Ransomware group Mora_001 targets Fortinet applications - ThreatDown by Malwarebytes
Pieter Arntz · 2025-03-21 · via Ransomware – ThreatDown by Malwarebytes

The new gang appears to have links to the defunct LockBit group.

Mora_001 is a new ransomware group that has started exploiting known vulnerabilities in Fortinet security appliances.

One of the exploited vulnerabilities set a record when the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to patch it within a week of its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog, most likely because, at the time of disclosure, researchers were already aware of a large ongoing exploitation campaign against the vendor's firewalls.

Mora_001 uses SuperBlack, a ransomware variant built from the leaked LockBit 3.0 builder combined with a custom encryption tool. A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it was leaked by what was assumed to be a disgruntled developer.

The ransom notes of this new operator also carry the same ID for the qTox chat app that LockBit used, which suggests strong ties between the dissolved LockBit group and the new Mora_001 group. qTox is a chat, voice, video and file transfer instant messaging client built on the encrypted peer-to-peer Tox protocol.

Tox IDs are strings of 76 hexadecimal characters, generated when a user creates a Tox profile, and they are what contacts use to add each other. Reusing the same Tox ID indicates that either members of the new group, or an affiliate of it, were part of the LockBit operation before it went down.

For the time being, the new group follows a rather strict attack scenario.

The attack starts against exposed FortiGate firewalls vulnerable to CVE-2024-55591 and CVE-2025-24472. Both are authentication bypasses that can be used to gain super-admin privileges on the vulnerable devices.

Because the intruders occasionally used the username "watchTowr", it became clear which public Proof-of-Concept (PoC) they had adopted. It took them only about four days to turn that PoC into a working attack tool.

With super-admin powers in hand, the attacker creates new administrator accounts; names seen so far are forticloud-tech, fortigate-firewall, and administrator. As a fallback, they create or modify automation tasks on the firewall that recreate those administrator accounts in case they get removed.

After creating the local administrator accounts, the threat actors download the firewall configuration file, which contains critical information such as policies, routes, keys and VPN configurations.

Using stolen and newly created VPN accounts, the attackers map out the affected network and begin lateral movement over WMI and SSH. The newly created VPN user accounts are given names resembling legitimate accounts, but with a digit appended at the end.
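The three persistence artefacts described above (super-admin accounts outside the known baseline, automation tasks that recreate admin accounts, and VPN users named after legitimate users with a digit appended) are all visible in a FortiGate configuration export. The following is an added example, not code from ThreatDown, Forescout or Fortinet: a small Python checker that parses the `config` / `edit` / `set` / `next` / `end` structure of a FortiOS config dump and reports each of the three patterns. The configuration excerpt is constructed for illustration, the CLI syntax is approximated, the baseline admin set is assumed, and the automation script is written on one line to keep the parser short (real exports embed newlines inside the quoted script).

```python
"""Flag the Mora_001-style persistence pattern in a FortiGate config export.

Added example; not the vendor's or the researchers' code. Config syntax is
approximated and the sample below is constructed, not a real device export.
"""
import re
from typing import Dict, List, Tuple

# Constructed config excerpt: one legitimate super_admin, one attacker-added
# admin, an automation action that recreates it, and a lookalike VPN user.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
    next
    edit "readonly-noc"
        set accprofile "prof_admin"
    next
end
config system automation-action
    edit "recreate-admin"
        set action-type cli-script
        set script "config system admin | edit forticloud-tech | set accprofile super_admin | next | end"
    next
    edit "notify-ops"
        set action-type email
    next
end
config user local
    edit "jsmith"
        set type password
    next
    edit "jsmith1"
        set type password
    next
    edit "vpn-contractor"
        set type password
    next
end
"""

Table = Dict[str, Dict[str, str]]  # entry name -> {setting: value}


def parse_config(text: str) -> Dict[str, Table]:
    """Minimal parser for config/edit/set/next/end blocks.

    Returns {"system admin": {"admin": {"accprofile": "super_admin"}, ...}, ...}.
    Nested config blocks inside an edit (e.g. trusthost lists) are not
    descended into; that is enough for the three checks below.
    """
    tables: Dict[str, Table] = {}
    path: List[str] = []
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
            tables.setdefault(path[-1], {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tables[path[-1]].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[path[-1]][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            path.pop()
    return tables


def find_findings(config_text: str, expected_admins) -> List[Tuple[str, str]]:
    """Return (finding_type, object_name) pairs for the three patterns."""
    cfg = parse_config(config_text)
    findings: List[Tuple[str, str]] = []

    # 1. super_admin accounts that are not in the documented baseline
    for name, settings in cfg.get("system admin", {}).items():
        if settings.get("accprofile") == "super_admin" and name not in expected_admins:
            findings.append(("unexpected_super_admin", name))

    # 2. CLI-script automation actions that touch the admin table
    for name, settings in cfg.get("system automation-action", {}).items():
        if settings.get("action-type") == "cli-script" and re.search(
            r"\bsystem admin\b", settings.get("script", "")
        ):
            findings.append(("admin_recreate_automation", name))

    # 3. local (VPN) users that are an existing user name plus trailing digits;
    #    this will also flag legitimate "user1"/"user10" pairs, so treat as a lead
    users = set(cfg.get("user local", {}))
    for user in sorted(users):
        match = re.fullmatch(r"(.+?)\d+", user)
        if match and match.group(1) in users:
            findings.append(("lookalike_vpn_user", user))
    return findings


if __name__ == "__main__":
    for kind, obj in find_findings(SAMPLE_CONFIG, {"admin"}):
        print(f"{kind}: {obj}")
```

Run it against a real `show full-configuration` export by replacing `SAMPLE_CONFIG` with the file contents and `{"admin"}` with your documented administrator list; every hit is a lead to verify against change records, not proof of compromise on its own.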

At that point data theft begins, so the group can apply the tried and tested double-extortion method: steal the data, then encrypt the machines. In documented cases the attacker selectively encrypted file servers containing sensitive data.

For now, Mora_001 is very focused on one method of attack; its future will depend on whether it can find other ways in once this one dries up.

Mitigation

Patches for the two Fortinet vulnerabilities in use have been available since February 11, 2025. Because the group exports the firewall configuration, patching alone does not evict an intruder who is already in: review administrator accounts, automation tasks and VPN users for the additions described above, and rotate any credentials and keys contained in the exported configuration. ThreatDown Patch Management can help you fix known software vulnerabilities before criminals exploit them.