Ransomware Gang Creates Tool to Automate VPN Brute-Force Attacks
Summary:
EclecticIQ security researcher Arda Byukkaya has uncovered details of a novel framework, dubbed ‘BRUTED,’ which the Black Basta ransomware gang has used since 2023 to conduct large-scale credential-stuffing and brute-force attacks against edge network devices. BRUTED is capable of brute-forcing credentials on the following VPN and remote-access products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN. The framework identifies publicly accessible edge networking devices by scanning subdomains, resolving IP addresses, and appending common prefixes like ".vpn" or "remote." Once potential targets are found, BRUTED retrieves password candidates from a remote server and combines them with locally generated guesses to perform multiple authentication attempts. According to Byukkaya, BRUTED can extract the Common Name and Subject Alternative Names from the SSL certificates of targeted devices and uses this information to refine its password guessing based on the target’s domain and naming patterns. Additionally, to avoid detection, the framework leverages a list of SOCKS5 proxies with obfuscated domain names, effectively masking the attacker's infrastructure, which in this case comprises multiple servers in Russia.
Security Officer Comments:
EclecticIQ uncovered the BRUTED framework after analyzing internal Black Basta chat logs, which were recently leaked by a Russian-speaking actor known as “ExploitWhispers” on Telegram. Overall, the use of a framework like BRUTED has significantly enhanced the efficiency and reach of the Black Basta ransomware operation, allowing it to carry out targeted attacks with greater speed and effectiveness. BRUTED enables the brute-forcing of various firewalls, VPN and remote access products, which are commonly deployed by organizations worldwide to facilitate secure remote connections for employees. By exploiting weak or compromised credentials in these edge devices, the framework allows Black Basta actors to swiftly gain unauthorized access to organizational networks. Once inside, the attackers can deploy their ransomware strain, locking up critical systems and demanding ransom payments from the victimized organizations.
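The behaviour described above leaves a distinctive footprint in VPN authentication logs: one source cycling through many accounts, a single account failing from many rotating proxy addresses, or plain high-volume failures from one IP. The following is an added example (not code from the article, EclecticIQ or Black Basta) that parses constructed, generic syslog-style VPN auth lines (the `user=... src=... result=...` layout is an assumption, not any vendor's real format) and flags all three patterns in one pass:

```python
import re
from collections import defaultdict

# Constructed sample log lines in a generic syslog-style layout (not any vendor's real format).
SAMPLE_LOG = """\
2025-03-14T10:00:01Z vpn01 auth: user=jsmith src=192.0.2.5 result=OK
2025-03-14T10:00:05Z vpn01 auth: user=alice src=198.51.100.7 result=FAIL
2025-03-14T10:00:06Z vpn01 auth: user=bob src=198.51.100.7 result=FAIL
2025-03-14T10:00:07Z vpn01 auth: user=carol src=198.51.100.7 result=FAIL
2025-03-14T10:00:08Z vpn01 auth: user=dave src=198.51.100.7 result=FAIL
2025-03-14T10:00:09Z vpn01 auth: user=erin src=198.51.100.7 result=FAIL
2025-03-14T10:00:10Z vpn01 auth: user=frank src=198.51.100.7 result=FAIL
2025-03-14T10:01:00Z vpn01 auth: user=admin src=203.0.113.11 result=FAIL
2025-03-14T10:01:30Z vpn01 auth: user=admin src=203.0.113.12 result=FAIL
2025-03-14T10:02:00Z vpn01 auth: user=admin src=203.0.113.13 result=FAIL
2025-03-14T10:03:00Z vpn01 auth: user=jsmith src=192.0.2.5 result=FAIL
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def parse(text):
    """Yield (user, src, failed) for every line the pattern matches; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["user"], m["src"], m["result"] == "FAIL"

def detect(events, max_fails=5, max_users=4, max_sources=3):
    """Flag three shapes of failed-login activity in one pass over the events."""
    fails_by_src = defaultdict(int)
    users_by_src = defaultdict(set)
    srcs_by_user = defaultdict(set)
    for user, src, failed in events:
        if failed:
            fails_by_src[src] += 1
            users_by_src[src].add(user)
            srcs_by_user[user].add(src)
    return {
        # classic brute force: one source, many failures
        "noisy_sources": {s for s, n in fails_by_src.items() if n >= max_fails},
        # spraying / credential stuffing: one source cycling through many accounts
        "spraying_sources": {s for s, u in users_by_src.items() if len(u) >= max_users},
        # proxy rotation: one account failing from many distinct sources
        "distributed_users": {u for u, s in srcs_by_user.items() if len(s) >= max_sources},
    }

if __name__ == "__main__":
    for kind, hits in detect(parse(SAMPLE_LOG)).items():
        print(f"{kind}: {sorted(hits)}")
```

The thresholds are deliberately low for the constructed sample; in production they should be tuned per device and paired with a time window so that a slow, distributed campaign is not lost in daily background noise.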
Suggested Corrections:
Ensure Up-to-Date Firmware & Patch Management
- Apply security patches for firewalls, VPNs, and remote access solutions immediately to mitigate known vulnerabilities.
- Regularly monitor CISA’s Known Exploited Vulnerabilities (KEV) catalog and vendor advisories for emerging threats.
- Enforce strong, unique passwords for all edge devices and VPN accounts.
- Implement password complexity requirements to prevent brute-force and credential-stuffing attacks.
- Mandate regular password rotation, especially for privileged accounts.
- Implement geo-blocking to prevent access from unauthorized regions.
- Turn off unnecessary remote management services such as Telnet, FTP, or outdated SNMP versions.
- Disable default accounts that are not needed.
- Use role-based access control (RBAC) to limit administrative privileges.
- Avoid using company names, domains, or predictable words in SSL certificate fields.
- Use generic, non-descriptive values for Common Name (CN) and Subject Alternative Names (SAN) instead of exposing internal service names.
- Example: Instead of vpn.companyname.com, use randomized subdomains like access-secure-324.com.
https://www.bleepingcomputer.com/ne...e-creates-automated-tool-to-brute-force-vpns/