Black Basta Releases VPN Brute-Force Attack Tool

Written by Gustavo Sánchez | Mar 14, 2025 10:35:35 PM

The Black Basta ransomware operation has created an automated framework called 'BRUTED', designed to carry out brute force attacks on perimeter network devices such as firewalls and VPN connections. This tool enables cybercriminals to streamline initial access to enterprise networks and rapidly escalate attacks on vulnerable systems exposed to the internet.

This development poses a serious threat to businesses and organizations that rely on VPNs to secure their data and communications. With an automated and highly effective approach, Black Basta has refined its infiltration techniques, putting critical infrastructure at significant risk.

Throughout 2024, multiple large-scale brute force and password spraying attacks targeting these devices have been reported. Some of these incidents may be linked to the BRUTED operation or similar tactics.

Automated Brute Force Attacks

Since 2023, the Black Basta ransomware group has been using an automated tool called BRUTED to conduct large-scale brute force and credential stuffing attacks on perimeter network devices.

Analysis of the tool's source code reveals that BRUTED was specifically designed to target credentials on a range of VPN and remote access platforms, including:

  1. SonicWall NetExtender
  2. Palo Alto GlobalProtect
  3. Cisco AnyConnect
  4. Fortinet SSL VPN
  5. Citrix NetScaler (Citrix Gateway)
  6. Microsoft RDWeb (Remote Desktop Web Access)
  7. WatchGuard SSL VPN

This advanced tool has become a powerful weapon for ransomware operators, enabling them to automate attacks and expand their reach with minimal effort. Businesses that rely heavily on VPNs for secure remote access should take immediate steps to strengthen their defenses against this growing threat.

How BRUTED Works: Automated Brute Force Attacks

The BRUTED tool is designed to search for publicly exposed perimeter network devices that match a predefined target list. To locate these devices, it generates combinations of subdomains, resolves IP addresses, and adds prefixes such as .vpn or .remote during its searches. When a match is found, the tool sends the information to a command and control (C2) server.

Once potential targets are identified, BRUTED retrieves a list of possible passwords from a remote server and combines them with locally generated guesses. It then launches multiple authentication attempts using several CPU processes to maximize its chances of success.

Analysis reveals that the tool employs specific request headers and user agents for each targeted device, enhancing the precision of the attack. Additionally, BRUTED can extract key information from SSL certificates of selected devices, such as Common Names (CN) and Subject Alternative Names (SAN). This tactic allows the tool to generate additional password guesses based on the target’s domain and typical naming conventions, further increasing its chances of successfully compromising the system.

To avoid detection, BRUTED uses a list of SOCKS5 proxy servers configured with domain names that appear legitimate. This tactic helps conceal the attacker’s true infrastructure behind an intermediate layer.

The primary infrastructure for this operation is located in Russia and is registered under the name Proton66 (AS 198953).

Interestingly, leaked chat logs revealed internal conversations where group members discussed server downtime caused by unpaid fees. Eventually, they managed to renew the services, highlighting that even ransomware gangs face logistical issues in their day-to-day operations.

How to Protect Yourself from Brute Force Attacks

Tools like BRUTED make it easier for cybercriminals to target multiple networks simultaneously with minimal effort. Naturally, this increases their chances of profiting through ransomware attacks. To protect yourself, it's crucial to follow some key best practices:

  1. Use strong and unique passwords for your perimeter devices and VPN accounts.
  2. Enable multi-factor authentication (MFA); this prevents attackers from accessing accounts even if they manage to steal your credentials.

Additionally, it's important to:

  1. Monitor suspicious login attempts, especially those coming from unknown locations or involving multiple consecutive failures.
  2. Implement rate limiting and account lockout policies to slow down automated attacks.

It's also recommended to block requests from known malicious IPs and domains by setting up specific firewall rules designed to filter this type of traffic.
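The monitoring, lockout and rate-limiting advice above can be turned into concrete detection logic. The following Python script is an added example written for this article (it is not code from Black Basta, from any VPN vendor, or from TecnetProtect); it runs over a constructed sample of VPN authentication events and flags the three patterns BRUTED-style activity produces: repeated failures against one account (lockout), too many attempts from one source in a short window (rate limiting), and one source failing against many different accounts (password spraying). The log format and all thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not taken from any real device).
SAMPLE_LOG = """\
2025-03-14T22:00:01 src=203.0.113.10 user=alice result=FAIL
2025-03-14T22:00:02 src=203.0.113.10 user=bob result=FAIL
2025-03-14T22:00:03 src=203.0.113.10 user=carol result=FAIL
2025-03-14T22:00:04 src=203.0.113.10 user=dave result=FAIL
2025-03-14T22:01:00 src=198.51.100.7 user=vpn.admin result=FAIL
2025-03-14T22:01:20 src=198.51.100.7 user=vpn.admin result=FAIL
2025-03-14T22:01:40 src=198.51.100.7 user=vpn.admin result=FAIL
2025-03-14T22:05:00 src=192.0.2.55 user=grace result=FAIL
2025-03-14T22:05:30 src=192.0.2.55 user=grace result=SUCCESS
"""

def parse_line(line):
    """Parse 'TS src=IP user=NAME result=FAIL|SUCCESS' (assumed format) into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def analyze(log_text, lockout_failures=3, rate_max=3, rate_window=timedelta(seconds=60), spray_accounts=3):
    """Return accounts to lock, sources to rate-limit, and sources that look like password spraying."""
    consecutive = defaultdict(int)    # user -> failures since last success
    recent = defaultdict(deque)       # src  -> attempt timestamps within rate_window
    failed_users = defaultdict(set)   # src  -> distinct accounts it failed against
    lockout, rate_limited, spraying = set(), set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        window = recent[src]          # rate limiting: sliding window of all attempts per source
        window.append(ts)
        while ts - window[0] > rate_window:
            window.popleft()
        if len(window) > rate_max:
            rate_limited.add(src)
        if ev["result"] == "SUCCESS":
            consecutive[user] = 0     # a real login clears the failure streak
            continue
        consecutive[user] += 1        # lockout: consecutive failures on one account
        if consecutive[user] >= lockout_failures:
            lockout.add(user)
        failed_users[src].add(user)   # spraying: one source, one failure each, many accounts
        if len(failed_users[src]) >= spray_accounts:
            spraying.add(src)
    return {"lockout": lockout, "rate_limited": rate_limited, "spraying": spraying}
```

Calling `analyze(SAMPLE_LOG)` on the constructed sample locks `vpn.admin`, rate-limits and flags `203.0.113.10` as a sprayer, and leaves `grace`'s single failure followed by a successful login alone. In a real deployment the thresholds would be tuned to the device's normal traffic and the flagged sources fed into the firewall rules mentioned above.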

Advanced Cybersecurity Solutions

Having an advanced cybersecurity solution that includes anti-ransomware protection is crucial. Solutions like TecnetProtect provide active defense against such threats using AI-based technology that analyzes process behavior in real time. These solutions can identify suspicious patterns, such as the mass encryption of files, and stop the attack before significant damage occurs.

In addition, these solutions often integrate automated and encrypted backups, ensuring that even in the event of a successful attack, critical data can be recovered without paying a ransom.

While BRUTED doesn’t exploit specific vulnerabilities to breach network devices, keeping your systems updated with the latest security patches remains a key measure to reduce risks.

Combining good security practices, advanced protection tools, and a proactive security strategy is the best defense against threats like these.