The Black Basta ransomware operation has created an automated framework called 'BRUTED', designed to carry out brute force attacks on perimeter network devices such as firewalls and VPN connections. This tool enables cybercriminals to streamline initial access to enterprise networks and rapidly escalate attacks on vulnerable systems exposed to the internet.
This development poses a serious threat to businesses and organizations that rely on VPNs to secure their data and communications. With an automated and highly effective approach, Black Basta has refined its infiltration techniques, putting critical infrastructure at significant risk.
Throughout 2024, multiple large-scale brute force and password spraying attacks targeting these devices have been reported. Some of these incidents may be linked to the BRUTED operation or similar tactics.
Since 2023, the Black Basta ransomware group has been using an automated tool called BRUTED to conduct large-scale brute force and credential stuffing attacks on perimeter network devices.
Analysis of the tool's source code reveals that BRUTED was specifically designed to target credentials on a range of VPN and remote access platforms, including:
This advanced tool has become a powerful weapon for ransomware operators, enabling them to automate attacks and expand their reach with minimal effort. Businesses that rely heavily on VPNs for secure remote access should take immediate steps to strengthen their defenses against this growing threat.
The BRUTED tool is designed to search for publicly exposed perimeter network devices that match a predefined target list. To locate these devices, it generates combinations of subdomains, resolves IP addresses, and adds prefixes such as .vpn or .remote during its searches. When a match is found, the tool sends the information to a command and control (C2) server.
Once potential targets are identified, BRUTED retrieves a list of possible passwords from a remote server and combines them with locally generated guesses. It then launches multiple authentication attempts using several CPU processes to maximize its chances of success.
Analysis reveals that the tool employs specific request headers and user agents for each targeted device, enhancing the precision of the attack. Additionally, BRUTED can extract key information from SSL certificates of selected devices, such as Common Names (CN) and Subject Alternative Names (SAN). This tactic allows the tool to generate additional password guesses based on the target’s domain and typical naming conventions, further increasing its chances of successfully compromising the system.
To avoid detection, BRUTED uses a list of SOCKS5 proxy servers configured with domain names that appear legitimate. This tactic helps conceal the attacker’s true infrastructure behind an intermediate layer.
The primary infrastructure for this operation is located in Russia and is registered under the name Proton66 (AS 198953).
Interestingly, leaked chat logs revealed internal conversations where group members discussed server downtime caused by unpaid fees. Eventually, they managed to renew the services, highlighting that even ransomware gangs face logistical issues in their day-to-day operations.
Tools like BRUTED make it easier for cybercriminals to target multiple networks simultaneously with minimal effort. Naturally, this increases their chances of profiting through ransomware attacks. To protect yourself, it's crucial to follow some key best practices:
Additionally, it's important to:
It's also recommended to block requests from known malicious IPs and domains by setting up specific firewall rules designed to filter this type of traffic.
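The two behaviours described above, parallel authentication attempts from a single source and the recommendation to block offending addresses at the firewall, can be surfaced from a device's own authentication log. The following detector is an added example written for this article, not code from the original page or from any vendor. It assumes a simplified, constructed log format of the form "timestamp user=... src=... result=OK|FAIL" (real VPN appliances log differently, so the regular expression would need adapting), and the thresholds are illustrative assumptions. It classifies a burst of failures as a single-account brute force or, when the failures are spread over many accounts, as a password spray, and returns the source addresses a defender would feed into a blocklist.

```python
"""Detect brute-force and password-spraying bursts in VPN authentication logs.

Added example, not from the original article. The log syntax, the sample
lines and the thresholds are all constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed generic line format: "<ISO8601 UTC> user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample data (not real traffic). 203.0.113.10 hammers one account,
# 198.51.100.7 tries one guess against many accounts, 192.0.2.25 is a user who
# mistyped once and then logged in. One malformed line tests parser robustness.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z user=alice src=203.0.113.10 result=FAIL
2024-06-01T08:00:02Z user=alice src=203.0.113.10 result=FAIL
2024-06-01T08:00:03Z user=alice src=203.0.113.10 result=FAIL
2024-06-01T08:00:04Z user=alice src=203.0.113.10 result=FAIL
2024-06-01T08:00:05Z user=alice src=203.0.113.10 result=FAIL
2024-06-01T08:00:06Z user=alice src=203.0.113.10 result=FAIL
this line is not an auth record and must be skipped
2024-06-01T08:01:10Z user=bob src=198.51.100.7 result=FAIL
2024-06-01T08:01:15Z user=carol src=198.51.100.7 result=FAIL
2024-06-01T08:01:20Z user=dave src=198.51.100.7 result=FAIL
2024-06-01T08:01:25Z user=erin src=198.51.100.7 result=FAIL
2024-06-01T08:01:30Z user=frank src=198.51.100.7 result=FAIL
2024-06-01T08:01:35Z user=grace src=198.51.100.7 result=FAIL
2024-06-01T08:02:00Z user=hank src=192.0.2.25 result=FAIL
2024-06-01T08:02:09Z user=hank src=192.0.2.25 result=OK
"""


def parse_line(line):
    """Return a dict for a well-formed auth record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def analyze(lines, window=timedelta(minutes=5), fail_threshold=5, spray_user_threshold=5):
    """Find sources with >= fail_threshold failures inside any sliding window.

    A burst touching >= spray_user_threshold distinct accounts is labelled a
    password spray; otherwise it is labelled a brute force against few accounts.
    For each source the largest qualifying burst is reported.
    """
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and not ev["ok"]:
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < fail_threshold:
                continue
            users = {user for _, user in burst}
            kind = "password-spray" if len(users) >= spray_user_threshold else "brute-force"
            prev = findings.get(src)
            if prev is None or len(burst) > prev["failures"]:
                findings[src] = {"kind": kind, "failures": len(burst), "distinct_users": len(users)}
    return findings


def blocklist(findings):
    """Sorted source addresses to hand to a firewall blocklist / ipset."""
    return sorted(findings)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for src, info in result.items():
        print(f"{src}: {info['kind']} ({info['failures']} failures, "
              f"{info['distinct_users']} accounts)")
    print("block:", blocklist(result))
```

The single-account and many-account cases need different thresholds in practice: a spray that tries one password per account per hour stays under any per-source failure count, so a production rule should also count failures per target account across all sources and watch for the same user agent or request pattern appearing from many addresses, which is how proxy-distributed attempts like the SOCKS5 rotation described above tend to show up.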
Having an advanced cybersecurity solution that includes anti-ransomware protection is crucial. Solutions like TecnetProtect provide active defense against such threats using AI-based technology that analyzes process behavior in real time. These solutions can identify suspicious patterns, such as the mass encryption of files, and stop the attack before significant damage occurs.
In addition, these solutions often integrate automated and encrypted backups, ensuring that even in the event of a successful attack, critical data can be recovered without paying a ransom.
While BRUTED doesn’t exploit specific vulnerabilities to breach network devices, keeping your systems updated with the latest security patches remains a key measure to reduce risks.
Combining good security practices, advanced protection tools, and a proactive security strategy is the best defense against threats like these.