Tag: Fortinet

Posted on by

Perimeter security appliances source of most ransomware hits

Compromised or vulnerable perimeter security appliances and devices – especially virtual private networks (VPNs) – formed the initial access vector in over half of observed ransomware attacks during 2024, according to data released this week by cyber security insurance provider Coalition in its latest annual threat report, covering 2024.

US-based Coalition, which began offering its so-called Active Insurance policies in the UK back in 2022, said that cyber criminals compromised such appliances in 58% of claims with which it dealt during 2024, with the second most widespread access point being remote desktop products, blamed in 18% of claims.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of security products at Coalition.

“This means that businesses can have a reliable playbook too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Unsurprisingly, the most commonly compromised products were all built by ‘household’ names in the industry, including the likes of Cisco, Fortinet, Microsoft, Palo Alto Networks and SonicWall. The most common initial access vectors (IAVs) were stolen credentials, used in 47% of such intrusions, and software exploits, seen in 29% of cases.

Coalition’s analysts warned that exposed logins were fast-emerging as an underappreciated and acute driver of ransomware risks. They claimed that the organisation detected more than five million remote management solutions and tens of thousands of login panels exposed on the public internet. It added that, according to its data, most applicants for cyber insurance (65%) had at least one internet-exposed web login panel, and securing these is a requirement for buying its products.

Out of these, the most commonly exposed admin login panels related to VPNs from Cisco and SonicWall, which between them accounted for over 19% of detected exposed panels, followed by Microsoft email services.

In 2024, Coalition also observed a significant number of exposed Citrix panels, which caused significant losses, including more than a billion dollars from the infamous Change Healthcare incident in the US, in which a ransomware gang used stolen Citrix credentials and exploited a lack of multifactor authentication to access the victim’s systems.

CVEs set to jump in 2025

As part of the set of services Coalition provides, it sends out zero-day alerts to its customers as and when new vulnerabilities are discovered, and constantly monitors for new vulnerabilities.

As such, its annual report also includes data on some of the more widespread common vulnerabilities and exposures (CVEs) it saw in 2024 – issues with Citrix, Fortinet, Ivanti and Palo Alto Networks prominent among them.

Looking ahead to 2025, Coalition’s analysts said the number of published vulnerabilities would likely increase to more than 45,000, a rate of nearly 4,000 every month, up 15% over the first 10 months of 2024.

This aligns closely with data released in February by the Forum of Incident Response and Security Teams (First), a non-profit, which suggested that CVE volumes may even top 50,000 this year.

A combination of new players in the CVE ecosystem, evolving disclosure compliance practices and a rapidly expanding attack surface are likely behind the growing number of vulnerabilities being reported on.

“This year’s report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations and threat intelligence, while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMEs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk.”

Source

Posted on by

SuperBlack ransomware may have ties to LockBit

An emergent ransomware gang that has been exploiting two vulnerabilities in Fortinet firewall appliances may have links to current or former members of the notorious LockBit operation, according to intelligence published this week by Forescout Research’s Vedere Labs unit.

Forescout is attributing SuperBlack to a threat actor tracked as Mora_001, which exhibits a distinct operational signature blending opportunistic attacks with ties to the LockBit ecosystem, according to researcher Sai Molige.

“Mora_001’s relationship to the broader Lockbit’s ransomware operations underscore the increased complexity of the modern ransomware landscape – where specialised teams collaborate to leverage complementary capabilities,” wrote Molige and the research team.

Mora_001/SuperBlack’s modus operandi to date has been to focus attention on CVE-2025-24472 and CVE-2024-55591 – a pair of authentication bypass flaws discovered in Fortinet’s FortiOS and FortiProxy – for initial access.

These vulnerabilities enable an unauthenticated actor to gain heightened admin rights on devices running FortiOS with exposed management interfaces. A proof-of-concept exploit released on 27 January 2025 was exploited within 96 hours, said Forescout.

Once in their target network, the gang moved laterally and prioritised targets such as authentication, database and file servers, domain controllers, and other elements of their victims’ network infrastructure. They then exfiltrated data and initiated encryption after doing so in a fairly standard ransomware attack.

Pattern recognition

In linking Mora_001/SuperBlack to LockBit – famously disrupted in a UK-led multinational operation just over 12 months ago – Forescout’s analysts said they observed a number of post-exploitation behaviours consistent with LockBit’s playbook.

These included identical usernames on victim networks, overlapping IP addresses used for access and command and control (C2), similar configuration backup behaviours, and rapid ransomware deployment, often after just 48 hours under “favourable” conditions.

Mora_001/SuperBlack also leveraged the leaked LockBit builder, removing LockBit branding from its ransom notes and deploying its own exfiltration tool.

The most concrete evidence was to be found in the gang’s ransom note, which includes a TOX ID used by LockBit for negotiations. Forescout said this suggested Mora_001 is either an operational affiliate of LockBit, or an associate group that shares communications channels with the gang.

“The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates,” wrote the team. “This consistent operational framework suggests a distinct threat actor with a structured playbook, rather than multiple operators following a generalised LockBit methodology.”

In analysing the timeline of Mora_001/SuperBlack intrusions, as well as overlapping indicators and operational patterns, Forescout said it could now “confidently” attribute future intrusions to the gang, independently of what its exact relationship to LockBit may be.

Following the National Crime Agency (NCA)-led Operation Cronos, which disrupted LockBit in February 2024, the ransomware landscape saw a significant fragmentation, and an increase in the number of operational gangs, suggesting that a number of members of the LockBit collective scattered under pressure and set up or joined new operations.

Although these suggestions are merely theories, the discovery of Mora_001/SuperBlack lends a certain weight to them, and as the year progresses, the legacy of LockBit looks set to remain for some time to come.

More information on Mora_001/SuperBlack, including tactics, techniques and procedures (TTPs), detection opportunities, and indicators of compromise (IoCs), can be obtained from Forescout.

Source