The Black Basta ransomware group has developed an automated brute-forcing framework, dubbed ‘BRUTED,’ to break into edge networking devices such as firewalls and VPN gateways. The tool automates the initial-access stage of their intrusions, letting the group run ransomware operations at scale against internet-exposed endpoints that are protected only by weak, reused, or previously leaked credentials.
BRUTED has been operational since 2023, conducting large-scale credential-stuffing and brute-force attacks on various VPN and remote-access products, including:
- SonicWall NetExtender
- Palo Alto GlobalProtect
- Cisco AnyConnect
- Fortinet SSL VPN
- Citrix NetScaler (Citrix Gateway)
- Microsoft RDWeb (Remote Desktop Web Access)
- WatchGuard SSL VPN
The framework finds publicly reachable devices by enumerating an organization’s subdomains, resolving them to IP addresses, and trying common hostname labels such as ‘vpn.’ or ‘remote.’ in front of the domain (for example vpn.example.com or remote.example.com). It then pulls password candidates from a remote server, combines them with guesses generated locally, and fires many authentication requests in parallel against each discovered login portal.
To hide its origin, BRUTED routes the attempts through a list of SOCKS5 proxies, so the target sees a rotating set of proxy exit addresses rather than the attacker’s own infrastructure. This matters for defenders: per-source-IP lockouts and geoblocking see only a few attempts from any single address. The backend infrastructure is hosted in Russia under Proton66 (AS198953).
Mitigation Measures
Organizations can defend against such brute-forcing attempts by implementing the following measures:
- Enforce Strong, Unique Passwords: Require long, unique passwords on every edge-device and VPN account, and screen them against known-breached password lists, since BRUTED’s candidate lists are built from exactly that kind of data.
- Enable Multi-Factor Authentication (MFA): Enforce MFA on the VPN or gateway login itself, not only on resources behind it. A correctly guessed password then yields nothing on its own.
- Monitor Authentication Attempts: Alert on high volumes of failed logins, on logins from unexpected geographies or hosting ASNs, and in particular on failures spread across many source IPs and many usernames in a short window, which is the signature of a proxied spray that per-IP counters miss.
- Implement Rate-Limiting and Account Lockout Policies: Per-source throttling slows single-origin attacks, but because BRUTED rotates through SOCKS5 proxies, pair it with per-account and device-wide failure thresholds so a distributed spray still trips a limit.
- Apply Security Updates Promptly: Credential attacks do not depend on software flaws, but the same exposed VPN and firewall appliances are also targeted through known vulnerabilities, so keep them patched to close that second route in.
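The monitoring and lockout points above both come down to the same question: does your detection count failures per source IP only, or also across sources? The following is an added example written for this article, not code from the original page or from the BRUTED tool. It runs two rules over a constructed VPN authentication log: a conventional per-IP threshold and a sliding-window check for many distinct source IPs failing against many distinct usernames. Every IP address, username, timestamp and the log format itself are invented for illustration; real appliances log in vendor-specific formats, so `parse_line` is the part to adapt.

```python
"""Spot BRUTED-style credential stuffing in VPN authentication logs.

Added example for this article; not code from the original page or from the
BRUTED tool. The log format and every IP, user and timestamp are constructed.
"""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user src")

# Constructed sample, one line per authentication attempt.
# Lines 1-20: a proxied spray. Six source IPs (a SOCKS5 pool) rotate through
# six usernames, so no single IP exceeds three failures.
# Lines 21-30: a classic single-source burst against one account.
SAMPLE_LOG = """\
2025-03-14T09:00:01Z FAIL user=jsmith src=203.0.113.10
2025-03-14T09:00:04Z FAIL user=admin src=203.0.113.11
2025-03-14T09:00:07Z FAIL user=mjones src=203.0.113.12
2025-03-14T09:00:10Z FAIL user=vpnuser src=203.0.113.13
2025-03-14T09:00:13Z FAIL user=rlee src=203.0.113.14
2025-03-14T09:00:16Z FAIL user=support src=203.0.113.15
2025-03-14T09:00:19Z FAIL user=jsmith src=203.0.113.11
2025-03-14T09:00:22Z FAIL user=admin src=203.0.113.12
2025-03-14T09:00:25Z FAIL user=mjones src=203.0.113.13
2025-03-14T09:00:28Z FAIL user=vpnuser src=203.0.113.14
2025-03-14T09:00:31Z FAIL user=rlee src=203.0.113.15
2025-03-14T09:00:34Z FAIL user=support src=203.0.113.10
2025-03-14T09:00:40Z SUCCESS user=kwong src=192.0.2.50
2025-03-14T09:00:45Z FAIL user=jsmith src=203.0.113.12
2025-03-14T09:00:48Z FAIL user=admin src=203.0.113.13
2025-03-14T09:00:51Z FAIL user=mjones src=203.0.113.14
2025-03-14T09:00:54Z FAIL user=vpnuser src=203.0.113.15
2025-03-14T09:00:57Z FAIL user=rlee src=203.0.113.10
2025-03-14T09:01:00Z FAIL user=support src=203.0.113.11
2025-03-14T09:01:30Z SUCCESS user=kwong src=192.0.2.50
2025-03-14T09:20:00Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:01Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:02Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:03Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:04Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:05Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:06Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:07Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:08Z FAIL user=admin src=198.51.100.7
2025-03-14T09:20:09Z FAIL user=admin src=198.51.100.7
"""

WINDOW = timedelta(minutes=5)
PER_IP_THRESHOLD = 10      # a typical per-source lockout / rate-limit level
SPRAY_IP_THRESHOLD = 5     # distinct failing source IPs within one window
SPRAY_USER_THRESHOLD = 5   # distinct failing usernames within one window


def parse_line(line):
    """Parse '<ISO8601> <RESULT> user=<u> src=<ip>' (constructed format)."""
    ts, result, user_kv, src_kv = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
                 user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def failures(log_text):
    """All FAIL events, sorted by time."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return sorted((e for e in events if e.result == "FAIL"), key=lambda e: e.ts)


def noisy_sources(fails, threshold=PER_IP_THRESHOLD):
    """Per-IP rule: catches the single-source burst, misses a spray that
    rotates proxies and stays under the limit from each address."""
    counts = Counter(e.src for e in fails)
    return {ip for ip, n in counts.items() if n >= threshold}


def worst_spray_window(fails, window=WINDOW):
    """Slide a time window over sorted failures; return the busiest window
    with many distinct sources AND many distinct usernames, else None."""
    best, j = None, 0
    for i, start in enumerate(fails):
        while j < len(fails) and fails[j].ts - start.ts < window:
            j += 1
        chunk = fails[i:j]
        ips = {e.src for e in chunk}
        users = {e.user for e in chunk}
        if len(ips) >= SPRAY_IP_THRESHOLD and len(users) >= SPRAY_USER_THRESHOLD:
            cand = {"start": start.ts, "attempts": len(chunk),
                    "distinct_ips": len(ips), "distinct_users": len(users)}
            if best is None or cand["attempts"] > best["attempts"]:
                best = cand
    return best


if __name__ == "__main__":
    fails = failures(SAMPLE_LOG)
    print("per-IP lockout would flag:", noisy_sources(fails) or "nothing")
    print("distributed spray window:", worst_spray_window(fails))
```

On this sample the per-IP rule flags only the burst source; the eighteen failures from the proxy pool never reach ten from any single address. The window rule flags them as one event because six sources hit six accounts inside five minutes. The thresholds are starting points; tune them against a baseline of your own gateway’s normal failure rate, and treat successes that follow such a window as the highest-priority alert.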