Automated Attacks with BRUTED Tool Expand Threat Actor's Reach
As reported by Bleeping Computer, ransomware gang Black Basta has developed a sophisticated, automated brute-forcing framework known as “BRUTED,” specifically engineered to compromise edge networking devices such as firewalls and VPN services.
Discovered by EclecticIQ researcher Arda Büyükkaya after analyzing leaked internal communications of the ransomware group, BRUTED has been actively used since 2023. The tool enables Black Basta to execute credential-stuffing and brute-force attacks at scale, significantly streamlining initial network access and amplifying their ransomware operations.
Targeted Devices and Attack Techniques
BRUTED targets prominent remote-access products, including SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN. The framework identifies publicly accessible edge devices by enumerating subdomains, resolving their IP addresses, and adding standard prefixes like ‘.vpn’ or ‘.remote’ to discover potential entry points. Once targets are located, BRUTED fetches password lists from remote servers and generates additional local guesses, leveraging multiple simultaneous processes to rapidly attempt authentications.
Detailed analysis of BRUTED’s source code revealed that the framework uses tailored request headers and user-agent strings specifically crafted for each targeted device, enhancing attack effectiveness. Additionally, BRUTED can extract valuable information from SSL certificates—such as Common Names (CN) and Subject Alternative Names (SAN)—to create more contextually relevant password guesses based on organizational domain conventions.
Black Basta routes BRUTED's traffic through a chain of SOCKS5 proxy servers with obfuscated domain names, masking the operation's true infrastructure, which is primarily hosted on servers located in Russia and registered under Proton66 (AS 198953). For defenders this matters: login attempts arrive from many unrelated source addresses, so per-IP blocking alone is not enough. EclecticIQ's findings correlate with reports throughout 2024 of large-scale brute-force and credential-stuffing attacks against edge devices, some of which may be attributable to BRUTED or similar frameworks.
Recommended Defense Strategies
To defend against frameworks like BRUTED, security teams should layer controls so that no single weak point hands an attacker initial access. The following measures each address a stage of the attack described above:

- Enforce strong, unique passwords: Long, unique passwords on every edge device and VPN account blunt both guessing strategies BRUTED uses. Uniqueness means credentials leaked from another breach cannot be replayed (credential stuffing), and length makes wordlist guessing impractical (brute force). Avoid passwords built from the company name or domain, since BRUTED derives guesses from certificate CN and SAN values.
- Implement multi-factor authentication (MFA): MFA drastically reduces the risk of unauthorized access even when a password is guessed or already known to the attacker.
- Monitor authentication attempts: Regularly review login attempts from unknown or unexpected locations, and treat a burst of failures against many different usernames from one source as credential stuffing rather than forgotten passwords.
- Set up alerts for high-volume login failures: Immediate notification on repeated failures against the VPN portal is often the first sign of an active brute-force campaign.
- Establish rate-limiting: Limit the number of login attempts allowed from a single IP address within a short period. Because BRUTED rotates through SOCKS5 proxies, also limit and alert per account, so that one username being tried from many different IP addresses is caught even when each IP stays under the per-IP threshold.
- Regular security patching: Keep all edge networking devices and VPN services on current firmware and security patches to reduce the risk of exploitation.

These steps reduce the likelihood of unauthorized access and strengthen overall security posture, so that organizations can respond more effectively to Black Basta and similar ransomware operations.
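As an added illustration (not code from the EclecticIQ report, from BRUTED, or from any vendor), the following Python script applies the monitoring, alerting and rate-limiting advice above to a handful of constructed VPN authentication log lines. The log format, field names, thresholds and IP addresses are assumptions made for the example; real SonicWall, Fortinet or GlobalProtect logs differ per product, so `LOG_RE` must be adapted to the vendor's format. It flags three patterns: one source IP hammering a single account, one source IP cycling through many usernames (credential stuffing), and one account attempted from many source IPs, which is what a rotating SOCKS5 proxy fleet looks like from the defender's side and what a purely per-IP limit would miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like VPN auth log format.
# Addresses are from documentation ranges; the format is not any vendor's.
SAMPLE_LOG = """\
2025-03-14T09:00:01Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:02Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:03Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:04Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:05Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:06Z vpn-gw auth: result=failure user=jsmith src=203.0.113.10
2025-03-14T09:00:10Z vpn-gw auth: result=failure user=admin src=198.51.100.7
2025-03-14T09:00:11Z vpn-gw auth: result=failure user=bjones src=198.51.100.7
2025-03-14T09:00:12Z vpn-gw auth: result=failure user=mlee src=198.51.100.7
2025-03-14T09:00:13Z vpn-gw auth: result=failure user=svc-backup src=198.51.100.7
2025-03-14T09:00:14Z vpn-gw auth: result=failure user=helpdesk src=198.51.100.7
2025-03-14T09:01:00Z vpn-gw auth: result=failure user=ceo src=192.0.2.1
2025-03-14T09:01:30Z vpn-gw auth: result=failure user=ceo src=192.0.2.2
2025-03-14T09:02:00Z vpn-gw auth: result=failure user=ceo src=192.0.2.3
2025-03-14T09:02:30Z vpn-gw auth: result=failure user=ceo src=192.0.2.4
2025-03-14T09:03:00Z vpn-gw auth: result=failure user=ceo src=192.0.2.5
2025-03-14T09:05:00Z vpn-gw auth: result=success user=mlee src=203.0.113.55
"""

# Assumed line layout; adapt to the real product's log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src_ip); unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), ip_fail_threshold=6,
           ip_user_threshold=4, user_ip_threshold=4):
    """Sliding-window detection over failed logins. Returns a dict of alert sets:

    brute_force:         one source IP has >= ip_fail_threshold failures in `window`
    credential_stuffing: one source IP fails against >= ip_user_threshold distinct users
    distributed:         one username fails from >= user_ip_threshold distinct IPs
                         (the proxy-fleet pattern; each IP may stay under per-IP limits)
    Thresholds are illustrative and should be tuned to the environment.
    """
    alerts = {"brute_force": set(), "credential_stuffing": set(), "distributed": set()}
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    fails_by_user = defaultdict(deque)  # user -> deque of (ts, ip)
    for ts, result, user, src in sorted(events):
        if result != "failure":
            continue
        q = fails_by_ip[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= ip_fail_threshold:
            alerts["brute_force"].add(src)
        if len({u for _, u in q}) >= ip_user_threshold:
            alerts["credential_stuffing"].add(src)
        uq = fails_by_user[user]
        uq.append((ts, src))
        while uq and ts - uq[0][0] > window:
            uq.popleft()
        if len({ip for _, ip in uq}) >= user_ip_threshold:
            alerts["distributed"].add(user)
    return alerts


class RateLimiter:
    """Allow at most `max_attempts` login attempts per key (IP or account) per `window`.
    Keying the same limiter by username as well as by source IP is what catches
    an attacker spreading one account's guesses over many proxy addresses."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=1)):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)

    def allow(self, key, ts):
        q = self.attempts[key]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(ts)
        return True


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {sorted(hits)}")
```

Run as-is, the script reports `203.0.113.10` as brute force, `198.51.100.7` as credential stuffing, and the `ceo` account as a distributed attempt from five addresses. In production the same three aggregations (per IP, per IP by distinct user, per user by distinct IP) map directly onto SIEM correlation rules, and the `RateLimiter` keyed by account is the piece that per-IP throttling on the appliance usually lacks.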