
Automated brute forcing tool leveraged in Black Basta ransomware intrusions


The Black Basta ransomware gang has used a proprietary automated brute-forcing framework, BRUTED, to break into VPNs, firewalls and other edge network devices since 2023, BleepingComputer reports.

BRUTED first locates internet-exposed instances of Microsoft Remote Desktop Web Access, SonicWall NetExtender, Cisco AnyConnect, Fortinet SSL VPN, Palo Alto GlobalProtect, Citrix NetScaler and WatchGuard SSL VPN through subdomain enumeration, IP address resolution and prefix inclusion. It then combines lists of password candidates with locally generated credential guesses and fires large volumes of authentication requests at those targets, according to an investigation by EclecticIQ, which identified the framework while examining the ransomware operation's leaked internal chats.

BRUTED also extracts the SSL certificate Common Name and Subject Alternative Name values from each target to generate further guessed credentials, and routes its traffic through SOCKS5 proxies to hide its Russia-based infrastructure.

These findings highlight the growing sophistication of adversary tooling and should prompt organizations to tighten their defenses by assigning a unique password to every edge device and VPN account and enforcing multi-factor authentication on all of them.
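The high-volume authentication attempts described above leave a distinctive trace in edge-device logs: many failures from one source in a short window, either against a single account (classic brute force) or across many accounts (password spraying), sometimes followed by a success. The following detector is an added example written for this article, not code from the report, from EclecticIQ or from any vendor product. It assumes a simplified, hypothetical log format (`timestamp src=… user=… result=FAIL|SUCCESS`) and operates on constructed sample lines; real VPN and firewall logs will need their own parser, but the counting logic carries over.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN authentication log format
# (not taken from any real device). Three sources: one hammering a single
# account, one spraying several accounts and then succeeding, one benign.
SAMPLE_LOG = """\
2025-03-14T09:00:01Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:00:03Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:00:05Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:00:07Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:00:09Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:00:11Z src=203.0.113.10 user=jsmith result=FAIL
2025-03-14T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2025-03-14T09:01:02Z src=198.51.100.7 user=bob result=FAIL
2025-03-14T09:01:04Z src=198.51.100.7 user=carol result=FAIL
2025-03-14T09:01:06Z src=198.51.100.7 user=dave result=FAIL
2025-03-14T09:01:08Z src=198.51.100.7 user=erin result=FAIL
2025-03-14T09:01:10Z src=198.51.100.7 user=frank result=SUCCESS
2025-03-14T09:05:00Z src=192.0.2.33 user=grace result=FAIL
2025-03-14T09:05:30Z src=192.0.2.33 user=grace result=SUCCESS
"""

# Hypothetical line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def max_failures_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Flag sources exceeding `fail_threshold` failures within `window`.

    A flagged source is labelled 'password_spray' when its failures touch at
    least `spray_users` distinct accounts, otherwise 'brute_force'. A success
    from the same source after its first failure is reported separately, since
    that is the case worth paging on.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        if max_failures_in_window([e["ts"] for e in fails], window) < fail_threshold:
            continue
        first_fail = min(e["ts"] for e in fails)
        users = {e["user"] for e in fails}
        findings[src] = {
            "pattern": "password_spray" if len(users) >= spray_users else "brute_force",
            "failures": len(fails),
            "distinct_users": len(users),
            "success_after_failures": any(e["ok"] and e["ts"] > first_fail for e in evs),
        }
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        print(src, f)
```

Thresholds are deliberately low so the constructed sample trips them; tune `window`, `fail_threshold` and `spray_users` against your own baseline, and treat `success_after_failures` as the alert that warrants an immediate credential reset and session review rather than a ticket.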
