New Ransomware Operator Exploits Fortinet Vulnerability Duo

· Published 14/03/2025 19:18 · Modified 14/03/2025 19:33

Essential information

Published
14/03/2025 19:18
Modified
14/03/2025 19:33
Tags
2025-03-14 CVE-2024-55591 CVE-2025-24472 data exfiltration firewall fortinet lateral movement lockbit ransomware superblack wipeblack
Related entities
23 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware, 8 others

Description

A new operator, dubbed Mora_001, has been exploiting Fortinet vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit. The threat actor creates persistent admin accounts, exfiltrates configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.

External references