Security researchers have observed hackers linked to the notorious LockBit gang exploiting a pair of Fortinet firewall vulnerabilities to deploy ransomware on several company networks.
In a report published last week, security researchers at Forescout Research said a group it’s tracking dubbed “Mora_001” is exploiting the Fortinet firewalls, which sit on the edge of a company’s network and act as digital gatekeepers, to break in and deploy a custom ransomware strain they call “SuperBlack.”
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks to breach the corporate networks of Fortinet customers since December 2024. Forescout says a second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity firm has “investigated three events in different companies, but we believe there could be others.”
In one confirmed intrusion, Forescout said it observed the attacker “selectively” encrypting file servers containing sensitive data.
“The encryption was initiated only after data exfiltration, aligning with recent trends among ransomware operators who prioritize data theft over pure disruption,” said Molige.
Forescout says the Mora_001 threat actor “exhibits a distinct operational signature,” which the firm says has “close ties” to the LockBit ransomware gang, which was last year disrupted by U.S. authorities. Molige said the SuperBlack ransomware is based on the leaked builder behind the malware used in LockBit 3.0 attacks, while a ransom note used by Mora_001 includes the same messaging address used by LockBit.
“This connection could indicate that Mora_001 is either a current affiliate with unique operational methods or an associate group sharing communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at cybersecurity firm Arctic Wolf, which previously observed exploitation of CVE-2024-55591, tells TechCrunch that Forescout’s findings suggest hackers are “going after the remaining organizations who were unable to apply the patch or harden their firewall configurations when the vulnerability was originally disclosed.”
Hostetler says the ransom note used in these attacks bears similarity to that of other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch’s questions.