Büyükkaya says Black Basta has been using the automated BRUTED platform since 2023 to conduct large-scale credential-stuffing and brute-force attacks on edge network devices. The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. The EclecticIQ report says BRUTED can extract Common Name (CN) and Subject Alternative Names (SAN) from the SSL certificates of targeted devices, which helps generate additional password guesses based on the target's domain and naming conventions. The framework searches for publicly accessible edge networking devices matching the targets list by enumerating subdomains, resolving IP addresses, and appending prefixes like '.vpn' or 'remote.' Matches are reported back to the command-and-control (C2) server. Analysis of the source code indicates that the framework was specifically designed to brute-force credentials on the following VPN and remote-access products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN. The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang's leaked internal chat logs. While BRUTED does not exploit any vulnerabilities to breach network edge devices, it is still crucial to keep those devices up-to-date by applying the latest security updates. Several reports of large-scale brute-forcing and password spray attacks against those devices throughout 2024, some of which might be linked to BRUTED or similar-origin operations. Once potential targets are identified, BRUTED retrieves password candidates from a remote server and combines them with locally generated guesses to execute many authentication requests via multiple CPU processes. Büyükkaya shared the source code with BleepingComputer, which shows how the tool utilizes specific request headers and user agents for each targeted device in the brute force attacks. A key defense strategy is to enforce strong, unique passwords for all edge devices and VPN accounts and use multi-factor authentication (MFA) to block access even when credentials are compromised. Leaked chat logs also revealed internal discussions about server downtime due to unpaid fees, which were later renewed, giving us a glimpse of the day-to-day operations ransomware gangs have to deal with. The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints. Tools like BRUTED streamline ransomware operations by breaching many networks at once with minimal effort, increasing the monetization opportunities for threat actors. ElecticIQ has shared a list of IPs and domains used by BRUTED that can be used to create new firewall rules that block requests from known malicious infrastructure.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 14 Mar 2025 16:55:14 +0000