- Researchers uncovered a brute-forcing tool called BRUTED
- It was used since 2023 against VPNs and firewalls
- BRUTED allows for automated brute-force and credential stuffing attacks
The infamous Black Basta ransomware actors created an automated framework for brute-forcing firewalls, VPNs, and other edge networking devices.
The “BRUTED” tool has apparently been in use for years now, according to cybersecurity researchers at EclecticIQ, who have been sifting through the recently leaked Black Basta chat logs, which were subsequently uploaded to a GPT for easier analysis.
Besides being used to analyze the group’s structure, organization, and activities, researchers used it to identify the group’s tools, too. Apparently, BRUTED has been in use since 2023 in large-scale credential stuffing and brute-force attacks. The endpoints being targeted include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.
High confidence often leads to victimization
The tool first identifies potential victims by enumerating subdomains, resolving IP addresses, and appending prefixes such as “vpn” or “remote”. It then pulls a list of potential login credentials and combines them with locally generated guesses, executing as many requests as possible.
To narrow the list down, BRUTED also extracts the Common Name (CN) and Subject Alternative Names (SAN) from the SSL certificates of targeted devices, the researchers said.
Finally, to remain under the radar, BRUTED uses a list of SOCKS5 proxies, although its infrastructure is apparently located in Russia.
To protect against brute-force and credential stuffing attacks, businesses should make sure all their edge devices and VPN instances have strong, unique passwords, consisting of at least eight characters, both uppercase and lowercase, numbers, and special characters. They should also enforce multi-factor authentication (MFA) on all possible accounts, and apply the zero-trust network access (ZTNA) philosophy, if possible.
Ultimately, monitoring the network for authentication attempts from unknown locations, as well as for numerous failed login attempts, is a great way to spot attacks.
Via BleepingComputer
This article is written by: Nermeen Nabil Khear Abdelmalak