A cybercriminal group called Black Basta has built a new tool that helps them break into remote systems like VPNs and firewalls by guessing weak passwords. This tool allows them to easily target companies and demand ransom.
According to cybersecurity experts, the tool— named BRUTED, automatically scans the internet to find systems that might be easy to hack. It focuses on popular VPN and firewall services from companies like Cisco, Fortinet, Palo Alto, and others. It also attacks systems used for remote desktop access.
The tool gathers information like IP addresses, website subdomains, and security certificates to help guess passwords specific to each organization. It then sends fake login requests that look like they’re from a real user or device, making it harder to detect.
Since BRUTED runs automatically, it helps hackers attack many targets quickly. This increases their chances of breaking in and earning money from ransomware attacks.
Experts warn that many companies still rely on simple or repeated passwords, which makes their systems easy to hack. Sometimes, attackers use leaked or default passwords that organizations forget to change.
This poor password management exposes businesses to big risks. In fact, weak passwords might have also caused a leak in Black Basta’s own data when a hacker broke into a Russian bank and exposed the gang’s private chats.
Black Basta is known for targeting important industries like healthcare and manufacturing, where even a small disruption can cause major losses. These industries are more likely to pay ransom to avoid shutdowns.
Security experts are urging businesses to act fast—use strong and unique passwords, change default settings, run regular security checks, and train employees about password safety.
Good password habits can help prevent such attacks and protect important systems from hackers like Black Basta.
A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.
The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.
Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.
Step-by-Step Breakdown of the Attack
The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.
Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.
After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.
The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.
Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.
To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.
Possible Links to a Bigger Ransomware Group
During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.
However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.
This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.
Cisco has issued a security warning about a newly identified vulnerability in its IOS XR Software. This security flaw, labeled CVE-2025-20138, has been rated 8.8 on the CVSS scale, meaning it poses a major risk to affected devices.
What Is the Problem?
The issue is found in the Command Line Interface (CLI) of Cisco’s IOS XR Software. If an attacker gains access to a system with limited user privileges, they can exploit this weakness to execute commands with the highest level of control. This would allow them to make major modifications to the system, potentially leading to severe security threats.
The root of the problem is improper validation of user inputs in certain CLI commands. Because the system does not correctly filter these inputs, attackers can manipulate it using carefully crafted commands. If successful, they can obtain full administrative access, giving them total control over the device.
Who Is Affected?
This vulnerability affects all configurations of Cisco IOS XR 64-bit Software. Users should check Cisco’s official security advisory to confirm if their specific version is vulnerable.
However, some Cisco software versions are confirmed to be unaffected, including:
IOS Software
IOS XE Software
IOS XR 32-bit Software
NX-OS Software
No Quick Fixes—Users Must Update Their Software
Cisco has stated that there are no temporary solutions or workarounds for this security flaw. The only way to protect affected systems is to install the latest software updates provided by Cisco.
The company has outlined which versions require updates:
1. Users running Cisco IOS XR Software Release 24.1 or earlier need to switch to a patched version.
2. Those using Release 24.2 should upgrade to version 24.2.21 when it becomes available.
3. Users on Release 24.3 must transition to a secure version.
Release 24.4 is not affected by this issue.
As of now, there have been no reports of hackers exploiting this flaw. However, because of the severity of the issue, users should not delay in updating their devices.
Cisco is urging all users running affected versions of IOS XR Software to review the security advisory and apply the necessary updates as soon as possible. Keeping software up to date is the only way to ensure systems remain protected from potential cyber threats.