Researchers specializing in security have identified a group of hackers affiliated with the notorious LockBit gang, who are exploiting two vulnerabilities in Fortinet firewalls to install ransomware on the networks of several companies.

According to a recent report by Forescout Research, a group known as “Mora_001” is taking advantage of these vulnerabilities in Fortinet firewalls, which serve as the digital entry points to a company’s network, to gain access and deploy a customized ransomware strain called “SuperBlack.”

One of the exploited vulnerabilities, identified as CVE-2024-55591, has been used in cyberattacks to compromise the networks of Fortinet customers since December 2024. Forescout notes that a second vulnerability, tracked as CVE-2025-24472, is also being exploited by Mora_001 in these attacks. Patches for both vulnerabilities were released by Fortinet in January.

Sai Molige, senior manager of threat hunting at Forescout, informed TechCrunch that the cybersecurity firm has investigated three separate incidents at different companies but suspects there may be additional cases.

In a confirmed incident, Forescout observed the attacker selectively encrypting file servers that contained sensitive data.

Molige noted, “The encryption was only initiated after the exfiltration of data, which aligns with the recent trends among ransomware operators who prioritize data theft over disruption.”

Forescout indicates that the Mora_001 threat actor exhibits a distinct operational pattern, and the firm believes the group has close ties to the LockBit ransomware gang, which was disrupted by U.S. authorities last year. Molige explained that the SuperBlack ransomware is based on the leaked builder used in LockBit 3.0 attacks, and that the ransom note used by Mora_001 includes the same messaging address used by LockBit.

Molige added, “This connection could suggest that Mora_001 is either a current affiliate with unique methods or an associate group sharing communication channels.”

Stefan Hostetler, head of threat intelligence at Arctic Wolf, which previously observed exploitation of CVE-2024-55591, told TechCrunch that Forescout’s findings imply the hackers are targeting organizations that failed to apply the patch or harden their firewall configurations when the vulnerability was initially disclosed.

Hostetler noted that the ransom note used in these attacks bears similarities to those used by other groups, such as the now-defunct ALPHV/BlackCat ransomware gang.

Fortinet did not respond to TechCrunch’s inquiries.
