New Ransomware Operator Exploits Fortinet Vulnerability Duo

    Date: 03/18/2025

    Severity: High

    Summary

    A new ransomware operator, tracked as Mora_001, has been exploiting two Fortinet vulnerabilities, targeting FortiGate firewall appliances in particular, to deploy a ransomware strain named SuperBlack. Mora_001 is linked to the LockBit ransomware ecosystem and combines several opportunistic attack methods. This operator's tactics, techniques, and procedures (TTPs) illustrate the growing complexity of modern ransomware operations, in which separate teams collaborate to extend their attack capabilities. The report outlines detection and mitigation strategies and emphasizes the evolving nature of these threats.

    Indicators of Compromise (IOC) List

    IP Address 

    89.248.192.55

    94.154.35.208

    80.66.88.90

    185.147.124.31

    96.31.67.39

    94.156.177.187

    170.130.55.164

    185.147.124.10

    109.248.160.118

    213.176.64.114

    57.69.19.70

    185.147.124.34

    192.248.155.218

    185.147.124.55

    176.53.147.5

    80.64.30.237

    193.143.1.65

    185.224.0.201

    5.181.171.133

    94.156.227.208

    95.217.78.122

    77.239.112.0

    185.95.159.43

    95.179.234.4

    217.144.189.35

    45.15.17.67

    Hash

    c994b132b2a264b8cf1d47b2f432fe6bda631b994ec7dcddf5650113f4a5a404

    f383bca7e763b9a76e64489f1e2e54c44e1fd24094e9f3a28d4b45b5ec88b513

    813ad8caa4dcbd814c1ee9ea28040d74338e79e76beae92bedc8a47b402dedc2

    782c3c463809cd818dadad736f076c36cdea01d8c4efed094d78661ba0a57045

    d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    Usernames

    adnimistrator

    fortigate-firewall

    admin_support

    newadmin

    forticloud-tech

    newadminuser

    newadminz

    renewadmin

    admin-vpn-access

    admin-vpn-access-work

    adminp0g

    it_manager

    Commandline

    [config system admin\nedit forticloud-sync\nset password #^(agT2^R96R-S_l4Y^HS#^\nset accprofilesuper_admin\nend\nexit]accprofile[super_admin]

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("89.248.192.55","185.147.124.31","95.179.234.4","170.130.55.164","185.224.0.201","185.147.124.10","77.239.112.0","185.147.124.34","185.95.159.43","96.31.67.39","80.64.30.237","57.69.19.70","192.248.155.218","213.176.64.114","193.143.1.65","5.181.171.133","94.156.177.187","94.154.35.208","80.66.88.90","109.248.160.118","185.147.124.55","176.53.147.5","94.156.227.208","95.217.78.122","217.144.189.35","45.15.17.67") or ipaddress IN ("89.248.192.55","185.147.124.31","95.179.234.4","170.130.55.164","185.224.0.201","185.147.124.10","77.239.112.0","185.147.124.34","185.95.159.43","96.31.67.39","80.64.30.237","57.69.19.70","192.248.155.218","213.176.64.114","193.143.1.65","5.181.171.133","94.156.177.187","94.154.35.208","80.66.88.90","109.248.160.118","185.147.124.55","176.53.147.5","94.156.227.208","95.217.78.122","217.144.189.35","45.15.17.67") or publicipaddress IN ("89.248.192.55","185.147.124.31","95.179.234.4","170.130.55.164","185.224.0.201","185.147.124.10","77.239.112.0","185.147.124.34","185.95.159.43","96.31.67.39","80.64.30.237","57.69.19.70","192.248.155.218","213.176.64.114","193.143.1.65","5.181.171.133","94.156.177.187","94.154.35.208","80.66.88.90","109.248.160.118","185.147.124.55","176.53.147.5","94.156.227.208","95.217.78.122","217.144.189.35","45.15.17.67") or srcipaddress IN ("89.248.192.55","185.147.124.31","95.179.234.4","170.130.55.164","185.224.0.201","185.147.124.10","77.239.112.0","185.147.124.34","185.95.159.43","96.31.67.39","80.64.30.237","57.69.19.70","192.248.155.218","213.176.64.114","193.143.1.65","5.181.171.133","94.156.177.187","94.154.35.208","80.66.88.90","109.248.160.118","185.147.124.55","176.53.147.5","94.156.227.208","95.217.78.122","217.144.189.35","45.15.17.67")

    Detection Query 2

    sha256hash IN ("917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2","f383bca7e763b9a76e64489f1e2e54c44e1fd24094e9f3a28d4b45b5ec88b513","c994b132b2a264b8cf1d47b2f432fe6bda631b994ec7dcddf5650113f4a5a404","d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88","813ad8caa4dcbd814c1ee9ea28040d74338e79e76beae92bedc8a47b402dedc2","782c3c463809cd818dadad736f076c36cdea01d8c4efed094d78661ba0a57045")

    Detection Query 3

    commandline like "[config system admin\nedit forticloud-sync\nset password #^(agT2^R96R-S_l4Y^HS#^\nset accprofilesuper_admin\nend\nexit]accprofile[super_admin]"
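    The three queries above are written for the Gurucul TDIR platform. For teams that want to run the same indicators against raw firewall event exports, the following Python sweep is an added example (not part of this advisory or of the vendor's tooling): it carries the deduplicated IP, SHA-256 and username indicators from the lists above, and adds the behavioural check the third query is really after, namely a new local administrator object created with the super_admin profile. The log records are constructed key=value lines in a FortiGate-like style, and the field names (srcip, remip, sha256, cfgpath, cfgobj, cfgattr) are assumptions; adjust them to the schema of your own export.

```python
import re
from typing import Dict, List

# Indicators transcribed from the advisory above (duplicate entries removed).
IOC_IPS = {
    "89.248.192.55", "94.154.35.208", "80.66.88.90", "185.147.124.31",
    "96.31.67.39", "94.156.177.187", "170.130.55.164", "185.147.124.10",
    "109.248.160.118", "213.176.64.114", "57.69.19.70", "185.147.124.34",
    "192.248.155.218", "185.147.124.55", "176.53.147.5", "80.64.30.237",
    "193.143.1.65", "185.224.0.201", "5.181.171.133", "94.156.227.208",
    "95.217.78.122", "77.239.112.0", "185.95.159.43", "95.179.234.4",
    "217.144.189.35", "45.15.17.67",
}
IOC_SHA256 = {
    "c994b132b2a264b8cf1d47b2f432fe6bda631b994ec7dcddf5650113f4a5a404",
    "f383bca7e763b9a76e64489f1e2e54c44e1fd24094e9f3a28d4b45b5ec88b513",
    "813ad8caa4dcbd814c1ee9ea28040d74338e79e76beae92bedc8a47b402dedc2",
    "782c3c463809cd818dadad736f076c36cdea01d8c4efed094d78661ba0a57045",
    "d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88",
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2",
}
IOC_USERNAMES = {
    "adnimistrator", "fortigate-firewall", "admin_support", "newadmin",
    "forticloud-tech", "newadminuser", "newadminz", "renewadmin",
    "admin-vpn-access", "admin-vpn-access-work", "adminp0g", "it_manager",
}

# Constructed sample records (assumed FortiGate-like key=value layout).
SAMPLE_LOGS = [
    'date=2025-03-10 time=08:12:44 type="event" subtype="vpn" action="tunnel-up" '
    'user="admin-vpn-access" remip="185.147.124.31" msg="SSL tunnel established"',
    'date=2025-03-10 time=08:15:02 type="event" subtype="system" action="Add" user="admin" '
    'ui="https(185.147.124.31)" cfgpath="system.admin" cfgobj="forticloud-sync" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin forticloud-sync"',
    'date=2025-03-10 time=08:16:10 type="traffic" srcip="10.0.0.5" dstip="203.0.113.10" action="accept"',
    'date=2025-03-10 time=09:02:31 type="utm" subtype="virus" action="blocked" '
    'sha256="c994b132b2a264b8cf1d47b2f432fe6bda631b994ec7dcddf5650113f4a5a404" filename="sample.bin"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sweep_line(line: str) -> List[Dict[str, str]]:
    """Return every indicator or behaviour match found in one log record."""
    hits: List[Dict[str, str]] = []
    fields = parse_kv(line)

    # 1. Any IPv4 address in the record (source, destination, remote peer or the
    #    management-UI origin) that appears in the advisory's address list.
    for ip in sorted(set(IPV4_RE.findall(line)) & IOC_IPS):
        hits.append({"rule": "ioc_ip", "value": ip})

    # 2. File hash reported by AV/sandbox events.
    digest = fields.get("sha256", "").lower()
    if digest in IOC_SHA256:
        hits.append({"rule": "ioc_sha256", "value": digest})

    # 3. Logins by, or configuration objects named after, the listed account names.
    for key in ("user", "cfgobj"):
        name = fields.get(key, "")
        if name in IOC_USERNAMES:
            hits.append({"rule": "ioc_username", "value": name})

    # 4. Behavioural check: a local admin object created with the super_admin
    #    profile, regardless of what the account is called.
    if fields.get("cfgpath") == "system.admin" and "super_admin" in fields.get("cfgattr", ""):
        hits.append({"rule": "super_admin_account_created", "value": fields.get("cfgobj", "?")})
    return hits


def sweep(lines: List[str]) -> List[Dict[str, object]]:
    """Sweep a sequence of records; each finding carries its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        for hit in sweep_line(line):
            findings.append({"line": number, **hit})
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['rule']} -> {finding['value']}")
```

    The fourth rule is the one worth keeping after the listed indicators age out: attacker-created account names change from intrusion to intrusion, but the privilege level they need does not, so alerting on every new system.admin object with accprofile super_admin (and reviewing it against your change tickets) catches the same activity without depending on a fixed username list.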

    Reference: https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/


    Tags

    Ransomware, SuperBlack, LockBit
