SPOTREP: SuperBlack Ransomware Campaign

Executive Summary: SuperBlack Ransomware Campaign The SuperBlack ransomware campaign, active since late January 2025, presents a serious threat to organizations utilizing Fortinet firewall appliances. Orchestrated by the threat actor Mora_001, this campaign exploits two critical authentication bypass vulnerabilities-CVE-2025-24472 and an…

March 13, 2025|Eric Taylor
AdobeStock_1293454819

Executive Summary: SuperBlack Ransomware Campaign

The SuperBlack ransomware campaign, active since late January 2025, presents a serious threat to organizations utilizing Fortinet firewall appliances. Orchestrated by the threat actor Mora_001, this campaign exploits two critical authentication bypass vulnerabilitiesCVE-2025-24472 and an unspecified flaw—to gain super-admin privileges. Attackers employ WebSocket-based attacks or crafted HTTPS requests to infiltrate systems, creating rogue admin accounts, moving laterally, exfiltrating sensitive data, and deploying the SuperBlack ransomware to encrypt files. Additionally, a wiper tool called WipeBlack is used to erase evidence, hindering investigation and recovery efforts. A potential connection to the notorious LockBit ransomware group further elevates the threat.
The campaign has impacted multiple organizations globally, resulting in:
  • Operational disruption from encrypted systems,
  • Data breaches due to stolen information, and
  • Financial losses from ransom payments and recovery costs.
Despite Fortinet releasing patches for the exploited vulnerabilities, many systems remain unpatched, fueling the ongoing attacks. To mitigate these risks, organizations should take immediate action:
  1. Apply Fortinet’s latest patches urgently to address the vulnerabilities.
  2. Enforce strict access controls to limit unauthorized access.
  3. Monitor for suspicious activities to detect potential breaches early.
  4. Strengthen incident response capabilities to ensure swift and effective recovery.
Prompt and proactive measures are essential to safeguard against this escalating threat.

Technical Summary:

