
Booking.com Phishing Scam Targets Employees in the Hospitality Sector


A phishing campaign is impersonating travel agency Booking.com to target employees in the hospitality industry, according to researchers at Microsoft.

NerdsToGo
23 hours ago

Fortinet firewall bugs are being targeted by LockBit ransomware hackers

Both bugs were fixed in January 2025, but users should update immediately.

NerdsToGo
23 hours ago

Black Basta Leader in League With Russian Officials, Chat Logs Show

Though the chat logs were leaked a month ago, analysts are now seeing that Russian officials may have assisted Black Basta members, according to the shared messages.

NerdsToGo
1 day ago

Free online file converters could infect your PC with malware, FBI warns

The FBI has warned that file converter scams are on the rise.

NerdsToGo
1 day ago

CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited


A critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products (CVE-2024-55591 and CVE-2025-24472) is actively exploited by ransomware operators to hijack enterprise networks.

The flaw, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), allows remote attackers to gain super-admin privileges via maliciously crafted CSF proxy requests or Node.js web socket module exploits.

Technical Overview

The vulnerabilities affect:

  • FortiOS versions 7.0.0 through 7.0.16
  • FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.

Exploitation involves bypassing authentication mechanisms to create unauthorized administrative accounts, modify firewall policies, or establish SSL VPN tunnels for lateral movement.

Successful attacks grant attackers complete control over compromised devices, enabling data exfiltration, ransomware deployment, and network disruption.

Link to Ransomware Campaigns

A new ransomware variant, SuperBlack—a modified version of LockBit 3.0—has been deployed by the threat actor Mora_001 using these vulnerabilities.

The group, suspected to have ties to LockBit affiliates, follows a structured playbook:

  1. Initial Access: Exploit CVE-2024-55591/CVE-2025-24472 to bypass authentication.
  2. Privilege Escalation: Create persistent admin accounts and modify configurations.
  3. Lateral Movement: Use VPN tunnels and reconnaissance tools like WMIC/SSH to target high-value assets (e.g., domain controllers, file servers).
  4. Data Exfiltration & Encryption: Deploy ransomware after extracting sensitive data.

Forescout researchers observed Mora_001 leveraging leaked LockBit tools, including the same Tox messaging ID, suggesting collaboration with or imitation of established ransomware ecosystems.

Mitigation and Patching

Fortinet released patches in January and February 2025:

Product      Affected Versions   Patched Versions
FortiOS      7.0.0 – 7.0.16      7.0.17+
FortiProxy   7.0.0 – 7.0.19      7.0.20+
FortiProxy   7.2.0 – 7.2.12      7.2.13+
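As an added example (not from the article and not Fortinet's own tooling), the table above turned into an inventory check: it parses version strings numerically, flags devices inside the listed ranges, and reports builds from trains the table does not mention as unknown rather than safe. The parsing and comparison logic is this example's own assumption.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Ranges copied from the advisory table above: (product, first affected,
# last affected, first patched). Only these trains are listed on the page.
AFFECTED_RANGES: List[Tuple[str, Version, Version, Version]] = [
    ("FortiOS",    (7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("FortiProxy", (7, 0, 0), (7, 0, 19), (7, 0, 20)),
    ("FortiProxy", (7, 2, 0), (7, 2, 12), (7, 2, 13)),
]


def parse_version(text: str) -> Version:
    """Turn 'v7.0.16' or '7.0.16' into a tuple that compares numerically,
    so that 7.0.9 < 7.0.16 (a plain string compare would get this wrong)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check_device(product: str, version: str) -> Dict[str, object]:
    """Classify one device. 'affected' is True inside a listed range, False
    at or above that range's patched build, and None when the train is not
    in the table at all: the table does not say those builds are safe."""
    v = parse_version(version)
    result: Dict[str, object] = {"product": product, "version": version,
                                 "affected": None, "fixed_in": None}
    for prod, first, last, fixed in AFFECTED_RANGES:
        if prod != product or v[:2] != first[:2]:
            continue  # different product, or a train the table does not list
        result["fixed_in"] = ".".join(str(n) for n in fixed)
        result["affected"] = first <= v <= last
        return result
    return result


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a (product, version) inventory and list the
    devices that still need the January/February 2025 patches first."""
    rows = [check_device(p, v) for p, v in inventory]
    return sorted(rows, key=lambda r: r["affected"] is not True)
```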

Workarounds (if patching is delayed):

  • Disable the Security Fabric via the CLI:

        config system csf
            set status disable
        end

  • Restrict administrative access using local-in policies.
  • Follow CISA’s BOD 22-01 guidance for cloud service hardening.

Industry Warnings

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on March 18, 2025, urging organizations to apply patches immediately, citing “substantial risks” of operational and financial damage.

Arctic Wolf and Forescout confirmed mass exploitation attempts, with attackers targeting unpatched devices within days of proof-of-concept exploit releases.

Stefan Hostetler of Arctic Wolf emphasized, “Cybercriminals are capitalizing on delayed patching cycles, making firewalls and VPNs prime targets due to their internet-facing nature”.

The Fortinet vulnerabilities underscore the critical need for proactive patch management in network security.

With ransomware groups like Mora_001 weaponizing these flaws, organizations must prioritize updates, restrict administrative interfaces, and monitor for indicators of compromise (IoCs) such as unauthorized admin accounts or SSL VPN changes.

Failure to act risks catastrophic breaches, as highlighted by CISA’s unprecedented advisory.

The post CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited appeared first on Cyber Security News.

NerdsToGo
1 day ago

Attackers Hide Malicious Word Files Inside PDFs to Evade Detection


A newly identified cybersecurity threat involves attackers embedding malicious Word files within PDFs to deceive detection systems. This technique, confirmed by JPCERT/CC, exploits the fact that files created using MalDoc in PDF can be opened in Microsoft Word, even though they possess the magic numbers and structure of PDF files. If these files contain macros […]

The post Attackers Hide Malicious Word Files Inside PDFs to Evade Detection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

NerdsToGo
1 day ago