A new ransomware strain known as SuperBlack has emerged, targeting organizations by exploiting critical vulnerabilities in Fortinet’s security appliances. The cybercriminal behind this operation, identified as Mora_001, is leveraging authentication bypass flaws in Fortinet products to infiltrate networks, encrypt data, and potentially exfiltrate sensitive information.
If your organization relies on Fortinet for cybersecurity, this is a critical threat you need to address immediately.
How SuperBlack Ransomware Works
SuperBlack ransomware exploits two major authentication bypass vulnerabilities in Fortinet’s security infrastructure:
1. CVE-2024-55591
This vulnerability affects FortiOS and FortiProxy, allowing attackers to gain super-admin privileges without authentication. The exploit works by sending specially crafted WebSocket requests to the Node.js interface, bypassing standard security controls.
2. CVE-2025-24472
Another critical flaw, this vulnerability enables attackers to elevate privileges remotely, giving them unrestricted access to Fortinet devices.
Both of these vulnerabilities were exploited in the wild before Fortinet issued patches, making organizations that haven’t updated their systems vulnerable to attack.
SuperBlack Ransomware Attack Chain
SuperBlack follows a structured attack methodology, making it highly effective at compromising and encrypting target systems. Here’s how it works:
1. Initial Access
The attacker exploits the Fortinet vulnerabilities to gain admin access on affected devices.
2. Establishing Persistence
After gaining access, the attacker creates hidden admin accounts, such as:
forticloud-techfortigate-firewalladministrator
These accounts allow long-term access even after rebooting or patching.
3. Network Reconnaissance and Lateral Movement
Once inside, the attacker moves through the network, scanning for critical servers and databases. They use:
- Stolen VPN credentials
- SSH connections
- Remote administration tools
4. Data Exfiltration and Encryption
Before launching the ransomware, attackers steal sensitive data for additional leverage. Files are encrypted using AES-256 encryption, leaving victims locked out of their own systems.
5. Covering Tracks
To prevent forensic analysis, attackers use WipeBlack, a custom tool that deletes traces of the attack, making incident response more difficult.
Potential Links to LockBit Ransomware
Security researchers have discovered overlapping indicators between SuperBlack and the infamous LockBit ransomware group.
Possible Connections:
- Similar attack tactics: Both groups use fast encryption, lateral movement, and VPN exploits.
- Shared infrastructure: Some command-and-control (C2) servers match those used by LockBit.
- Ransom note similarities: SuperBlack ransom notes contain TOX IDs linked to LockBit.
While it’s unclear whether SuperBlack is a LockBit affiliate or a splinter group, the similarities suggest a high level of sophistication and shared cybercrime techniques.
How to Protect Your Organization
1. Apply Security Patches Immediately
Update your Fortinet devices to the latest firmware that addresses CVE-2024-55591 and CVE-2025-24472.
2. Restrict Administrative Access
Disable HTTP/HTTPS admin access on Fortinet devices or restrict it to trusted IP addresses only.
3. Monitor for Indicators of Compromise (IoCs)
Look for unusual activity, such as:
- New admin accounts appearing
- Unexplained VPN logins
- Unauthorized configuration changes
4. Enhance Network Segmentation
Prevent lateral movement by segmenting your network and limiting access between critical systems.
5. Conduct Regular Security Audits
Perform routine vulnerability assessments to detect and remediate security gaps before attackers exploit them.
Final Thoughts
The SuperBlack ransomware campaign is one of the most dangerous threats currently targeting organizations using Fortinet security appliances.
By taking immediate action—patching vulnerabilities, restricting admin access, and monitoring for suspicious activity—companies can significantly reduce the risk of a ransomware attack.
Don’t wait until it’s too late. If your organization uses Fortinet products, ensure you are fully patched and secured today.