Activity

  • Exploitation Tactics:
    • Attackers exploit two Fortinet authentication bypass vulnerabilities:
      • CVE-2025-24472: A critical flaw in FortiOS (versions 7.0.0 through 7.0.16) and FortiProxy (versions 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19) allowing unauthenticated access to administrative interfaces.
      • Second Unspecified Flaw: Believed to be a zero-day vulnerability still under investigation by Fortinet and cybersecurity researchers.
    • Attackers gain "super_admin" privileges through WebSocket-based attacks (using tools like jsconsole) or by sending crafted HTTPS requests to exposed management interfaces.
  • Post-Exploitation Actions:
    • Creation of new administrative accounts with names such as "forticloud-tech," "fortigate-firewall," and "adnimistrator" to ensure persistent access.
    • Lateral movement within compromised networks using stolen credentials, Windows Management Instrumentation Command-line (WMIC), Secure Shell (SSH), and authentication protocols like TACACS+ or RADIUS.
  • Payload Deployment:
    • SuperBlack Ransomware: A custom ransomware strain that encrypts files with a strong algorithm (likely AES-256) and appends a unique extension (e.g., .superblack). It also exfiltrates sensitive data to command-and-control (C2) servers before encryption.
    • WipeBlack Wiper: A destructive tool deployed post-encryption to overwrite critical system files and logs, erasing evidence of the attack and complicating forensic efforts.
Location
  • Geographic Scope: The campaign is global, targeting organizations with Fortinet FortiGate firewalls irrespective of region. No specific countries or cities have been publicly identified as primary targets, but the widespread adoption of Fortinet devices (used by over 500,000 organizations worldwide) suggests a broad potential impact.
  • Infrastructure Notes: C2 servers and exfiltration endpoints have been traced to IP addresses in multiple jurisdictions, including Eastern Europe and Southeast Asia, though attribution remains inconclusive due to the use of VPNs and proxy services.
Unit
  • Threat Actor: Identified as "Mora_001," a relatively new but sophisticated cybercriminal group.
  • Affiliation: Analysts suspect a connection to the LockBit ransomware syndicate due to:
    • Shared use of tools like WipeBlack, previously observed in LockBit 3.0 campaigns.
    • Overlapping infrastructure, such as IP addresses and domains registered under similar patterns.
    • Operational tactics mirroring LockBit’s double-extortion model (encryption + data theft).
  • Motivation: Primarily financially driven, with ransom demands reportedly ranging from $500,000 to $2 million in cryptocurrency, depending on the victim’s size and data sensitivity.
Time
  • Timeline:
    • Initial attacks detected in late January 2025, with the first confirmed compromise reported on January 28, 2025.
    • Exploitation of CVE-2025-24472 specifically noted as early as February 2, 2025.
    • Campaign remains active as of March 13, 2025, with no signs of slowing down.
  • Attack Frequency: Incidents appear to occur in waves, with spikes in activity following the public disclosure of CVE-2025-24472 on February 10, 2025.
Equipment
  • Vulnerabilities Exploited:
    • CVE-2025-24472: Affects FortiOS and FortiProxy, enabling attackers to bypass authentication and execute arbitrary commands.
    • Unspecified Second Flaw: Likely affects the same systems, possibly tied to improper session handling in the management interface.
  • Affected Systems: Fortinet FortiGate firewalls running vulnerable versions of FortiOS (7.0.0 - 7.0.16) and FortiProxy (7.2.0 - 7.2.12, 7.0.0 - 7.0.19).
  • Malware:
    • SuperBlack Ransomware: Believed to be built using a ransomware builder similar to LockBit 3.0, featuring modular design for rapid deployment and customization.
    • WipeBlack Wiper: A lightweight, destructive binary designed to maximize damage and evade detection.
  • Tools and Techniques:
    • WebSocket exploitation via jsconsole for initial access.
    • Crafted HTTPS requests targeting /remote/login endpoints.
    • Use of legitimate system tools (e.g., WMIC) for lateral movement.
Additional Details
  • Impact:
    • Operational Disruption: Victims face significant downtime due to encrypted systems and wiped logs, with recovery often requiring extensive rebuilding efforts.
    • Data Breach: Exfiltrated data includes intellectual property, customer records, and internal communications, increasing the risk of secondary extortion.
    • Financial Loss: Beyond ransom payments, organizations incur costs from incident response, legal fees, and reputational damage.
  • Indicators of Compromise (IOCs):
    • Suspicious account names: "forticloud-tech," "fortigate-firewall," "adnimistrator."
    • Anomalous traffic to FortiGate management ports (e.g., 443, 8443).
    • File extensions: .superblack on encrypted files.
  • Mitigation Recommendations:
    • Patch Management: Update Fortinet systems to the latest patched versions (FortiOS 7.0.17 or higher, FortiProxy 7.2.13 or 7.0.20 or higher) immediately.
    • Network Security:
      • Restrict access to management interfaces via VPN or IP whitelisting.
      • Enable multi-factor authentication (MFA) for all administrative accounts.
    • Monitoring:
      • Audit logs for unusual admin account creation or privilege escalation.
      • Deploy endpoint detection and response (EDR) tools to detect lateral movement.
    • Incident Response:
      • Maintain offline backups to ensure rapid recovery without paying ransoms.
      • Develop and test a comprehensive incident response plan tailored to ransomware scenarios.

RELATED

Situational Awareness Report: CVE-2025-24813 Apache Tomcat RCE

By Eric Taylor | March 18, 2025

Overview CVE-2025-24813 is a critical Remote Code Execution (RCE) vulnerability affecting Apache Tomcat, a widely used open-source web server and…

Executive Summary – Continued Attacks on USA Law Firms

By Eric Taylor | January 16, 2025

Executive Summary A cybercriminal operating under the alias CeFarir0ne has put up for sale unauthorized Remote Desktop Protocol (RDP) access to an…

Executive Summary – Shadow Syndicate

By Eric Taylor | January 15, 2025
,

Executive Summary In late 2024, Darktrace identified multiple instances of RansomHub ransomware attacks linked to the ShadowSyndicate threat group. ShadowSyndicate,…