Full Report
A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. [...]
Analysis Summary
# Incident Report: SuperBlack Ransomware Exploitation of Fortinet Flaws
## Executive Summary
A novel ransomware strain, **SuperBlack**, was deployed in attacks attributed to the threat actor **Mora\_001**. Initial compromise leveraged authentication bypass vulnerabilities in Fortinet firewall appliances to gain unauthorized administrative access. The intrusion progressed rapidly through credential theft and lateral movement, culminating in data theft, file encryption, and deployment of a custom wiper, 'WipeBlack', to hinder forensics. The encryptor shows strong technical lineage to the LockBit 3.0 builder.
## Incident Details
- Discovery Date: Not stated (the campaign is reported as newly observed)
- Incident Date: Not stated (the campaign is described as ongoing)
- Affected Organization: Multiple/Undisclosed victims targeted by Mora\_001
- Sector: Undisclosed (victims are linked by exposure of Fortinet firewall appliances rather than by industry)
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Not specified
- Vector: Exploitation of Fortinet authentication bypass vulnerabilities (no specific CVE is cited in the summary).
- Details: Exploiting the authentication bypass gave the attackers administrative access to the firewall appliance itself; from that position they harvested credentials and pivoted into the internal network.
### Lateral Movement
- Date/Time: Following Initial Access
- Vector: Stolen VPN credentials, creation of new VPN accounts, remote command execution via the WMI command-line tool (WMIC) and SSH, and abuse of the TACACS+/RADIUS authentication configured on the firewall.
- Details: Mora\_001 mapped the network, established persistence by creating new accounts and modifying automation tasks, and moved across the infrastructure using legitimate administrative protocols.
### Data Exfiltration/Impact
- Date/Time: Prior to Encryption/Wiping
- Vector: Data theft via a custom tool.
- Details: High-value data from file servers, database servers, and domain controllers was stolen for double extortion; files were then encrypted with the SuperBlack encryptor.
### Detection & Response
- Date/Time: Not specified
- Source: Forescout's analysis of the campaign.
- Details: The final stage dropped the SuperBlack ransom note and ran 'WipeBlack' to delete the ransomware executables and other evidence. Victim-specific response actions are not described; the response actions listed below are inferred from the attack chain.
## Attack Methodology
- Initial Access: **Exploitation of Fortinet authentication bypass vulnerabilities.**
- Persistence: **Creating new accounts on the firewall ($forticloud-tech, fortigate-firewall, adnimistrator; the last is a look-alike of 'administrator')** and modifying automation tasks so that access could be re-established if the accounts were removed.
- Privilege Escalation: No separate escalation step is described; the authentication bypass yields administrative access to the firewall directly, and further privilege came from the VPN and network credentials harvested from that position.
- Defense Evasion: **Deployment of the custom wiper utility 'WipeBlack'** after encryption to remove ransomware executables and hinder forensic analysis.
- Credential Access: Stealing **VPN credentials**.
- Discovery: **Network mapping** utilizing established access.
- Lateral Movement: **Stolen VPN credentials, creation of new VPN accounts, WMIC, and SSH**.
- Collection: Using a **custom tool** to steal data.
- Exfiltration: **Data theft** before encryption (double extortion).
- Impact: **File encryption** (SuperBlack) and **system wiping** ('WipeBlack').
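The persistence items above (new accounts on the firewall and modified automation tasks) are what a post-patch audit has to look for explicitly, because patching does not remove them. The following Python script is an added example, not Forescout's code and not part of the original report: it parses a FortiOS-style CLI configuration export, lists `config system admin` entries that are not in an assumed baseline, flags names that resemble privileged accounts (catching the 'adnimistrator' pattern), and lists every `config system automation-stitch` entry for review. The sample configuration, the baseline allowlist, and the stitch name are constructed for the example.

```python
"""Audit a FortiOS configuration export for the persistence mechanisms attributed
to Mora_001: admin accounts outside the known baseline (including look-alike
names) and automation stitches that could re-create access.
Constructed example; sample config, baseline and names are assumptions."""
import re
from difflib import SequenceMatcher

# Constructed FortiOS CLI-style export (real exports use the same config/edit/set/next/end layout).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "$forticloud-tech"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adnimistrator"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system automation-stitch
    edit "Restore-admin"
        set trigger "Config-Change"
        config actions
            edit 1
                set action "Create-admin"
            next
        end
    next
end
"""

KNOWN_ADMINS = {"admin"}  # assumed baseline of legitimate firewall admins
PRIVILEGED_NAMES = ("administrator", "admin", "fortigate", "forticloud")  # names typosquats imitate


def parse_fortios(text):
    """Return {section: {entry: {setting: value}}} for top-level sections.
    A stack tracks nesting so an inner 'config ... end' (e.g. stitch actions)
    does not terminate the enclosing entry; nested settings get dotted keys."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(("config", line[len("config "):]))
            if len(stack) == 1:
                sections.setdefault(stack[0][1], {})
        elif line.startswith("edit "):
            stack.append(("edit", line[len("edit "):].strip('"')))
            if len(stack) == 2:
                entry = sections[stack[0][1]].setdefault(stack[1][1], {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            prefix = ".".join(name for _, name in stack[2:])
            entry[f"{prefix}.{key}" if prefix else key] = value.strip('"')
        elif line in ("next", "end"):
            stack.pop()
            if len(stack) < 2:
                entry = None
    return sections


def lookalike_of(name, targets=PRIVILEGED_NAMES, threshold=0.8):
    """Return the privileged name `name` most resembles if the similarity ratio
    meets the threshold ('adnimistrator' -> 'administrator'), else None."""
    cleaned = name.lower().lstrip("$").replace("-", "").replace("_", "")
    best = max(targets, key=lambda t: SequenceMatcher(None, cleaned, t).ratio())
    return best if SequenceMatcher(None, cleaned, best).ratio() >= threshold else None


def audit(config_text, known_admins=KNOWN_ADMINS):
    """Return (severity, message) findings: unexpected admins and every stitch."""
    sections = parse_fortios(config_text)
    findings = []
    for name, settings in sections.get("system admin", {}).items():
        if name in known_admins:
            continue
        profile = settings.get("accprofile", "?")
        target = lookalike_of(name)
        if target:
            findings.append(("high", f"admin '{name}' ({profile}) not in baseline and resembles '{target}'"))
        else:
            findings.append(("medium", f"admin '{name}' ({profile}) not in baseline"))
    for name, settings in sections.get("system automation-stitch", {}).items():
        actions = [v for k, v in settings.items() if k.endswith(".action")]
        findings.append(("review", f"automation stitch '{name}' trigger={settings.get('trigger')} actions={actions}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a real `show full-configuration` export after maintaining the baseline set from your change records; every automation stitch is reported regardless of name, because a stitch that recreates an admin account on a config-change trigger looks innocuous until someone reads what it does.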
## Impact Assessment
- Financial: Not disclosed (Ransom payments demanded, costs for remediation likely high).
- Data Breach: High-value data stolen from **file servers, database servers, and domain controllers**.
- Operational: Significant operational disruption due to system encryption and potential loss of recovery data due to the wiper.
- Reputational: Potential damage associated with the public disclosure of a sophisticated ransomware attack utilizing zero-day/N-day vulnerabilities.
## Indicators of Compromise
- Network Indicators: IP address overlap with infrastructure used in earlier LockBit operations; specific addresses are not listed in this summary.
- File Indicators: SuperBlack encryptor based on LockBit 3.0 builder; execution of 'WipeBlack' wiper.
- Behavioral Indicators: Use of WMIC and SSH for lateral movement; modification of administrator-related automation tasks.
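To turn the behavioral indicators above (WMIC and SSH used to hop between servers) into detection logic, here is an added Python example, not part of the original report or Forescout's detection content. It parses constructed Windows process-creation events for `wmic /node:` remote execution and constructed sshd "Accepted" lines, then flags any source that reaches three or more distinct hosts within a short window. Host names, user names, IP addresses, and the window and threshold are assumptions.

```python
"""Detection logic for the lateral-movement behaviours attributed to Mora_001:
remote command execution via WMIC (/node:) and SSH logins fanning out from one
source. Constructed example with fabricated events; hosts, users, IPs, window
and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows process-creation events (the fields Sysmon EID 1 / Security 4688 provide).
WIN_EVENTS = [
    {"ts": "2025-03-12T03:10:01", "host": "WS-ADMIN01", "user": "CORP\\jdoe",
     "cmdline": 'wmic /node:"FS01" /user:"CORP\\svc_backup" process call create "cmd.exe /c whoami"'},
    {"ts": "2025-03-12T03:11:20", "host": "WS-ADMIN01", "user": "CORP\\jdoe",
     "cmdline": 'wmic /node:"DB01" process call create "cmd.exe /c net user"'},
    {"ts": "2025-03-12T03:12:05", "host": "WS-ADMIN01", "user": "CORP\\jdoe",
     "cmdline": 'wmic /node:"DC01" process call create "cmd.exe /c hostname"'},
    {"ts": "2025-03-12T09:30:00", "host": "WS-HELPDESK", "user": "CORP\\asmith",
     "cmdline": "wmic os get caption"},  # local inventory query, not lateral movement
]

# Constructed sshd syslog lines; 10.20.0.1 is assumed to be the firewall's inside address.
SSH_LOG = """\
Mar 12 03:14:07 db01 sshd[4412]: Accepted password for root from 10.20.0.1 port 51022 ssh2
Mar 12 03:15:40 fs01 sshd[2210]: Accepted password for root from 10.20.0.1 port 51030 ssh2
Mar 12 03:16:11 app02 sshd[9031]: Accepted password for root from 10.20.0.1 port 51044 ssh2
Mar 12 08:02:33 app02 sshd[9140]: Accepted publickey for deploy from 10.20.5.17 port 40112 ssh2
"""

WMIC_NODE_RE = re.compile(r'/node:"?(?P<target>[^"\s]+)', re.I)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port", re.M)


def wmic_remote_executions(events):
    """Return (ts, source, target, cmdline) for WMIC invocations aimed at another host."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        m = WMIC_NODE_RE.search(cmd) if "wmic" in cmd.lower() else None
        if not m:
            continue
        target = m.group("target").upper()
        if target in ("LOCALHOST", "127.0.0.1", ev["host"].upper()):
            continue
        hits.append((datetime.fromisoformat(ev["ts"]), f"{ev['host']}/{ev['user']}", target, cmd))
    return hits


def ssh_logins(log_text, year=2025):
    """Return (ts, source_ip, target_host, description) for accepted SSH logins.
    Syslog lines carry no year, so one is assumed."""
    hits = []
    for m in SSH_RE.finditer(log_text):
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("src"), m.group("host"), f"ssh {m.group('method')} as {m.group('user')}"))
    return hits


def fan_out(movements, min_targets=3, window=timedelta(minutes=15)):
    """Flag sources that reach >= min_targets distinct hosts within `window`:
    one operator hopping across file, database and domain-controller hosts."""
    by_source = defaultdict(list)
    for ts, source, target, _ in movements:
        by_source[source].append((ts, target))
    alerts = []
    for source, hops in by_source.items():
        hops.sort()
        for i, (start, _) in enumerate(hops):
            targets = {t for ts, t in hops[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append((source, sorted(targets)))
                break
    return alerts


def detect(win_events=WIN_EVENTS, ssh_log=SSH_LOG):
    """Combine both sources into (severity, message) findings."""
    wmic = wmic_remote_executions(win_events)
    findings = [("medium", f"WMIC remote execution {src} -> {tgt}: {cmd}") for _, src, tgt, cmd in wmic]
    for source, targets in fan_out(wmic + ssh_logins(ssh_log)):
        findings.append(("high", f"lateral fan-out from {source} to {', '.join(targets)}"))
    return findings


if __name__ == "__main__":
    for severity, message in detect():
        print(f"[{severity}] {message}")
```

A single `wmic /node:` call is only medium severity because administrators do use it; the high-severity signal is the fan-out, one source touching several server-class hosts in minutes, which is what credential-driven lateral movement looks like regardless of whether the hop is WMIC or SSH.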
## Response Actions
*(Inferred based on the attack progression, as specific organizational response actions were not detailed in the context)*
- Containment: Identify every exposed Fortinet device, patch it, and audit it for attacker-created accounts and automation tasks (patching alone does not remove them). Block known Mora\_001 infrastructure. Isolate affected file servers, database servers, and domain controllers.
- Eradication: Acquire forensic images before reimaging where possible, since WipeBlack destroys evidence on the host. Remove malware artifacts from affected systems. Rotate all administrative credentials, especially VPN, firewall, and TACACS+/RADIUS credentials.
- Recovery: Restore encrypted data from verified, isolated backups. Rebuild wiped systems, prioritizing domain controllers.
## Lessons Learned
- Sophisticated ransomware operators continue to weaponize zero-day and recently patched vulnerabilities in perimeter devices such as Fortinet firewalls, where a single flaw grants an administrative foothold at the network edge.
- The use of custom wipers ('WipeBlack') demonstrates an advanced adversary intent on maximizing impact and frustrating attribution/recovery efforts.
- The strong technical links to LockBit suggest that its affiliate ecosystem and tooling continue to seed new ransomware variants.
## Recommendations
- Immediately patch all Fortinet devices, then audit them for persistence: unexpected administrator accounts (including look-alike names), new VPN accounts, and modified automation tasks.
- Enforce Multi-Factor Authentication (MFA) on all remote access services, including VPNs, so that stolen VPN credentials alone are not sufficient for access; MFA on user-facing services does not mitigate the firewall authentication bypass itself, which only patching addresses.
- Monitor and restrict remote administrative execution via WMIC and SSH between servers, alerting when a single source reaches multiple file, database, or domain-controller hosts.
- Ensure comprehensive, immutable backups exist for critical systems (database, file servers, DCs) and test restoration procedures regularly, particularly against wiper threats.