Researchers are tracking a newly identified ransomware group, Mora_001, which is believed to have ties to LockBit and has been exploiting Fortinet vulnerabilities since January. The vulnerabilities include CVE-2024-55591 and CVE-2025-24472, both related to authentication bypass. After exploitation, the attackers established persistence by creating backdoor accounts similar to legitimate ones, which facilitated further exploitation of adjacent systems. The approach shows that the group can not only breach defenses but also spread its access deliberately, using the high-availability (HA) functionality in firewalls to replicate compromised configurations across networks.
"By triggering the HA sync process, they ensured that their backdoor accounts and automation scripts were replicated across the devices, showcasing a sophisticated method of expanding access and complicating response efforts."
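For defenders auditing a device after this kind of activity, the sketch below (an added example, not code from the researchers or from Fortinet) lists the administrator accounts in a configuration backup and flags any that are outside an approved baseline, noting when the name closely resembles an approved one. It assumes the backup uses the FortiOS `config system admin` / `edit` / `set accprofile` layout; the sample configuration, the `APPROVED` baseline and the 0.8 similarity threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in the style of a FortiOS configuration backup.
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "netopps"
        set accprofile "super_admin"
    next
end
'''
APPROVED = {"admin", "netops"}  # hypothetical baseline of sanctioned admin accounts

def admin_accounts(config_text):
    """Return {account name: access profile} from the 'config system admin' block."""
    accounts, depth, current = {}, None, None  # depth None = not yet inside the block
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth is None:
            depth = 0 if line == "config system admin" else None
        elif line.startswith("config "):
            depth += 1          # nested per-account sub-block; skip its contents
        elif line == "end":
            if depth == 0:
                break           # end of the admin block
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "([^"]+)"', line)):
            current = m.group(1)
            accounts[current] = None
        elif depth == 0 and current and (m := re.fullmatch(r'set accprofile "([^"]+)"', line)):
            accounts[current] = m.group(1)
    return accounts

def review(config_text, approved=APPROVED, threshold=0.8):
    """List (name, profile, resembled approved name or None) for unapproved accounts."""
    findings = []
    for name, profile in admin_accounts(config_text).items():
        if name in approved:
            continue
        score = lambda a: SequenceMatcher(None, name.lower(), a.lower()).ratio()
        nearest = max(sorted(approved), key=score)
        findings.append((name, profile, nearest if score(nearest) >= threshold else None))
    return findings
```

Because the quoted HA sync behaviour replicates accounts to peer devices, the same review should be run against the backup of every cluster member rather than only the unit where the intrusion was first noticed.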