Hackers exploit bugs in Fortinet firewalls to plant ransomware
Security researchers have observed hackers linked to the notorious LockBit gang using a pair of vulnerabilities in Fortinet firewalls to deploy ransomware across several corporate networks.
In a report published last week, security researchers at Forescout Research said a group it tracks as "Mora_001" is using Fortinet firewalls, which sit at the edge of a company's network and act as digital gatekeepers, to break in and deploy a custom ransomware.
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach corporate networks since December 2024. Forescout said a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, a senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity company has "investigated three incidents at different companies, but we believe there may be others."
In one confirmed intrusion, Forescout said it observed the attackers "selectively" encrypting files containing sensitive data.
"Encryption is initiated only after data exfiltration, aligning with recent trends among ransomware operators that prioritize data theft over pure disruption," Molige said.
Forescout says the threat actor Mora_001 "exhibits a distinct operational signature" that the company says overlaps with that of the LockBit ransomware gang, which was disrupted by U.S. authorities last year. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while the ransom note used by Mora_001 includes the same messaging address used by LockBit.
"This connection may indicate that Mora_001 is either a current affiliate with unique operational methods or an associated group sharing communication channels," Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity company Arctic Wolf, which previously observed exploitation of CVE-2024-55591, told TechCrunch that Forescout's findings suggest the hackers are "continuing to go after other organizations that were not able to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed."
Hostetler says the ransom note used in these attacks bears a resemblance to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch's questions.