
New SuperBlack ransomware exploits Fortinet auth bypass flaws

A new ransomware operator tracked as "Mora_001" is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.

The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.

When Fortinet first disclosed CVE-2024-55591 on January 14, it confirmed the flaw had been exploited as a zero-day, with Arctic Wolf reporting that it had been used in attacks since November 2024 to breach FortiGate firewalls.

Confusingly, on February 11 Fortinet added CVE-2025-24472 to the January advisory, which led many to believe it was a newly exploited flaw. However, Fortinet told BleepingComputer that this bug had also been fixed in the January release and had not been exploited.

"We are not aware that CVE-2025-24472 has ever been exploited," Fortinet told BleepingComputer at the time.

However, a new report by Forescout researchers says they discovered SuperBlack attacks in late January 2025, with the threat actor exploiting CVE-2025-24472 as early as February 2, 2025.

"While Forescout itself did not directly report the exploitation of 24472 to Fortinet, one of the victim organizations we worked with shared the findings of our investigation with the Fortinet PSIRT team," Forescout told BleepingComputer.

"Shortly after, Fortinet updated their advisory on February 11 to acknowledge CVE-2025-24472 as actively exploited."

BleepingComputer contacted Fortinet to clarify this point but is still waiting for a response.

SuperBlack ransomware attacks

Forescout says the Mora_001 ransomware operator follows a highly structured attack chain that varies little between victims.

First, the attacker obtains "super_admin" privileges by exploiting the two Fortinet flaws, either through WebSocket-based attacks via the jsconsole interface or by sending direct HTTPS requests to exposed firewall management interfaces.

They then create new administrator accounts (forticloud-tech, fortigate-firewall, adnimistrator) and modify automation tasks so that the accounts are re-created if they are deleted.

Overview of the Mora_001 attack chain
Source: Forescout

The attacker then maps the network and attempts lateral movement using stolen VPN credentials and the newly added VPN accounts, Windows Management Instrumentation (WMIC) and SSH, as well as TACACS+/RADIUS authentication.

Mora_001 steals data with a custom tool before encrypting files for double extortion, prioritizing file servers, database servers and domain controllers.

After encryption, ransom notes are dropped on the victims' systems. A custom wiper called "WipeBlack" is then deployed to remove all traces of the ransomware executable and hinder forensic analysis.
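The persistence step above (rogue super_admin accounts plus an automation task that re-creates them) leaves artefacts in the FortiGate configuration itself, which is one place defenders can hunt for it. The script below is an added example, not code from BleepingComputer or Forescout: it parses a FortiOS configuration backup, flags super_admin accounts missing from an allowlist, and flags automation actions whose CLI script creates administrator accounts. The config layout (`config` / `edit` / `set` / `next` / `end`) is the real FortiOS CLI format; the sample backup, the `netops` allowlist entry and the `sync-admins` action name are constructed for the demo, while the three account names are the ones Forescout reported.

```python
"""
Hunt a FortiOS configuration backup for Mora_001-style persistence:
unexpected super_admin accounts and automation actions that re-create them.

Added example (not Forescout's or BleepingComputer's code). The FortiOS CLI
layout is real; SAMPLE_CONFIG, EXPECTED_ADMINS and the action name are
constructed for this demonstration.
"""
import re

# Constructed FortiOS backup excerpt. "netops" stands in for a legitimate
# admin; the other names are the ones reported in the SuperBlack attacks.
# Multi-line automation scripts appear inside one quoted string, with inner
# quotes escaped as \" (that is how FortiOS prints them in a backup).
SAMPLE_CONFIG = """\
config system admin
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adnimistrator"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system automation-action
    edit "sync-admins"
        set action-type cli-script
        set script "config system admin
edit \\"fortigate-firewall\\"
set accprofile \\"super_admin\\"
next
end"
    next
end
"""

EXPECTED_ADMINS = {"netops"}  # constructed allowlist of sanctioned admins

_UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def parse_fortios(text):
    """Return {block: {entry: {key: value}}} for top-level config blocks.

    Only depth-1 entries are captured; nested sub-blocks are skipped. A 'set'
    whose quoted value spans several lines (automation scripts) is joined
    until the unescaped quotes balance, so its 'config'/'end' lines are not
    mistaken for real block boundaries.
    """
    blocks, block, entry, depth = {}, None, None, 0
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                block = line[len("config "):]
                blocks.setdefault(block, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                block = entry = None
        elif depth == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            blocks[block][entry] = {}
        elif depth == 1 and line == "next":
            entry = None
        elif depth == 1 and entry is not None and line.startswith("set "):
            while len(_UNESCAPED_QUOTE.findall(line)) % 2 and i + 1 < len(lines):
                i += 1
                line += "\n" + lines[i]
            key, _, value = line[len("set "):].partition(" ")
            blocks[block][entry][key] = (
                value.strip().strip('"').replace('\\"', '"')
            )
        i += 1
    return blocks


def find_rogue_admins(blocks, expected=EXPECTED_ADMINS):
    """super_admin accounts that are not on the allowlist."""
    admins = blocks.get("system admin", {})
    return sorted(
        name for name, attrs in admins.items()
        if attrs.get("accprofile") == "super_admin" and name not in expected
    )


def accounts_created_by_actions(blocks):
    """{action name: [admin accounts its CLI script creates]} for any
    cli-script automation action that touches 'config system admin'."""
    actions = blocks.get("system automation-action", {})
    found = {}
    for name, attrs in actions.items():
        script = attrs.get("script", "")
        if attrs.get("action-type") == "cli-script" and "config system admin" in script:
            found[name] = re.findall(r'edit "([^"]+)"', script)
    return found


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("rogue super_admin accounts:", find_rogue_admins(cfg))
    print("admin-creating automation actions:", accounts_created_by_actions(cfg))
```

Run it against a real backup (`execute backup config` output) by replacing `SAMPLE_CONFIG` with the file contents; the interesting signal is any automation action that scripts `config system admin`, since that is how a deleted rogue account comes back.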

SuperBlack ransom note
Source: Forescout

SuperBlack's links to LockBit

Forescout found extensive evidence of strong ties between SuperBlack and LockBit ransomware, although the former appears to operate independently.

The first element is that the SuperBlack encryptor (VirusTotal) is based on LockBit 3.0's leaked builder, sharing the same payload structure and encryption routines, but with all of the original branding stripped out.

Relationship chart based on the available evidence
Source: Forescout

Secondly, the SuperBlack ransom note includes a Tox chat ID linked to LockBit operations, suggesting that Mora_001 is either a former LockBit affiliate or a former member of its core team that manages payments and negotiations.

The third element pointing to the link is extensive IP address overlap with earlier LockBit operations. WipeBlack has also been used by BrainCipher, EstateRansomware and SenSayQ ransomware, all tied to LockBit.

Forescout shared an extensive list of indicators of compromise (IOCs) associated with SuperBlack ransomware at the bottom of its report.
