The group of ransomware Qilin exploits vulnerabilities in Fortinet

The Qilin ransomware operation, also known as Phantom Mantis, has begun actively exploiting the critical vulnerabilities CVE-2024-55591 and CVE-2024-21762 in Fortinet devices, affecting both FortiGate firewalls and FortiProxy. These flaws allow remote code execution and authentication bypass, and have already been exploited in partially automated attacks against organizations, especially in Spanish-speaking countries.
In short: Qilin and Fortinet are at the centre of the most critical attacks of the moment.

Qilin: a ransomware becoming more sophisticated

Qilin, which has operated as Ransomware-as-a-Service (RaaS) since 2022 (previously known as "Agenda"), has claimed more than 310 victims, including critical infrastructure such as the British NHS. The current campaign, active since May 2025, has escalated rapidly thanks to an automated attack workflow that only requires the manual selection of victims.

CVE-2024-55591 and CVE-2024-21762: two critical vectors

  • CVE-2024-55591 had already been exploited as a zero-day since November 2024 by actors including Mora_001 (a LockBit affiliate) and SuperBlack.
  • CVE-2024-21762, included in CISA's KEV catalog, continues to affect tens of thousands of exposed devices worldwide.

Persistence and evasion by the ransomware group

Fortinet has warned of post-compromise persistence through malicious files that survive even after patches are applied.
The Qilin malware, developed in Golang and Rust, uses techniques such as:

  • Injection of processes
  • Scheduled tasks
  • Rebooting into safe mode

These capabilities greatly hinder detection and an effective response.

Fortinet: a history of attacks

Fortinet has been a frequent target of espionage and ransomware campaigns. Cases such as Volt Typhoon, which exploited vulnerabilities in the FortiOS SSL VPN against military networks, underline the seriousness of this attack vector.

Amber Solutions' recommendations

At Amber Solutions we recommend a comprehensive defense to anticipate campaigns such as Qilin's:

  • Penetration testing to discover actual entry vectors.
  • Threat hunting to detect persistence or anomalous activity.
  • Forensic response to eliminate malicious artifacts that survive patching.
  • Custom CTI to anticipate the tactics of specific actors.
