Ransomware Group Create Automated VPN and Firewall Brute Force Attack Tool

Recently leaked chat logs from the Black Basta ransomware group have revealed many things, including that passwords and stolen 2FA codes are driving many attacks. That is not exactly a shocking revelation, it has to be said. Nor, for that matter, is it a surprise that these stolen credentials were used in brute force credential-stuffing attacks against enterprise targets.

Newly Published Research Confirms Brute Forcing Framework

New research by Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, has now confirmed “a previously unknown brute forcing framework” that has been used by the Black Basta gang to automate the process of gaining access to enterprise VPNs and firewalls. The tool, called Bruted, does this by scanning for valid hostnames and IP addresses, and then using locally generated guesses to perform bulk authentication attempts.

How Ransomware Actors Employ the Bruted Brute Force Tool

The Bruted script is written in PHP and applies specialized brute-force logic for every individual attack platform, using tailored user-agent strings, endpoint paths, and success checks. The tool works by automating subdomain enumeration and IP resolution for any given domain to scan for potentially valid hostnames and IP addresses. It reports any discovered hosts back to a remote command-and-control endpoint, and then collates likely passwords from a remote server and combines them with locally generated guesses to perform bulk authentication attempts.

Targeted Vendors and Technologies

The tool is configured to attack a range of known targets, including SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN.

Mitigation Strategies

To mitigate these ransomware attacks, Büyükkaya recommended ensuring that all devices are fully patched and up to date, that password and login policies are strengthened, and that unnecessary services and features are disabled.
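The bulk authentication attempts described above leave a recognisable shape in gateway logs: many failures from one source across many usernames in a short window, sometimes followed by a success. The following detection logic is an added example, not code from the article or from EclecticIQ's research; the log format is constructed for illustration and does not match any vendor's real syntax.

```python
"""Flag bulk authentication attempts against a VPN/gateway portal.

Added example, not part of the original article. The log format below is
constructed: <timestamp> <source IP> <username> <FAIL|SUCCESS>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays five usernames in seconds and
# then succeeds; a second source shows a normal retry-then-login pattern.
SAMPLE_LOG = """\
2025-03-14T10:00:01Z 203.0.113.7 alice FAIL
2025-03-14T10:00:02Z 203.0.113.7 bob FAIL
2025-03-14T10:00:03Z 203.0.113.7 carol FAIL
2025-03-14T10:00:04Z 203.0.113.7 dave FAIL
2025-03-14T10:00:05Z 203.0.113.7 erin FAIL
2025-03-14T10:00:06Z 203.0.113.7 frank SUCCESS
2025-03-14T10:05:00Z 198.51.100.9 alice FAIL
2025-03-14T10:30:00Z 198.51.100.9 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_bulk_auth(log_text, window=timedelta(minutes=5), fail_threshold=5, min_users=3):
    """Return one alert per source IP whose failures inside a sliding window reach
    fail_threshold across at least min_users distinct usernames. A SUCCESS from the
    same source at or after the burst start is recorded as a likely compromise."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, out in evs if out == "FAIL"]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - start <= window]
            if len(burst) >= fail_threshold and len(set(burst)) >= min_users:
                success_after = any(out == "SUCCESS" and ts >= start for ts, _, out in evs)
                alerts[ip] = {"failures": len(burst), "users": len(set(burst)),
                              "success_after_burst": success_after}
                break  # first qualifying burst is enough for this source
    return alerts
```

Thresholds are deliberately low for the sample; tune the window and counts to the portal's normal retry rate before using this on real logs.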

Conclusion

The rise of automated brute force attacks against enterprise VPNs and firewalls is a growing concern for organizations looking to protect themselves against ransomware attacks. The Bruted tool is a sophisticated piece of tooling that lets attackers gain initial access to target networks and then deploy ransomware. It is essential for organizations to stay vigilant and implement robust security measures to prevent these attacks.

Frequently Asked Questions

Q: What is the Bruted tool?
A: The Bruted tool is a PHP-based brute forcing framework used by the Black Basta ransomware group to automate the process of gaining access to enterprise VPNs and firewalls.

Q: What is the purpose of the Bruted tool?
A: The purpose of the Bruted tool is to automate the process of gaining access to enterprise VPNs and firewalls by scanning for valid hostnames and IP addresses, and then using locally generated guesses to perform bulk authentication attempts.

Q: What are the targeted vendors and technologies?
A: The targeted vendors and technologies include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN.
