Hacker group Black Basta has developed its own tool for automating brute-force attacks

Researchers have noticed that the Black Basta ransomware group has developed its own automated brute-force platform, called BRUTED, which is used to hack edge network devices such as firewalls and VPNs.


According to EclecticIQ, BRUTED was discovered while analyzing the group's chat logs that were recently leaked online. This framework allowed hackers to simplify initial access to networks and scale ransomware attacks on vulnerable endpoints. According to experts, Black Basta has been using the BRUTED platform since 2023 to conduct large-scale credential-stuffing and brute-force attacks.


Analysis of the source code showed that the framework is specifically designed to brute force credentials in the following products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.



The framework discovers publicly accessible edge network devices that match a target list by enumerating subdomains, resolving IP addresses, and prepending hostname prefixes such as "vpn." and "remote." to the target domains. Information about matches is transmitted to the command and control server.


Once potential targets have been identified, BRUTED fetches possible passwords from a remote server and combines them with locally generated guesses to perform multiple authentication requests across multiple CPU processes, using specific request headers and user agents for each target device.


According to a report by EclecticIQ, BRUTED can extract Common Name (CN) and Subject Alternative Names (SAN) from target devices' SSL certificates, which helps generate additional possible password variations based on domain and naming conventions.



To avoid detection, the framework uses a number of SOCKS5 proxies with the domain name <...>fuck-you-usa[.]com, which masks the attackers' infrastructure. The researchers note that the main infrastructure includes several servers located in Russia and is registered as Proton66 (AS 198953).
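Seen from the gateway's own authentication log, the behaviour described in the two passages above (parallel login attempts with a fixed User-Agent per product, spread across a pool of SOCKS5 proxies) leaves four patterns that are worth alerting on. The script below is an added example, not code from the article or from EclecticIQ's report; it runs the four heuristics over a constructed, simplified log format (the field layout, thresholds and sample lines are all assumptions) and returns findings that a practitioner can map onto a real gateway's syslog or CEF output.

```python
"""Detecting BRUTED-style activity in VPN authentication logs.

Added example, not code from the article or from EclecticIQ. It models the
behaviour described above from the defender's side: failure bursts from one
source, one account hit from many sources (a proxy pool), a success right after
a burst, and one User-Agent reused across many sources. The log format is a
constructed, simplified one; map the fields to your gateway's output before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Assumed format:
#   <ISO-8601 UTC timestamp> <src_ip> user=<name> result=<ok|fail> ua="<User-Agent>"
SAMPLE_LOG = """\
2025-03-12T08:00:01Z 198.51.100.7 user=jsmith result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:00:02Z 198.51.100.7 user=jsmith result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:00:03Z 198.51.100.7 user=jsmith result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:00:04Z 198.51.100.7 user=jsmith result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:00:05Z 198.51.100.7 user=jsmith result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:00:06Z 198.51.100.7 user=jsmith result=ok ua="AnyConnect Linux_64 4.10"
2025-03-12T08:01:00Z 203.0.113.10 user=admin result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:01:10Z 203.0.113.11 user=admin result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:01:20Z 203.0.113.12 user=admin result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:01:30Z 203.0.113.13 user=admin result=fail ua="AnyConnect Linux_64 4.10"
2025-03-12T08:05:00Z 192.0.2.50 user=mlee result=fail ua="AnyConnect Win 4.10"
2025-03-12T08:05:30Z 192.0.2.50 user=mlee result=ok ua="AnyConnect Win 4.10"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def _max_in_window(items, window, measure):
    """Slide `window` over time-sorted (timestamp, value) pairs and return the
    largest measure(values inside the window)."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in items[start:end + 1]]))
    return best

def detect(lines, window=timedelta(minutes=5), fail_threshold=5,
           source_threshold=3, burst_threshold=3):
    """Run the four heuristics; return a list of findings (dicts with a 'type')."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails = [e for e in events if e["result"] == "fail"]
    findings = []
    # 1. Classic brute force: many failures from one source inside the window.
    by_ip = defaultdict(list)
    for e in fails:
        by_ip[e["ip"]].append((e["ts"], e["user"]))
    for ip, items in by_ip.items():
        n = _max_in_window(items, window, len)
        if n >= fail_threshold:
            findings.append({"type": "bruteforce_single_ip", "ip": ip, "failures": n})
    # 2. One account hit from many distinct sources: what a SOCKS5 proxy pool
    #    looks like in the log when per-IP counting alone would see nothing.
    by_user = defaultdict(list)
    for e in fails:
        by_user[e["user"]].append((e["ts"], e["ip"]))
    for user, items in by_user.items():
        n = _max_in_window(items, window, lambda ips: len(set(ips)))
        if n >= source_threshold:
            findings.append({"type": "distributed_per_account", "user": user, "source_ips": n})
    # 3. Success shortly after a failure burst from the same source: the guess
    #    probably landed, so this needs a response, not only an alert.
    for e in events:
        if e["result"] != "ok":
            continue
        prior = sum(1 for f in fails
                    if f["ip"] == e["ip"] and e["ts"] - window <= f["ts"] < e["ts"])
        if prior >= burst_threshold:
            findings.append({"type": "success_after_burst", "ip": e["ip"],
                             "user": e["user"], "prior_failures": prior})
    # 4. One User-Agent shared by failures from many sources. Real clients share
    #    UAs too, so treat this as a correlation hint, not as proof on its own.
    by_ua = defaultdict(set)
    for e in fails:
        by_ua[e["ua"]].add(e["ip"])
    for ua, ips in by_ua.items():
        if len(ips) >= source_threshold:
            findings.append({"type": "shared_user_agent", "user_agent": ua, "source_ips": len(ips)})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The second heuristic is the one that matters most against this kind of tooling: with a proxy pool in front of it, each source address may only ever fail once, so a per-IP lockout or rate limit never triggers, and only counting distinct sources per account in a time window exposes the campaign. The third heuristic is what turns an alert into an incident: a success that follows a burst from the same source should trigger a session kill and credential reset rather than a ticket.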



Experts conclude that tools like BRUTED make ransomware easier to operate, allowing hackers to infiltrate multiple networks at once with minimal effort, ultimately increasing the attackers' monetization opportunities.


The key strategy for protecting against such threats, researchers say, is using strong and unique passwords for all edge devices and VPN accounts, as well as multi-factor authentication (MFA) to block access even if credentials are compromised.
