simply causing chaos.

Forescout's analysis reveals that the Mora_001 threat actor "exhibits a distinct operational signature," which has "close ties" to the LockBit ransomware gang. The SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit. This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels.

Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, notes that Forescout's findings suggest hackers are "going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed." This highlights the importance of timely patching and robust security measures to prevent such attacks.

The ransom note used in these attacks bears similarities to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang. This could indicate that Mora_001 is drawing inspiration from other ransomware operators or sharing resources with them.

Fortinet did not respond to requests for comment on the matter. The company's silence is concerning, given the severity of the vulnerabilities and the potential impact on its customers. As the cybersecurity landscape continues to evolve, it is essential for vendors to be transparent about vulnerabilities and take proactive steps to protect their users.

The exploitation of Fortinet firewall vulnerabilities by LockBit-linked hackers serves as a stark reminder of the importance of robust security measures and timely patching. As ransomware attacks continue to rise, companies must remain vigilant and take proactive steps to protect themselves from these types of threats.
