
Summary
The Black Basta ransomware gang developed BRUTED, a tool automating brute-force attacks on VPNs and firewalls. This framework streamlines network access and scales ransomware attacks. Organizations must bolster their security measures to protect against this evolving threat.
Main Story
The Black Basta ransomware operation has developed a new tool, BRUTED, to automate brute-force attacks against Virtual Private Networks (VPNs) and firewalls. This discovery comes from EclecticIQ researcher Arda Büyükkaya, who analyzed leaked internal chat logs and source code from the Black Basta group. BRUTED enables the ransomware gang to gain initial access to corporate networks more efficiently and scale their attacks against vulnerable internet-exposed endpoints.
BRUTED: Automating Cyberattacks
Büyükkaya’s analysis reveals that Black Basta has used BRUTED since 2023 for large-scale credential stuffing and brute-force attacks. The framework targets several popular VPN and remote-access products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN. The tool finds publicly accessible edge devices through subdomain enumeration, IP resolution, and guessing common hostname prefixes such as ‘vpn.’ or ‘remote.’ in front of a target’s domain. Once identified, potential targets are reported back to the command-and-control (C2) server.
How BRUTED Works
BRUTED then retrieves password candidates from a remote server, combining them with locally generated guesses to perform numerous authentication requests across multiple CPU processes. The tool uses specific request headers and user agents for each targeted device, increasing the effectiveness of the brute-force attacks. Furthermore, BRUTED extracts information from SSL certificates, such as Common Name (CN) and Subject Alternative Names (SAN), to generate additional password guesses based on domain names and naming conventions. To evade detection, the framework employs SOCKS5 proxies to conceal the attackers’ infrastructure.
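The certificate-driven guessing described above, as an added illustration rather than BRUTED’s own code: the organisation-identifying labels are pulled out of the CN and SAN hostnames, then combined with common suffix and capitalisation mutations. The certificate fields, the generic-label list and the mutation set are all constructed for this example; the real tool’s wordlist rules are not published on this page.

```python
"""Added example (not BRUTED's source): turn hostnames from a TLS
certificate's CN/SAN into password candidates, mirroring the technique
the analysis describes. All sample data below is constructed."""
import itertools
from typing import Iterable, List

# Constructed example of a certificate's Common Name and SAN entries.
SAMPLE_CN = "vpn.examplecorp.com"
SAMPLE_SANS = ["vpn.examplecorp.com", "remote.examplecorp.com", "*.examplecorp.co.uk"]

# Assumed lists: service labels and TLD-like labels that carry no org identity.
GENERIC_LABELS = {"vpn", "remote", "www", "mail", "gateway", "portal", "sslvpn"}
TLD_LABELS = {"com", "net", "org", "co", "uk", "io"}


def org_tokens(names: Iterable[str]) -> List[str]:
    """Extract organisation-identifying labels from hostnames, dropping
    wildcards, generic service labels and TLD-like labels, in first-seen order."""
    tokens: List[str] = []
    for name in names:
        for label in name.lower().split("."):
            label = label.strip("*")  # "*.examplecorp.co.uk" -> drop the wildcard label
            if not label or label in GENERIC_LABELS or label in TLD_LABELS:
                continue
            if label not in tokens:
                tokens.append(label)
    return tokens


def candidates(names: Iterable[str], year: int = 2025) -> List[str]:
    """Build guesses by combining each org token with capitalisation
    variants and a small, assumed set of common suffixes."""
    suffixes = ["", "1", "123", "!", str(year), f"{year}!", f"@{year}"]
    out: List[str] = []
    for tok in org_tokens(names):
        variants = sorted({tok, tok.capitalize(), tok.upper()})
        for variant, suffix in itertools.product(variants, suffixes):
            out.append(variant + suffix)
    return list(dict.fromkeys(out))  # de-duplicate, keep order


if __name__ == "__main__":
    for guess in candidates([SAMPLE_CN] + SAMPLE_SANS):
        print(guess)
```

The defensive reading is the useful one: any password that contains the company or domain name, in any casing, with a year or a trailing “!” is inside the search space a tool like this enumerates first, so a password policy that forbids such tokens (and MFA in front of the portal) removes most of the value of the certificate harvesting step.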
Protecting Your Organization Against BRUTED
BRUTED doesn’t exploit specific vulnerabilities; it relies on weak, reused or guessable credentials on internet-exposed login portals. That makes the defence largely a matter of identity hygiene and monitoring. Organizations can take the following steps to protect themselves against these automated brute-force attacks:
- Strong Passwords and Multi-Factor Authentication (MFA): Enforce strong, unique passwords for all accounts and require MFA on every internet-facing VPN, RDWeb and firewall login, so a guessed password alone does not grant access. Because the tool performs bulk guessing, also enable account lockout or rate limiting on those portals so that high-volume attempts are throttled.
- Regular Patching and Updates: Keep all software and systems, including VPNs, firewalls, and operating systems, up-to-date with the latest security patches. This minimizes vulnerabilities that attackers might exploit.
- Network Segmentation and Access Control: Segment your network to limit the impact of a breach. Implement strict access controls to ensure users only have access to the resources they need.
- Security Audits and Vulnerability Scanning: Conduct regular security audits and vulnerability scans to identify and address potential weaknesses in your network infrastructure.
- Intrusion Detection and Prevention Systems: Implement intrusion detection and prevention systems to monitor network traffic for suspicious activity and block malicious attempts. In particular, alert on bursts of failed logins from one source against many accounts, and on one account being hit from many source addresses, since the framework’s SOCKS5 proxy rotation spreads a single campaign across many IPs.
- Security Awareness Training: Train employees to recognize and avoid phishing attacks and other social engineering tactics that attackers often use to steal credentials.
- Incident Response Plan: Develop a comprehensive incident response plan to guide your actions in case of a ransomware attack. This includes procedures for backup and recovery, communication, and containment.
- Regular Backups: Maintain regular offline backups of critical data to ensure you can recover your information if it becomes encrypted by ransomware.
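Added example, not from the article or the EclecticIQ analysis: a small detector for the two login-failure patterns that the guessing described above produces, run over constructed log lines. The log layout (“timestamp source_ip username RESULT”) is made up for this example and matches no vendor format; the 5-minute window and the threshold of five distinct values are assumptions to tune against real volumes.

```python
"""Added example (not from the page): flag password spraying (one source,
many usernames) and proxy-distributed brute force (one username, many
sources) in VPN login logs. Log format and sample data are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample in a made-up "timestamp src_ip username RESULT" layout.
SAMPLE_LOG = """\
2025-03-17T10:00:00Z 198.51.100.7 carol OK
2025-03-17T10:00:01Z 203.0.113.10 alice FAIL
2025-03-17T10:00:02Z 203.0.113.10 bob FAIL
2025-03-17T10:00:03Z 203.0.113.10 carol FAIL
2025-03-17T10:00:04Z 203.0.113.10 dave FAIL
2025-03-17T10:00:05Z 203.0.113.10 erin FAIL
2025-03-17T10:00:06Z 203.0.113.10 frank FAIL
2025-03-17T10:01:00Z 198.51.100.21 admin FAIL
2025-03-17T10:01:10Z 198.51.100.22 admin FAIL
2025-03-17T10:01:20Z 198.51.100.23 admin FAIL
2025-03-17T10:01:30Z 198.51.100.24 admin FAIL
2025-03-17T10:01:40Z 198.51.100.25 admin FAIL
2025-03-17T10:01:50Z 198.51.100.26 admin OK
2025-03-17T10:30:00Z 198.51.100.7 carol FAIL
2025-03-17T10:30:05Z 198.51.100.7 carol OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def parse(text):
    """Return a time-sorted list of (ts, src, user, ok); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)


def _trim(q, ts, window):
    """Drop entries older than the sliding window from the left of a deque."""
    while q and ts - q[0][0] > window:
        q.popleft()


def detect(events, window=timedelta(minutes=5), distinct_threshold=5):
    """Sliding-window detection keyed two ways:
    - per source IP, distinct usernames that failed  -> password spraying
    - per username, distinct source IPs that failed   -> distributed brute force
    A successful login for a user whose failure burst already crossed the
    threshold is reported separately, as it may be the guess that worked."""
    by_src = defaultdict(deque)   # src  -> deque of (ts, user)
    by_user = defaultdict(deque)  # user -> deque of (ts, src)
    spraying, distributed, success_after_burst = set(), set(), set()
    for ts, src, user, ok in events:
        if ok:
            recent = by_user[user]
            _trim(recent, ts, window)
            if len({s for _, s in recent}) >= distinct_threshold:
                success_after_burst.add((user, src))
            continue
        q = by_src[src]
        q.append((ts, user))
        _trim(q, ts, window)
        if len({u for _, u in q}) >= distinct_threshold:
            spraying.add(src)
        q = by_user[user]
        q.append((ts, src))
        _trim(q, ts, window)
        if len({s for _, s in q}) >= distinct_threshold:
            distributed.add(user)
    return {
        "spraying_sources": spraying,
        "distributed_targets": distributed,
        "success_after_burst": success_after_burst,
    }


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

Two design points matter when porting this to real logs. Keying on the username as well as the source address is what catches a proxy-rotated campaign, since a per-IP lockout threshold never trips when each address makes only one or two attempts. And the “success after burst” signal is the one to page on: a lockout stops the guessing, but a success in the middle of a burst means a credential has been found and the account needs an immediate password reset and session review.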
The emergence of BRUTED underscores the evolving tactics of ransomware gangs and the need for organizations to proactively strengthen their cybersecurity defenses. By implementing these security measures, businesses can significantly reduce their risk of falling victim to automated brute-force attacks and ransomware. As of March 17, 2025, this information is current but may change as new threats emerge. Regularly reviewing and updating your security practices is crucial for maintaining a strong defense.
Given BRUTED’s reliance on password guessing, how effective are common password complexity policies against mitigating this threat, and what alternative strategies might offer better protection?
That’s a great point! While password complexity policies help, they aren’t foolproof. Multi-factor authentication (MFA) significantly raises the bar. Also, adaptive authentication, which analyzes user behavior and device characteristics, can offer better protection against brute-force attacks like those using BRUTED. It’s about layering security measures for a robust defense!
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
BRUTED grabbing SSL cert info to guess passwords based on domain names? That’s some next-level dedication to password cracking! Suddenly, my cat’s name + “123” doesn’t seem quite as secure as I thought. Time to rename her “j5aZ&9pL” maybe?
That’s right! BRUTED’s use of SSL cert info shows how attackers are leveraging easily accessible data. The domain name correlation is a clever approach. Definitely time to rethink those pet-name-based passwords. A strong, unique password (or “j5aZ&9pL”) and MFA are crucial!
Editor: StorageTech.News
BRUTED sounds like a real go-getter! Password guessing from SSL certificates? Are we sure it’s not sentient and just trying to understand our naming conventions for world domination? Maybe we should offer it a job in marketing instead?
That’s a hilarious take! BRUTED applying for a marketing role is a thought. It does highlight how much information is readily available from SSL certificates. Maybe we need to rethink what data we expose on them. World domination via marketing… now that’s a campaign!
Editor: StorageTech.News
BRUTED’s capability to target multiple VPNs highlights the broad attack surface many organizations expose. The mentioned reliance on subdomain enumeration is also a stark reminder of the need for meticulous external asset management and monitoring for potential vulnerabilities.
Thanks for highlighting the importance of meticulous external asset management! It’s often overlooked, but subdomain enumeration can reveal a surprising amount of information. Regular audits and monitoring are definitely crucial for identifying and mitigating potential vulnerabilities before they can be exploited. Let’s keep the discussion going!
Editor: StorageTech.News
BRUTED targeting VPNs? Suddenly, my dreams of working remotely from a tropical beach with questionable Wi-Fi seem a tad riskier. I guess I’ll stick to spreadsheets and strong passwords for now!
Haha! I completely understand. Maybe that beach can have a dedicated, secure VPN router just for you. The dream is still alive with a little extra security! Remember to check the VPN’s security too, especially on those questionable Wi-Fi networks. Safe travels (and safe browsing)!
Editor: StorageTech.News
BRUTED… because manually trying passwords is just *so* last year. Makes you wonder what automated evil genius tool they’ll dream up next. Time to up our game!
Absolutely! It’s fascinating (and a little scary) to see how sophisticated these tools are becoming. BRUTED is a reminder we constantly need to think ahead of the curve and proactively adapt our security strategies. Let’s share ideas on how to stay one step ahead!
Editor: StorageTech.News
BRUTED’s ability to target multiple VPN solutions underscores the importance of diverse security assessments. Penetration testing should simulate these automated attacks to identify vulnerabilities across different access points and ensure comprehensive protection.
That’s a great point about diverse security assessments! Simulating these attacks via penetration testing really helps to stress-test defenses across different VPN access points. It’s about proactively finding those weak spots before attackers do and ensuring that comprehensive protection is in place.
Editor: StorageTech.News
BRUTED – automating brute-force attacks! It’s almost… efficient? Makes me wonder if they offer consulting services on *defending* against such attacks? Asking for a friend, of course.
That’s a funny thought! While I doubt they offer defense consulting, it highlights an important need. Maybe ethical hacking firms could learn from these attack methods and offer even better defensive strategies. Understanding the attacker’s mindset is crucial in building effective security.
Editor: StorageTech.News