Core Insights
- Hackers linked to the LockBit gang are exploiting vulnerabilities in Fortinet firewalls to deploy a custom ransomware strain named "SuperBlack" [1][3]
- Two vulnerabilities, CVE-2024-55591 and CVE-2025-24472, have been identified as being exploited since December 2024, with patches released by Fortinet in January [1][5]
- The Mora_001 threat actor shows operational ties to the LockBit gang, indicating a potential affiliate relationship or shared communication channels [3][4]

Vulnerabilities and Exploitation
- The first vulnerability, CVE-2024-55591, has been actively exploited in cyberattacks against Fortinet customers since December 2024 [1]
- The second vulnerability, CVE-2025-24472, is also being targeted by the Mora_001 group [1]
- Forescout has investigated multiple incidents, confirming selective encryption of sensitive data after data exfiltration [2]

Ransomware Characteristics
- The SuperBlack ransomware is based on the leaked builder from LockBit 3.0 attacks, and the ransom note used by Mora_001 shares the same messaging address as LockBit [3]
- The operational signature of Mora_001 suggests a distinct methodology that aligns with recent trends in ransomware attacks, focusing on data theft [2][3]

Industry Response
- Cybersecurity experts indicate that the ongoing exploitation of these vulnerabilities targets organizations that failed to apply patches or secure their firewall configurations [5]
- Fortinet has not provided comments regarding the ongoing situation or the vulnerabilities [6]

Hackers are exploiting Fortinet firewall bugs to plant ransomware