Black Basta ransomware group expands operations with BRUTED brute-forcing tool

Cybersecurity experts have uncovered a tool in the arsenal of the Black Basta ransomware group called “BRUTED” used to scale credential-stuffing and brute-force attacks.

Black Basta first emerged as a ransomware-as-a-service (RaaS) group in April 2022. The group employs double extortion tactics—encrypting victim data while threatening to release sensitive information unless a ransom is paid.

The BRUTED framework is designed to compromise edge networking devices used by businesses and individuals to secure remote connections. These devices, often located at the periphery of a network, include VPNs and firewalls, which have become prime targets for Black Basta's cybercriminal activities. Targeted products include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.

Black Basta leverages weak or reused credentials to gain unauthorized access. The BRUTED framework employs a multi-step attack process to identify and compromise edge network devices. It begins by enumerating subdomains, resolving their IP addresses, and building candidate hostnames from common prefixes such as “.vpn” or “remote”.

Once a potential target is identified, BRUTED retrieves a list of candidate passwords from a remote server and combines them with locally generated guesses. The framework then issues authentication requests from parallel CPU processes, allowing it to run rapid brute-force attacks. BRUTED also extracts the Common Name (CN) and Subject Alternative Names (SAN) from the SSL certificates of targeted devices, refining its guesses based on the organization's domain and naming conventions.

BRUTED utilizes a network of SOCKS5 proxies with seemingly benign domain names to hide the attacker's infrastructure.
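The two behaviours described above leave distinct traces in gateway authentication logs: the parallel brute-force phase produces bursts of failures from one source, while the SOCKS5 proxy network spreads a spray against one account across many sources that each stay under a per-IP threshold. The following detector, added here as an illustration and not code from the article or from any vendor's product, covers both patterns over a constructed sample log. The "timestamp source-IP username result" line format, the IP addresses and the usernames are all assumptions; real VPN and RDWeb logs differ per vendor and need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the article). One failure burst from a single
# source, followed by one-per-IP failures against "alice" from a pool of sources,
# then a successful login for "alice" from yet another address.
SAMPLE_LOG = """\
2025-03-14T10:00:01Z 198.51.100.7 alice FAIL
2025-03-14T10:00:02Z 198.51.100.7 bob FAIL
2025-03-14T10:00:03Z 198.51.100.7 carol FAIL
2025-03-14T10:00:04Z 198.51.100.7 dave FAIL
2025-03-14T10:00:05Z 198.51.100.7 erin FAIL
2025-03-14T10:00:06Z 198.51.100.7 frank FAIL
2025-03-14T10:00:10Z 203.0.113.10 alice FAIL
2025-03-14T10:00:40Z 203.0.113.11 alice FAIL
2025-03-14T10:01:10Z 203.0.113.12 alice FAIL
2025-03-14T10:01:40Z 203.0.113.13 alice FAIL
2025-03-14T10:02:10Z 203.0.113.14 alice FAIL
2025-03-14T10:02:40Z 203.0.113.15 alice FAIL
2025-03-14T10:03:00Z 192.0.2.50 alice OK
2025-03-14T10:03:30Z 192.0.2.51 bob FAIL
2025-03-14T10:03:35Z 192.0.2.51 bob OK
"""


def parse_log(text):
    """Parse the assumed '<ISO ts> <ip> <user> <OK|FAIL>' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result))
    events.sort()
    return events


def flag_single_source(events, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Brute force or credential stuffing from one IP: more than max_fail failures,
    or more than max_users distinct usernames, inside a sliding time window.
    Returns {ip: {"failures": n, "distinct_users": m}} with the worst window seen."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) > max_fail or len(users) > max_users:
                cur = alerts.setdefault(ip, {"failures": 0, "distinct_users": 0})
                cur["failures"] = max(cur["failures"], len(span))
                cur["distinct_users"] = max(cur["distinct_users"], len(users))
    return alerts


def flag_distributed(events, window=timedelta(minutes=5), min_sources=4, max_per_source=2):
    """Spray through a proxy pool: one account collects failures from at least
    min_sources different IPs, each of which stays at or under max_per_source
    attempts and so would slip past the single-source rule. Returns {user: [ips]}."""
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    alerts = {}
    for user, fails in by_user.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_ip = defaultdict(int)
            for _, ip in fails[start:end + 1]:
                per_ip[ip] += 1
            quiet_sources = [ip for ip, n in per_ip.items() if n <= max_per_source]
            if len(quiet_sources) >= min_sources:
                alerts.setdefault(user, set()).update(quiet_sources)
    return {user: sorted(ips) for user, ips in alerts.items()}


def successes_after_spray(events, sprayed):
    """Successful logins for accounts that were being sprayed: the sessions a
    responder should review first, since a valid credential may have been found."""
    return [(ts.isoformat(), ip, user) for ts, ip, user, result in events
            if result == "OK" and user in sprayed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source:", flag_single_source(evs))
    sprayed = flag_distributed(evs)
    print("distributed:", sprayed)
    print("review:", successes_after_spray(evs, sprayed))
```

The single-source rule catches the parallel brute-force phase on its own; the per-account rule is what surfaces the proxied spray, because every address in the pool stays at one attempt. The thresholds are placeholders to tune against a baseline of legitimate failure rates on the gateway in question.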

Leaked internal chat logs from the Black Basta ransomware group revealed information about operational struggles, including server downtime due to unpaid fees. However, the servers were renewed for another three months by an individual known as @GG, who is identified as Black Basta's leader. @GG, previously known by the alias "tramp," is a former affiliate of the infamous Conti Ransomware-as-a-Service (RaaS) group.

The leaked logs also indicate that the servers used by Black Basta are registered under Proton66 (AS 198953) and located in Russia. This choice is likely part of an operational security (OPSEC) strategy designed to evade scrutiny from Western law enforcement agencies. By operating within Russian territory, the group can conduct its cybercrime activities with relative impunity, given the country's history of limited cooperation with international law enforcement efforts.
