The notorious Black Basta ransomware gang has developed a powerful tool designed to automate VPN brute-force attacks, intensifying their ability to compromise organizations worldwide.
Dubbed ‘BRUTED’, this framework streamlines how Black Basta gains initial access to networks, specifically targeting exposed VPNs and firewall devices connected to the internet. This advanced system allows them to scale their attacks with minimal manual effort, making it even easier to breach corporate networks.
Inside BRUTED: How Black Basta Scales VPN Brute-Force Campaigns
The discovery of BRUTED came to light after cybersecurity researcher Arda Büyükkaya from EclecticIQ examined leaked internal chat logs from the ransomware group. The findings reveal that Black Basta has relied on this tool since 2023 to automate massive credential-stuffing and brute-force attacks.
By targeting a range of remote access solutions, BRUTED is capable of breaking into some of the most commonly used VPN and firewall platforms, including:
- SonicWall NetExtender
- Palo Alto GlobalProtect
- Cisco AnyConnect
- Fortinet SSL VPN
- Citrix NetScaler (Citrix Gateway)
- Microsoft RDWeb (Remote Desktop Web Access)
- WatchGuard SSL VPN
The framework is designed to search for internet-exposed devices that match these targets by scanning subdomains, resolving their IP addresses, and appending keywords like “vpn” or “remote” to increase hit rates. Once potential victims are identified, BRUTED reports back to its command-and-control (C2) servers for further action.
Advanced Techniques Make BRUTED a Dangerous Ransomware Weapon
BRUTED isn’t just a simple brute-force tool. Its sophistication lies in how it handles password attacks. The tool fetches password combinations from remote servers while also generating local guesses based on common patterns.
Even more concerning, BRUTED analyzes SSL certificates from targeted devices to extract information such as the Common Name (CN) and Subject Alternative Names (SAN). This allows attackers to craft smarter password guesses tailored to the organization’s naming conventions.
Additionally, each VPN product is attacked using specific request headers and user agents, making the brute-force attempts harder to detect.
Hiding in Plain Sight: How Black Basta Avoids Detection
To mask their activities, Black Basta routes their attacks through SOCKS5 proxy servers with domains designed to disguise their true origin. These proxies act as an extra layer of protection, making it difficult for defenders to trace the real source of the attacks.
According to the report, most of Black Basta’s servers are located in Russia, operating under Proton66 (AS 198953). Interestingly, leaked chats reveal that the gang sometimes faces operational hiccups like server downtimes caused by unpaid fees—a rare peek into the realities of running ransomware operations.
How to Protect Against Ransomware VPN Brute-Force Attacks
With tools like BRUTED in play, ransomware attacks are becoming faster, more automated, and harder to prevent. However, businesses can strengthen their defenses with these critical steps:
- Enforce strong, unique passwords on all VPNs and remote-access systems.
- Implement multi-factor authentication (MFA) to stop attackers even if they obtain login credentials.
- Monitor login activity closely, especially for failed logins or access attempts from unusual locations.
- Apply rate-limiting and account lockout policies to slow down brute-force attempts.
- Regularly update all VPN and firewall devices to patch known vulnerabilities.
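The monitoring and lockout advice above is easier to act on with a concrete detection rule. The following Python script is an added example and is not code from the report or from EclecticIQ; it reads a constructed, generic syslog-style VPN authentication log (the line format is assumed for illustration, real products differ) and flags any source address that racks up many failed logins, or cycles through many distinct usernames, within a short sliding window, which is the footprint a credential-stuffing or brute-force framework leaves on a VPN gateway.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed generic syslog-style VPN auth format (illustrative only).
SAMPLE_LOG = """\
2025-03-10T08:00:01Z vpn-gw auth: user=jsmith src=203.0.113.5 result=FAIL
2025-03-10T08:00:03Z vpn-gw auth: user=admin src=203.0.113.5 result=FAIL
2025-03-10T08:00:04Z vpn-gw auth: user=vpn src=203.0.113.5 result=FAIL
2025-03-10T08:00:06Z vpn-gw auth: user=remote src=203.0.113.5 result=FAIL
2025-03-10T08:00:09Z vpn-gw auth: user=mlee src=203.0.113.5 result=FAIL
2025-03-10T08:00:10Z vpn-gw auth: user=mlee src=203.0.113.5 result=OK
2025-03-10T08:05:00Z vpn-gw auth: user=kchen src=198.51.100.7 result=FAIL
2025-03-10T08:05:30Z vpn-gw auth: user=kchen src=198.51.100.7 result=OK
2025-03-10T09:00:00Z vpn-gw auth: user=jsmith src=203.0.113.5 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"]


def find_bruteforce_sources(log_text, window=timedelta(minutes=10), max_failures=5, min_users=3):
    """Flag a source when, inside any sliding `window`, it reaches max_failures failed logins
    (classic brute force) or tries min_users distinct accounts (password spraying).
    Returns {source_ip: (failures_in_window, distinct_users_in_window)} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = events[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= max_failures or len(users) >= min_users:
                flagged[src] = max(flagged.get(src, (0, 0)), (len(span), len(users)))
    return flagged
```

On the sample log the single legitimate typo from 198.51.100.7 is ignored, while 203.0.113.5 is flagged for five failures across five accounts in under ten seconds; the same output can feed a firewall block list or an alert, and the thresholds should be tuned against a baseline of the gateway's normal failure rate.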
Additionally, EclecticIQ has released a list of malicious IP addresses and domains associated with BRUTED. Organizations should update their firewall rules to block traffic from these sources.
While BRUTED doesn’t rely on exploiting software vulnerabilities, its brute-force capability presents a serious threat to any organization exposing VPNs and remote-access tools online. As ransomware gangs continue to innovate, proactive cybersecurity practices remain the best defense against such evolving threats.