In the ever-changing landscape of cybersecurity, threats are continuously evolving, adapting, and discovering new pathways to exploit weaknesses.
Enter Mora_001, a recently identified threat actor that has quickly earned a reputation for a methodical and sophisticated approach to network compromise.
Their weapon of choice? A custom ransomware variant dubbed “SuperBlack.” This is not a run-of-the-mill ransomware attack: it is a complex, multi-stage intrusion that illustrates how fast cybercriminal tradecraft is maturing.
The exploitation: a perfect storm of vulnerabilities
The Mora_001 campaign begins with the exploitation of two Fortinet vulnerabilities, CVE-2024-55591 and CVE-2025-24472. Both are authentication bypasses affecting FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17) that let an unauthenticated attacker obtain super_admin privileges on devices whose management interface is reachable from the internet.
More alarming still is how fast Mora_001 weaponized them. Within 96 hours of an easily reproduced proof-of-concept exploit being published on January 27, 2025, researchers confirmed at least two distinct exploitation methods in the wild:
The jsconsole interface exploit: This method abuses the WebSocket-based CLI console (jsconsole). The source address recorded in the device logs is attacker-controlled and was seen as 127.0.0.1 or 8.8.8.8, masking the attacker’s real origin.
Direct HTTPS requests: A more straightforward method that triggers the same underlying flaw with less effort spent on disguise.
This rapid abuse reflects a worrying trend: threat actors are no longer waiting weeks, or even days, to weaponize a vulnerability. They are doing it in hours.
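Because the source address in a jsconsole login is attacker-chosen, a detection rule cannot key on the IP (blocking 8.8.8.8 achieves nothing). It has to key on the login channel and ask whether that channel was used from somewhere administrators are expected to come from. The following is an added example written for this article, not Forescout’s code or a Fortinet tool; the log lines are constructed and only loosely follow the FortiGate admin-login event syntax, and the trusted admin network is an assumption you would replace with your own.

```python
"""Flag administrative activity over ui="jsconsole" whose logged source address
is not one an administrator would legitimately use (loopback, a public resolver
such as 8.8.8.8, or anything outside the trusted admin networks).

Added example, not code from the article or from Forescout.  SAMPLE_LOGS are
CONSTRUCTED and only approximate FortiGate admin-login event log syntax."""
import ipaddress
import re

SAMPLE_LOGS = """\
logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 action="login" status="success"
logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 action="login" status="success"
logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=8.8.8.8 action="login" status="success"
logdesc="Admin login successful" user="admin" ui="ssh(10.10.0.5)" method="ssh" srcip=10.10.0.5 action="login" status="success"
logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=127.0.0.1 action="Add" cfgpath="system.admin" cfgobj="forticloud-tech"
"""

# Assumption for the demo: the only network administrators really log in from.
ADMIN_TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value event line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_expected_admin_source(ip_str):
    """True only for addresses inside ADMIN_TRUSTED_NETS.  Loopback, public
    addresses (a spoofed 8.8.8.8) and unparsable values all return False."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_TRUSTED_NETS)


def suspicious_jsconsole_events(log_text):
    """Return parsed events where the jsconsole channel was used from a source
    that is not a trusted admin address.  Covers both the login itself and any
    follow-on configuration change (e.g. creation of a new system.admin object)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("ui") != "jsconsole":
            continue
        if not is_expected_admin_source(ev.get("srcip", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in suspicious_jsconsole_events(SAMPLE_LOGS):
        print(f"[!] jsconsole from {ev['srcip']}: {ev.get('logdesc')} "
              f"{ev.get('cfgpath', '')} {ev.get('cfgobj', '')}".rstrip())
```

Run against your own exported event logs, the rule surfaces the two spoofed logins and the account creation that followed, while the HTTPS and SSH logins from the admin network are left alone. Legitimate use of the GUI’s CLI widget from a trusted address also passes, which is the point: the channel plus an implausible source is the signal, not the channel alone.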
Persistence: Digging In for the Long Haul
Once Mora_001 had a foothold, they did not just gain access; they made sure they could keep it. Their persistence tactics were inventive.
Stealthy Admin Accounts: The attackers created local administrator accounts with names chosen to blend in with services running on the affected devices, such as “forticloud-tech” and “fortigate-firewall,” and even a lookalike “adnimistrator” that transposes two letters of “administrator.”
Automation Tasks: Mora_001 configured daily scheduled automation tasks that re-create the rogue administrator accounts if they are deleted. One such task ran a CLI script that recreated a “forticloud-sync” user with super_admin permissions and a hardcoded password.
High Availability (HA) Abuse: Where firewalls were deployed in HA clusters, the attackers relied on configuration synchronization to propagate their malicious changes to the other cluster members.
Together these gave the attackers several independent ways back in, so that discovering and removing one backdoor was not enough to evict them.
Reconnaissance and Lateral Movement
With persistence in place, Mora_001 performed extensive reconnaissance through the FortiGate dashboards to map the environment. The Status, Security, Network, and Users & Devices dashboards helped them identify candidate paths for lateral movement.
In these environments the threat actor created additional VPN user accounts whose names differed from legitimate ones only slightly, typically by a trailing digit (e.g., “xxx1”). These accounts were added to existing VPN user groups, giving the attackers a future route into the network that would survive a casual admin review.
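The persistence techniques above (rogue admin accounts, automation tasks that re-create them) and the digit-suffixed VPN lookalikes can all be checked for in a configuration backup. The following is an added example written for this article, not Forescout’s code or a Fortinet tool. The sample config is constructed: its section names mirror the real FortiOS sections (config system admin, config system automation-action, config user local) but the layout is simplified, the account names and script are invented for the demo, and the allowlist of expected admins is an assumption.

```python
"""Audit a FortiGate config backup for the persistence tricks described above:
rogue admin accounts, automation tasks that re-create them, and lookalike VPN users.
Added example, not code from the article or Forescout.  SAMPLE_CONFIG is CONSTRUCTED
and only approximates FortiOS CLI layout (config/edit/set/next/end); this minimal
parser does not handle nested config blocks."""
from collections import defaultdict

SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
    next
    edit "adnimistrator"
        set accprofile "super_admin"
    next
end
config system automation-action
    edit "cloud-sync"
        set action-type cli-script
        set script "config system admin
edit forticloud-sync
set accprofile super_admin
set password Hunter2!
next
end"
    next
    edit "log-rotate"
        set action-type cli-script
        set script "execute log rotate"
    next
end
config user local
    edit "jsmith"
    next
    edit "jsmith1"
    next
end
'''


def parse_fortios(text):
    """Return {section: {entry: {key: value}}}.  A 'set' line with an odd number of
    double quotes (the multi-line 'set script' case) absorbs lines until they balance."""
    sections = defaultdict(dict)
    lines = text.splitlines()
    section = entry = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit ") and section is not None:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            while line.count('"') % 2 and i < len(lines):
                line += "\n" + lines[i].strip()  # continuation of a quoted value
                i += 1
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def edit_distance(a, b):
    """Levenshtein distance; 'adnimistrator' vs 'administrator' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(config_text, expected_admins=("admin",)):
    """Return human-readable findings for the three persistence techniques."""
    cfg = parse_fortios(config_text)
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        if name not in expected_admins:
            findings.append(f"unexpected admin '{name}' (accprofile {attrs.get('accprofile', '?')})")
        if name != "administrator" and edit_distance(name, "administrator") <= 2:
            findings.append(f"admin '{name}' is a lookalike of 'administrator'")
    for name, attrs in cfg.get("system automation-action", {}).items():
        if attrs.get("action-type") == "cli-script" and "config system admin" in attrs.get("script", ""):
            findings.append(f"automation action '{name}' runs a CLI script that creates/modifies admin accounts")
    users = cfg.get("user local", {})
    for name in users:
        base = name.rstrip("0123456789")
        if base != name and base in users:
            findings.append(f"VPN user '{name}' is a digit-suffixed variant of '{base}'")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("[!]", f)
```

On the sample this reports the two rogue super_admin accounts, the “adnimistrator” lookalike, the “cloud-sync” action that rebuilds an admin, and the “jsmith1” twin, while the benign “log-rotate” script is left alone. Against a real device, feed it the output of a full configuration export, and note that the automation check is the one worth running on a schedule: an account you delete today comes back tomorrow if the task that re-creates it is still there.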
Mora_001 used several techniques to move laterally:
Stolen VPN Credentials: Compromised VPN credentials used to reach internal networks.
Propagation Through HA Configuration: Using HA synchronization to compromise the other firewalls in a cluster.
Authentication Infrastructure Abuse: Targeting TACACS+ or RADIUS services integrated with Active Directory.
WMIC and SSH: The Windows Management Instrumentation command-line tool (WMIC) for remote discovery and execution on Windows hosts, and SSH for attempts to reach additional servers and network appliances.
SuperBlack Ransomware: A Wild Card Enemy
The ransomware Mora_001 deploys, referred to as SuperBlack, is closely related to LockBit 3.0 (also known as LockBit Black), but with some notable differences.
Ransom Note Structure: The ransom note contains a Tox chat ID previously associated with LockBit 3.0 activity but drops LockBit’s more prominent branding, which complicates attribution.
Custom Data Exfiltration: SuperBlack ships with its own data-exfiltration executable, indicating the attackers aim to steal as much sensitive data as possible before encryption begins.
Despite these differences, the shared components tie SuperBlack firmly to the LockBit ecosystem, suggesting that Mora_001 is either a current or former LockBit affiliate or an independent actor recycling LockBit’s infrastructure.
Infrastructure and Tools
Mora_001 activity has been correlated with infrastructure such as the IP address 185.147.124.34, which was observed performing brute-force attempts against numerous edge services. The same host serves a tool called “VPN Brute v1.0.2,” a Russian-language utility built to brute-force credentials for several VPN services and edge devices.
The VPN Brute tool targets platforms including:
- RDWeb (Remote Desktop Web Access)
- PulseSecure
- Outlook Web Access (OWA)
- GlobalProtect by Palo Alto Networks
- Fortinet, Cisco, F5 Networks BIG-IP, and Citrix
Recent versions of the tool add features such as continuing to brute-force after a valid credential has been found, and honeypot detection.
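The “keep going after a valid credential” behaviour is itself a detection opportunity: a legitimate user who mistypes a password and then logs in stops failing, whereas a source that keeps producing failures for other usernames after one success is a brute-forcer that has just harvested a working credential. The following is an added example written for this article, not Forescout’s code or a Fortinet tool. The log lines are constructed key=value events loosely modelled on FortiGate SSL-VPN event logs; the field names (time, remip, user, action), the action values and the thresholds are assumptions to map onto your own log schema.

```python
"""Detect VPN Brute-style behaviour in authentication logs: one source spraying
many usernames and, tellingly, continuing to guess after a successful login.
Added example, not code from the article or Forescout.  SAMPLE_LOGS are CONSTRUCTED
key=value events loosely modelled on FortiGate SSL-VPN logs; the field names
(time, remip, user, action) and action values are assumptions for the demo."""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
time=03:10:01 remip=203.0.113.7 user="admin" action="ssl-login-fail"
time=03:10:02 remip=203.0.113.7 user="administrator" action="ssl-login-fail"
time=03:10:03 remip=203.0.113.7 user="jsmith" action="ssl-login-fail"
time=03:10:04 remip=203.0.113.7 user="akhan" action="ssl-login-fail"
time=03:10:05 remip=203.0.113.7 user="vpnuser" action="tunnel-up"
time=03:10:06 remip=203.0.113.7 user="backup" action="ssl-login-fail"
time=03:10:07 remip=203.0.113.7 user="test" action="ssl-login-fail"
time=08:01:10 remip=198.51.100.20 user="jsmith" action="ssl-login-fail"
time=08:01:25 remip=198.51.100.20 user="jsmith" action="tunnel-up"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value event line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def profile_sources(log_text):
    """Per source IP: failure count, distinct usernames tried, accounts that
    logged in successfully, and failures that occurred AFTER the first success."""
    stats = defaultdict(lambda: {"fail": 0, "users": set(), "ok_users": set(),
                                 "fail_after_success": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "remip" not in ev or "action" not in ev:
            continue  # malformed or unrelated line
        s = stats[ev["remip"]]
        if ev["action"] == "ssl-login-fail":
            s["fail"] += 1
            s["users"].add(ev.get("user", ""))
            if s["ok_users"]:
                s["fail_after_success"] += 1
        elif ev["action"] == "tunnel-up":
            s["ok_users"].add(ev.get("user", ""))
    return stats


def flag_sources(log_text, min_fail=5, min_users=3):
    """Return {ip: [reasons]} for sources worth an analyst's attention.  A user
    who fat-fingers a password once and then logs in is not flagged."""
    flagged = {}
    for ip, s in profile_sources(log_text).items():
        reasons = []
        if s["fail"] >= min_fail and len(s["users"]) >= min_users:
            reasons.append(f"{s['fail']} failures across {len(s['users'])} usernames (credential spraying)")
        if s["fail_after_success"]:
            reasons.append(f"kept guessing after logging in as {sorted(s['ok_users'])}; "
                           "treat those credentials as compromised")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOGS).items():
        print(ip, "->", "; ".join(reasons))
```

The second reason is the operationally important one: it names the account whose password the attacker now holds, which is exactly the credential that later shows up in the “stolen VPN credentials” lateral-movement step. Reset it, and check whether a lookalike variant of it has appeared in the VPN user groups.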
Mitigations: Keeping One Step Ahead
To defend against Mora_001 and similar threats, organizations should focus on the following:
Patch Vulnerable Systems: Apply the FortiOS updates that address CVE-2024-55591 and CVE-2025-24472.
Restrict Management Access: Keep management interfaces off the internet, and disable external management access whenever it is not needed.
Audit Administrator Accounts: Review admin accounts regularly and delete any that are unauthorized.
Examine Automation Settings: Look for suspicious automation tasks, especially those scheduled daily or during off-hours.
Review VPN Users and Groups: Look for recently created accounts and for slight variations of legitimate usernames.
Enable Comprehensive Logging: Make sure CLI audit logs, HTTP/S traffic logs, and authentication system auditing are enabled and retained.
Final Thoughts
A Cybersecurity Wake-Up Call
The Mora_001 campaign is a reminder that modern cybercriminals are organized, fast-moving, and quick to adopt whatever works.
Weaponizing a public exploit within hours, layering several persistence mechanisms so that no single cleanup evicts them, and stealing data before encrypting it are the marks of an adversary that turns a compromised edge device into a trusted position inside the network.
For organizations the message is clear: patch promptly, keep management interfaces off the internet, audit accounts and automation, and watch authentication closely. The stakes keep rising, and the time to act is now.