Security researchers have observed hackers linked to the infamous LockBit gang exploiting a pair of vulnerabilities in Fortinet firewalls to deploy ransomware across several corporate networks.
In a report released last week, security researchers at Forescout Research said a group it tracks as “Mora_001” is exploiting Fortinet firewalls.
One of the vulnerabilities, tracked as CVE-2024-55591, has been exploited in cyberattacks since December 2024 to break into the corporate networks of Fortinet customers. Forescout says the second bug, tracked as CVE-2025-24472, is also being exploited by Mora_001 in the attacks. Fortinet released patches for both bugs in January.
Sai Molige, senior manager of threat hunting at Forescout, told TechCrunch that the cybersecurity company “has investigated three events in different companies and believes there are others.”
In one confirmed intrusion, Forescout said it observed that the attacker “selectively” encrypts file servers containing sensitive data.
“Encryption only started after data exfiltration, in line with the recent trends of ransomware operators who prioritize data theft over pure disruption,” Molige said.
Forescout says the threat actor Mora_001 “shows a clear operational signature.” The company says it has “close ties” with the LockBit ransomware gang, which was disrupted by US authorities last year. Molige said that the SuperBlack ransomware is based on leaked builders for the malware used in LockBit 3.0 attacks, while the ransom notes used by Mora_001 include the same messaging address used by LockBit.
“This connection could indicate that MORA_001 is either a current affiliate with a unique way of operation, or an associate group that shares communication channels,” Molige said.
Stefan Hostetler, head of threat intelligence at Arctic Wolf, a cybersecurity company that previously observed the exploitation of CVE-2024-55591, told TechCrunch that Forescout's findings suggest that hackers are “going after the rest of the organizations that either couldn't patch or couldn't harden their firewall configuration when the vulnerabilities were discovered.”
Hostetler said the ransom note used in these attacks resembles those of other groups, such as the now-defunct Alphv/BlackCat ransomware gang.
Fortinet did not respond to TechCrunch questions.