Black Basta ransomware group developed its own automated brute-forcing framework

📟 News

Date: 18/03/2025

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It’s used to hack edge network devices (e.g. firewalls and VPN).

Analysis of internal Black Basta chat logs that had leaked online in February 2025 revealed the existence of this malicious framework. BRUTED simplifies the initial access to networks for hackers and makes it possible to scale ransomware attacks on vulnerable endpoints. According to experts, Black Basta has been using BRUTED since 2023 to deliver massive credential-stuffing and brute-forcing attacks.

Source code analysis showed that the framework is specially designed to brute-force credentials in the following products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.

The framework discovers publicly accessible edge network devices that match its target list by enumerating subdomains, resolving IP addresses, and adding prefixes like vpn and remote. Information about matches is transmitted to the remote command-and-control server.

After identifying potential targets, the frameworks gathers password candidates from a remote server, combines them with locally generated guesses, and performs bulk authentication attempts using multiple CPU processes. Special query headers and tailored user-agent strings are used for each target device.

To generate additional password guesses, BRUTED extracts common names (CN) and Subject Alternative Names (SAN) from a target’s SSL certificate getCertDomainsList().

To avoid detection, the framework uses multiples SOCKS5 proxies (all from the domain fuck-you-usa[.]com) while performing high volume of brute-forcing requests. Its three servers are registered under Proton66 (AS 198953) and located in Russia.

Experts believe that tools like BRUTED make ransomware easier to operate; as a result, hackers infiltrate multiple networks with minimal effort, which accelerates monetization.

The key protection strategy against such threats involves strong and unique passwords for all edge devices and VPN accounts, as well as multifactor authentication (MFA) that blocks access even in situations when the credentials were compromised.

Related posts:
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud

ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…

Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management

Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…

Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years

Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…

Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI

The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…

Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices

The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…

Full article →