The Qilin ransomware operation has recently been involved in attacks exploiting two Fortinet vulnerabilities that allow attackers to bypass authentication on vulnerable devices and execute malicious code remotely.
Qilin (also tracked as Phantom Mantis) emerged in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the name "Agenda" and has since claimed responsibility for more than 310 victims on its dark web leak site.
Its victim list also includes high-profile organizations such as automotive giant Yanfeng, publishing giant Lee Enterprises, Australia's Court Services Victoria and pathology services provider Synnovis. The Synnovis incident affected several major NHS hospitals in London, forcing them to cancel hundreds of appointments and operations.
Threat intelligence company PRODAFT, which tracked these new and partially automated Qilin ransomware attacks targeting several Fortinet flaws, found that the threat actors are currently focusing on organizations in Spanish-speaking countries, but expects the campaign to expand worldwide.
"Phantom Mantis recently launched a coordinated intrusion campaign targeting several organizations between May and June 2025. We assess with medium confidence that initial access is being obtained by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591 and others," PRODAFT says in a private flash alert shared with BleepingComputer.
"Our observations indicate a special interest in Spanish-speaking countries, as reflected in the data presented in the table below. However, despite this regional focus, we assess that the group continues to choose its targets opportunistically rather than following a strict geographical or region-based targeting pattern."
One of the flaws exploited in this campaign, tracked as CVE-2024-55591, was also exploited as a zero-day by other threat groups to breach FortiGate firewalls as far back as November 2024. The Mora_001 ransomware operator has also used it to deploy the SuperBlack ransomware strain, which researchers have linked to the notorious LockBit cybercrime gang.
The second Fortinet vulnerability exploited in these Qilin ransomware attacks (CVE-2024-21762) was added by CISA to its list of actively exploited security flaws in February, with FortiOS and FortiProxy devices required to be secured by February 16.
Nearly a month later, the Shadowserver Foundation announced it had found roughly 150,000 devices still vulnerable to CVE-2024-21762 attacks.
Fortinet security vulnerabilities are frequently exploited in cyber-espionage operations (often as zero-days) and to breach corporate networks in ransomware attacks.
For example, in February, Fortinet disclosed that the Chinese Volt Typhoon hacking group had used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware, previously used to breach a Dutch ministry network.