Mora_001’s attack chain involves using these vulnerabilities to escalate privileges to super-admin on compromised Fortinet devices. Once inside, the actors create new administrator accounts and modify automation tasks to achieve persistence. These accounts are typically named like existing accounts but with an extra digit appended, which makes them easy to overlook during routine checks. The attackers also use the VPN functionality to log in remotely to other firewalls on the network, authenticating with protocols such as TACACS+ or RADIUS.
After gaining access, the attackers conduct network mapping to search for targets for lateral movement. They use tools like SSH to log in to high-value targets like file servers, domain controllers, and other network infrastructure. The attackers then exfiltrate sensitive data before deploying the SuperBlack ransomware, which encrypts critical files and demands a ransom. A custom wiper, WipeBlack, is used to wipe any traces of the ransomware, making forensic analysis challenging.
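Because the persistence step described above relies on rogue administrator accounts whose names mimic legitimate ones with a trailing digit, a simple configuration audit can surface them. The following script is an added example written for this page, not code from the original article or from Fortinet; it parses a constructed sample in the style of a FortiOS `config system admin` block (the block layout and the `set accprofile` key are assumptions about the format) and flags both look-alike names and any admin not present in a known-good baseline.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config, written in the style of a FortiOS
# "config system admin" block. It is not a dump from a real device;
# "admin1" is the planted look-alike account.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "admin1"
        set accprofile "super_admin"
    next
    edit "readonly"
        set accprofile "prof_admin"
    next
end
"""

# Known-good administrator names, e.g. from a change-managed inventory.
BASELINE_ADMINS: Set[str] = {"admin", "netops", "readonly"}

ADMIN_BLOCK = re.compile(r'config system admin\n(.*?)\nend', re.S)
ENTRY = re.compile(r'edit "([^"]+)"(.*?)\n\s*next', re.S)
PROFILE_LINE = re.compile(r'^\s*set accprofile "([^"]+)"', re.M)
# Name that is "<something non-digit>" followed only by digits.
TRAILING_DIGITS = re.compile(r'^(.*?\D)(\d+)$')


def parse_admins(config: str) -> Dict[str, str]:
    """Return {admin_name: access_profile} from the admin block."""
    block = ADMIN_BLOCK.search(config)
    if not block:
        return {}
    admins: Dict[str, str] = {}
    for name, body in ENTRY.findall(block.group(1)):
        profile = PROFILE_LINE.search(body)
        admins[name] = profile.group(1) if profile else ""
    return admins


def find_lookalike_admins(admins: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag names that equal another admin name plus trailing digits.

    Returns (suspect_name, name_it_imitates) pairs in sorted order.
    """
    names = set(admins)
    hits: List[Tuple[str, str]] = []
    for name in sorted(names):
        m = TRAILING_DIGITS.match(name)
        if m and m.group(1) in names:
            hits.append((name, m.group(1)))
    return hits


def unexpected_admins(admins: Dict[str, str], baseline: Set[str]) -> List[str]:
    """Flag any admin account not present in the approved baseline."""
    return sorted(name for name in admins if name not in baseline)


if __name__ == "__main__":
    found = parse_admins(SAMPLE_CONFIG)
    for suspect, imitated in find_lookalike_admins(found):
        print(f"look-alike admin {suspect!r} mimics {imitated!r} "
              f"(profile {found[suspect]!r})")
    for name in unexpected_admins(found, BASELINE_ADMINS):
        print(f"admin {name!r} not in baseline (profile {found[name]!r})")
```

Running this against a real configuration export means reviewing every hit by hand: the look-alike check catches the naming trick this actor uses, while the baseline diff catches any account added outside change management regardless of its name. Pair the review with a check of the automation (stitch) configuration, since the page notes that is the second persistence point.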
Mora_001’s operational behaviors show strong alignment with well-established ransomware groups such as LockBit. SuperBlack ransomware is based on the leaked LockBit 3.0 builder, using identical payload structures and encryption methods but without preserving any of the original branding. Further, the ransom notes include a Tox ID associated with LockBit operations, so Mora_001 may be a former affiliate or associate of LockBit. The use of WipeBlack also overlaps with other ransomware gangs associated with LockBit, such as BrainCipher and EstateRansomware.
The exploitation of these Fortinet vulnerabilities underscores the importance of patching critical systems. Despite warnings from Fortinet and the availability of patches, a vast majority of organizations remain vulnerable. According to current reports, there are thousands of unpatched Fortinet firewalls worldwide, with significant numbers in India and the United States. The rapid exploitation of these vulnerabilities after the release of a proof-of-concept exploit shows the need for immediate action to protect against these attacks.
The SuperBlack ransomware incursions follow a playbook that allows Mora_001 to infiltrate networks and deploy ransomware in a reliable, efficient way. This level of operational consistency is unprecedented for ransomware actors, even though the group has been associated with LockBit. The group’s ability to innovate while reusing existing tools and infrastructure makes it a considerable threat in the evolving landscape of ransomware incursions.