Fortinet firewall bugs are being targeted by LockBit ransomware hackers

(Image credit: Pixabay)

Security pros spot a new LockBit variant in the wild
A potential affiliate abused two Fortinet flaws to deploy the encryptor
There are multiple overlaps with LockBit 3.0

LockBit affiliates are using vulnerable Fortinet endpoints to target businesses with an updated ransomware strain, experts have warned.

Cybersecurity researchers at Forescout found the threat actor is using two vulnerabilities in Fortinet firewalls, tracked as CVE-2024-55591, and CVE-2025-24472, to deploy an updated ransomware strain named SuperBlack.

Both vulnerabilities had been used in the past before, and both were patched in January 2025 - so the best way to defend against the attacks is to make sure your Fortinet firewalls are up to date.

At least three victims

Forescout named the group running the attacks “Mora_001”. Since there are some overlaps in its tactics, techniques, and procedures (TTP) with LockBit, the researchers believe the group could be a LockBit affiliate.

Apparently, SuperBlack is based on the builder that was used in LockBit 3.0 attacks, and which leaked in the past. Furthermore, the ransom note in both LockBit and Mora_001 attacks uses the same messaging address.

Speaking to TechCrunch, senior manager of threat hunting at Forescout, Sai Molige, said there were at least three confirmed cases, but added that “there could be others”.

LockBit was one of the most disruptive and influential ransomware groups around, however, in late February 2024, it was struck by the FBI, and it never fully recovered. The law enforcement seized its website, the data it held, and obtained “thousands” of decryption keys.

It also obtained information about its affiliates which, at the time, counted around 200 groups, and later urged the affiliates to come forward. In February this year, the bulletproof hosting service provider, allegedly used by LockBit, was sanctioned by the US and the UK.

LockBit took roughly a week to get back on its feet and resume operations, but it is possible that many of its affiliates pivoted to other groups, such as RansomHub or Medusa.

US, UK crack down on Russian bulletproof hosting service ZServers for LockBit partnership
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.