In the Black Basta ransomware group, an automated brute force attack tool referred to as BRUTED has been developed to target and compromise edge networking devices such as firewalls and VPNs, as well as other edge networking devices. By using this sophisticated tool, they can efficiently breach vulnerable internet-facing endpoints, making them able to scale ransomware attacks considerably better than ever before.
A researcher at EclecticIQ identified the presence of BRUTED when she analyzed internal chat logs related to the ransomware gang, and she found that BRUTED exists. These logs were used to reveal insight into the tool's deployment and revealed that Black Basta has been employing BRUTED to conduct credential-stuffing and brute-force attacks since 2023 against a variety of remote access software programs.
This cyber threat has been targeting a wide variety of systems, including SonicWall NetExtender, Palo Alto GlobalProtect, and Citrix NetScaler, highlighting the broad scope of the threat.
It is Black Basta's intention to improve its operational efficiency by automating brute-force attacks, which in turn allows it to exploit critical infrastructure security vulnerabilities more systematically.
As a result of the discovery of BRUTED, organizations relying on internet-connected security solutions are at an even higher risk of cybercrime, as the evolving tactics and sophistication of ransomware groups are becoming more complex.
The Black Basta ransomware operation has developed an automated brute-force framework known as BRUTED, which has been designed specifically to compromise edge networking devices, such as firewalls and virtual private network access points.
As a result of this advanced framework, the group can gain early access to targeted networks, which facilitates large-scale ransomware attacks on vulnerable, internet-connected endpoints, which will lead to a successful attack.
A recently published study by Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, confirms that the Black Basta ransomware group is using a previously unidentified brute-force framework for stealing data.
Known as BRUTED, this framework is specifically crafted to automate the process of compromising enterprise VPNs and firewalls, thus enhancing the group's ability to gain unauthorized access to corporate networks, which is significantly enhanced.
Multiple reports have emerged throughout 2024 detailing the extensive use of brute-force attacks against these devices and password spray.
It is still unclear how these incidents are linked to BRUTED or other threat actor operations, although the issue is still under investigation. This tool has been developed to highlight the increasing sophistication of ransomware tactics and the increasing risk organizations face when relying on internet-connected security infrastructure as part of their security measures.
A thorough analysis of Büyükkaya's source code has proven that the tool's primary function consists of snooping across the internet and credential stuffing attacks, to attack edge network devices. It has been widely used within corporate environments to implement firewalls and VPN solutions.
By its log-naming conventions, BRUTED is referred to as the bruised tool, and researchers at EclecticIQ have concluded that it is used by Black Basta to perform large-scale credential-stuffing attacks. This group gains an initial foothold by exploiting weak or reused credentials, which allows them to move from compromised networks to other compromised ones, and ultimately install ransomware.
It is also BRUTED's responsibility to assist affiliates, who are responsible for performing initial access operations in ransomware campaigns, as well as to enhance the group's operational efficiency. As the framework automates and scales attacks, it can widen the victim pool and accelerate the monetization process, thus increasing the efficiency of ransomware operations.
As a result of this discovery, cybercriminals have become increasingly sophisticated in their tactics, which highlights the need for robust security measures to protect against them.
Arda Büyükkaya explained that the BRUTED framework will enable Black Basta affiliates to automate and scale their attacks to significantly increase the number of victims they can target, as well as boost their monetization efforts to continue operating ransomware.
As a result of the emergence of this brute-forcing tool, edge devices are demonstrating their ongoing vulnerability, especially in light of persistent warnings from private cybersecurity firms and government agencies regarding increased threats targeting VPN services. Even though these advisories have been issued, it remains a lucrative attack vector for cybercriminals to hack passwords for firewalls and virtual private networks (VPNs).
According to the Qualys team, a blog post a while back highlighted the fact that Black Basta has been using default VPN credentials, brute force techniques involving stolen credentials, and other forms of access to gain initial access to their systems. In this report, the manager of vulnerability research at Qualys Threat Research Unit and a co-author of the report asserted that weak passwords for VPNs and other services that are open to the public continue to pose a significant security risk to organizations.
Furthermore, Abbasi emphasized that several leaked Black Basta chat logs contained simple or predictable credentials, demonstrating the persistent vulnerabilities that threat actors exploit to infiltrate corporate networks. By implementing the BRUTED framework, threat actors can streamline their ransomware operations, as it enables them to infiltrate multiple networks at the same time with as little effort as possible.
As a result of this automation, cybercriminals have access to greater monetization opportunities, which allows them to scale their attacks more efficiently. The risks posed by such tools must be mitigated by the adoption of strong cybersecurity practices. To protect against these risks, organizations must enforce unique passwords for all edge devices and VPNs.
Further, multi-factor authentication (MFA) is an essential component of any security system because it adds another layer of protection that prevents unauthorized access, even when credentials are compromised. To identify potential threats, continuous network monitoring is also crucial.
Security teams should keep an eye on authentication attempts coming from unfamiliar locations and flag high volumes of failures to log in as an indicator of brute force attacks.
Several measures can be implemented to reduce the effectiveness of credential-stuffing techniques, such as rate-limiting measures and account-locking policies. As a result of the growing threat of BRUTED, EclecticIQ has provided a list of IP addresses and domains associated with the framework to the public in response.
Indicators such as these can be used to update firewall rules so that requests from known malicious infrastructure will be blocked effectively while limiting the tool's reach.
BRUTED does not exploit software vulnerabilities to gain access to network edge devices, but maintaining up-to-date security patches remains an important part of cybersecurity. Regularly applying the latest patches ensures that potential vulnerabilities in the network security systems are addressed, thus strengthening the overall resilience of the network security systems.
