Ransomware group develops brute force framework

Automated attacks: BlackBasta relies on “BRUTED”


The ransomware group BlackBasta has developed a powerful tool to automate brute force attacks on edge network devices such as firewalls and VPNs. The framework, called “BRUTED”, allows attackers to crack targeted credentials and scale ransomware attacks on vulnerable networks.

BlackBasta and the development of BRUTED

Security researchers from EclecticIQ came across the tool while examining the group’s internal chat logs. Their analysis shows that BRUTED has been active since 2023 and has been carrying out large-scale attacks on various remote access products. The affected systems include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb and WatchGuard SSL VPN.


How the brute force framework works

BRUTED identifies potential targets by enumerating publicly accessible devices based on specific subdomains or IP addresses. The tool looks for naming patterns such as “.vpn” or “remote” and reports hits to a command-and-control (C2) server. Once suitable targets are identified, BRUTED retrieves password lists from an external server, combines them with locally generated variants and launches automated brute force attacks. The framework spreads the work across several CPU processes to maximize throughput.

A particularly dangerous aspect of the tool is its ability to extract Common Name (CN) and Subject Alternative Names (SAN) from SSL certificates of target devices. This allows it to generate additional password suggestions based on the company’s domain and naming conventions to increase the likelihood of successful attacks.

Attackers’ concealment tactics and infrastructure

To avoid detection, BRUTED uses a list of SOCKS5 proxies with inconspicuous domain names. This conceals the true infrastructure of the attackers. According to EclecticIQ’s analysis, several servers in Russia registered under the name Proton66 (AS 198953) are involved. This indicates that the threat actors are well organized and purposefully disguise their infrastructure to make prosecution more difficult.


Threat potential and protective measures

Brute force attacks are nothing new, but automation through BRUTED significantly increases the potential threat. The combination of scalability, intelligent target detection and efficient password generation minimizes the effort for cyber criminals while increasing the chances of success.

Companies and organizations should therefore focus more on security measures to protect themselves against such attacks. These include:

  • Strong, unique passwords for all edge devices and VPN accounts.
  • Regular security updates for network devices to close known vulnerabilities.
  • Monitoring and logging of login attempts to detect unusual activities at an early stage.

The increasing professionalization of cybercrime through automation tools such as BRUTED shows how important it is to continuously adapt security strategies and take proactive action against new threats.

(vp/8com GmbH & Co. KG)
