Published on: 2025-03-13

Intelligence Report: New SuperBlack ransomware exploits Fortinet auth bypass flaws – BleepingComputer

1. BLUF (Bottom Line Up Front)

The SuperBlack ransomware, operated by an entity referred to as Mora, exploits vulnerabilities in Fortinet’s firewall appliances to gain unauthorized access and deploy ransomware. The attack chain is highly structured and consistent across victims, leveraging an authentication bypass flaw. The ransomware is linked to LockBit operations, suggesting potential collaboration or shared tactics. Immediate attention to Fortinet vulnerabilities and enhanced cybersecurity measures are recommended to mitigate risks.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

The SuperBlack ransomware exploits a specific Fortinet vulnerability (CVE) disclosed in January and February. The attack involves gaining super admin privileges through a WebSocket-based attack on the JSConsole interface. Once access is obtained, the attacker creates new administrator accounts and modifies automation tasks to facilitate lateral movement and data exfiltration. The ransomware employs a custom tool, WipeBlack, to remove traces and hinder forensic analysis. Evidence suggests a strong link between SuperBlack and LockBit, including similarities in encryption methods and ransom note features.

3. Implications and Strategic Risks

The exploitation of Fortinet vulnerabilities poses significant risks to national security and economic interests. The structured nature of the attack indicates a high level of sophistication and potential for widespread impact. The link to LockBit suggests a broader network of cybercriminal activity, increasing the threat landscape for organizations relying on Fortinet products. The potential for data theft and operational disruption is high, necessitating immediate action to secure vulnerable systems.

4. Recommendations and Outlook

Recommendations:

• Organizations using Fortinet products should immediately apply available patches and updates to mitigate vulnerabilities.
• Implement enhanced monitoring and incident response protocols to detect and respond to unauthorized access attempts.
• Consider regulatory measures to enforce stricter cybersecurity standards for critical infrastructure.

Outlook:

In the best-case scenario, rapid patching and improved cybersecurity measures will limit the impact of the SuperBlack ransomware. In the worst-case scenario, continued exploitation could lead to significant data breaches and operational disruptions. The most likely outcome involves ongoing attempts to exploit unpatched systems, necessitating sustained vigilance and adaptation of cybersecurity strategies.

5. Key Individuals and Entities

The report mentions Mora as the operator of the SuperBlack ransomware. The analysis also references Fortinet as the affected entity and LockBit as a related ransomware operation. These entities are central to understanding the scope and implications of the current threat landscape.