Automated brute forcing tool leveraged in Black Basta ransomware intrusions

VPNs, firewalls, and other edge network devices have been infiltrated by the Black Basta ransomware gang through its proprietary BRUTED automated brute-forcing tool since 2023, reports BleepingComputer.

After searching for online Microsoft Remote Desktop Web Access, SonicWall NetExtender, Cisco AnyConnect, Fortinet SSL VPN, Palo Alto GlobalProtect, Citrix NetScaler, and WatchGuard SSL VPN instances via subdomain enumeration, IP address resolution, and prefix inclusion, BRUTED combined password candidates with locally generated credentials to issue large numbers of authentication requests, according to an investigation from EclecticIQ, which identified the brute-forcing framework while examining the ransomware operation's exposed internal chats.

Aside from extracting SSL Common Name and Subject Alternative Name values to generate further speculative credentials, BRUTED also sought to obfuscate its Russia-based infrastructure through SOCKS5 proxies. Such findings emphasize the emergence of more sophisticated adversarial tools and should prompt organizations to adopt a more robust security strategy, including unique passwords for edge device and VPN accounts as well as multi-factor authentication.
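Defenders reviewing edge-device authentication logs can look for the two patterns a tool like BRUTED leaves behind: a burst of failures across many usernames from one source, and a success that follows a run of failures from the same source. The following detection logic is an added example, not part of the original article or of any vendor's product; the log format and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real device); assumed format: "<ISO ts> vpn-auth src=<ip> user=<name> result=<success|failure>"
SAMPLE_LOG = """\
2025-03-10T02:00:01Z vpn-auth src=203.0.113.7 user=jsmith result=failure
2025-03-10T02:00:03Z vpn-auth src=203.0.113.7 user=admin result=failure
2025-03-10T02:00:05Z vpn-auth src=203.0.113.7 user=vpn result=failure
2025-03-10T02:00:07Z vpn-auth src=203.0.113.7 user=helpdesk result=failure
2025-03-10T02:00:09Z vpn-auth src=203.0.113.7 user=backup result=failure
2025-03-10T02:00:11Z vpn-auth src=203.0.113.7 user=mlee result=success
2025-03-10T09:15:00Z vpn-auth src=198.51.100.20 user=mlee result=success
"""

def parse(log_text):
    """Parse each line into (timestamp, src, user, result); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "vpn-auth":
            continue
        kv = dict(p.split("=", 1) for p in parts[2:])
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["src"], kv["user"], kv["result"]))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_fail=5, min_users=3):
    """Sources with >= min_fail failures over >= min_users distinct usernames inside a sliding window: automated guessing, not a typo."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "failure":
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        for i, (start, _) in enumerate(items):
            users = [u for t, u in items[i:] if t - start <= window]
            if len(users) >= min_fail and len(set(users)) >= min_users:
                flagged[src] = sorted(set(users))
                break
    return flagged

def detect_success_after_failures(events, window=timedelta(minutes=10), min_fail=3):
    """(src, user) pairs where a success follows >= min_fail failures from the same source within the window: a guessed credential accepted."""
    hits = []
    for i, (ts, src, user, result) in enumerate(events):
        if result == "success":
            prior = [e for e in events[:i] if e[1] == src and e[3] == "failure" and ts - e[0] <= window]
            if len(prior) >= min_fail:
                hits.append((src, user))
    return hits
```

The second detector is the one worth paging on: a flagged spray followed by a success means the account should be treated as compromised until the password is rotated and MFA is confirmed.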