With the FBI issuing fresh warnings as dangerous ransomware groups continue to attack, using methods as diverse as posted extortion threats and fake CAPTCHA tests for initial access, a new report has revealed that some ransomware actors have added a worrying tool to their armory: automated brute-force attacks against enterprise VPNs and firewalls.
Ransomware Group Creates Automated VPN And Firewall Brute Force Attack Tool
Recently leaked chat logs from the Black Basta ransomware group have revealed many things, including that stolen passwords and 2FA codes are driving many attacks. That is not exactly a shocking revelation, it has to be said. Nor, for that matter, is the fact that these stolen credentials were used in brute-force credential-stuffing attacks against enterprise targets.
Newly published research by Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, however, has now confirmed “a previously unknown brute forcing framework,” that has been used by the Black Basta gang to automate the process of gaining access to enterprise VPNs and firewalls.
Having analyzed the source code, Büyükkaya was able to confirm that the primary capability of this tool is the “automated internet scanning and credential stuffing against edge network devices, including widely used firewalls and VPN solutions in corporate networks.” Calling the tool Bruted, based on its log-naming conventions, EclecticIQ analysts have assessed that the Black Basta ransomware group “targets edge network devices with credential-stuffing attacks, exploiting weak or reused credentials to gain an initial foothold for lateral movement, and ransomware deployment.” Bruted enables them, and just as significantly their affiliates who do the initial-access donkey work in threat campaigns, to automate and scale these attacks, “expanding their victim pool and accelerating monetization to drive ransomware operations.”
How Ransomware Actors Employ The Bruted Brute Force Tool
Written in PHP, the Bruted script applies separate brute-force logic for each targeted platform, using tailored user-agent strings, endpoint paths, and success checks so that its requests resemble those of the legitimate client and a valid login can be recognized automatically. “This broad coverage of VPN and remote-desktop products reflects a highly adaptable approach,” Büyükkaya said, “enabling attackers to systematically probe for weak or reused credentials across multiple enterprise environments.”
The EclecticIQ threat analysts were able to determine that among the known targets that the Bruted tool was configured to attack, the following vendors and technologies were present: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN.
The tool works by automating subdomain enumeration and IP resolution for any given domain, scanning for potentially valid hostnames and IP addresses. “It reports any discovered hosts back to a remote command-and-control endpoint,” Büyükkaya said. Bruted then fetches likely passwords from a remote server and combines them “with locally generated guesses” to perform bulk authentication attempts against the discovered hosts.
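The bulk authentication behaviour described above leaves a recognizable trace in the authentication logs of the targeted VPN or firewall: one source address failing against many different accounts within seconds, occasionally followed by a success when a reused or weak password lands. The following detector is an added example written for this article; it is not code from the EclecticIQ report or from the Bruted tool. It assumes a simplified, syslog-like log line format (real Fortinet, Cisco, GlobalProtect or NetScaler logs look different, so only the parser would need to change), and the sample log lines it runs over are constructed, not real telemetry.

```python
"""Detect password-spray / credential-stuffing bursts against edge devices
(VPN, firewall, RDWeb) from authentication logs.

Added example, not code from the EclecticIQ report or from the Bruted tool.
The log line format is assumed (simplified, syslog-like):
    <ISO-8601 timestamp> <device> src=<ip> user=<name> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_spray(events, window=timedelta(minutes=10), min_failures=10, min_users=5):
    """Flag source IPs that fail against many distinct usernames inside one
    time bucket: one source, many accounts, attempts seconds apart.

    Returns {src: {"bucket": start, "failures": n, "distinct_users": n,
                   "compromised": [users that succeeded from that src after
                                   the first failure]}}.
    Fixed buckets are used for clarity; a burst that straddles a bucket
    boundary is split, so production code should use a sliding window.
    """
    buckets = defaultdict(list)
    size = window.total_seconds()
    for e in events:
        key = (e["src"], int(e["ts"].timestamp() // size))
        buckets[key].append(e)

    alerts = {}
    for (src, bucket_no), evs in buckets.items():
        failures = [e for e in evs if e["result"] == "failure"]
        users = {e["user"] for e in failures}
        if len(failures) >= min_failures and len(users) >= min_users:
            first_failure = min(e["ts"] for e in failures)
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "success" and e["ts"] >= first_failure})
            alerts[src] = {
                "bucket": datetime.fromtimestamp(bucket_no * size, tz=timezone.utc),
                "failures": len(failures),
                "distinct_users": len(users),
                "compromised": compromised,
            }
    return alerts


def build_sample_log():
    """Constructed sample log, not real telemetry."""
    base = datetime(2025, 3, 10, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Spray from one source: 12 accounts in three minutes, then a hit on a reused password.
    for i in range(12):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} fortinet-sslvpn src=203.0.113.7 user=user{i:02d} result=failure")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} fortinet-sslvpn src=203.0.113.7 user=jsmith result=success")
    # Legitimate user: one typo, then success. Must not alert.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} fortinet-sslvpn src=198.51.100.20 user=ajones result=failure")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} fortinet-sslvpn src=198.51.100.20 user=ajones result=success")
    # Slow guesser hammering a single account: below the spray thresholds, so this detector stays quiet.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} cisco-anyconnect src=192.0.2.9 user=admin result=failure")
    return lines


def run_sample():
    events = [e for e in map(parse_line, build_sample_log()) if e]
    return detect_spray(events)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"ALERT {src}: {info['failures']} failures against "
              f"{info['distinct_users']} accounts; compromised={info['compromised']}")
```

Two caveats follow directly from how the tool is described. Because Bruted sends a user-agent string tailored to each platform, the user-agent alone is a weak signal and the detection has to rest on the failure pattern instead. And because the per-source threshold above is trivially evaded by spreading attempts across many source addresses, the same counts should also be kept per username (many failures for one account across sources) so that a distributed run against a single account still surfaces.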
To mitigate these attacks, Büyükkaya recommended ensuring that all edge devices are fully patched and up to date, that password and login policies are strengthened (since Bruted relies on weak or reused credentials, this means rejecting reused passwords and rate-limiting or locking out repeated failures), and that unnecessary services and features are disabled.