Black Basta ransomware group developed its own automated brute-forcing framework

📟 News

Date: 18/03/2025

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It’s used to hack edge network devices (e.g. firewalls and VPN).

Analysis of internal Black Basta chat logs that had leaked online in February 2025 revealed the existence of this malicious framework. BRUTED simplifies the initial access to networks for hackers and makes it possible to scale ransomware attacks on vulnerable endpoints. According to experts, Black Basta has been using BRUTED since 2023 to deliver massive credential-stuffing and brute-forcing attacks.

Source code analysis showed that the framework is specially designed to brute-force credentials in the following products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.

The framework discovers publicly accessible edge network devices that match its target list by enumerating subdomains, resolving IP addresses, and adding prefixes like vpn and remote. Information about matches is transmitted to the remote command-and-control server.

After identifying potential targets, the frameworks gathers password candidates from a remote server, combines them with locally generated guesses, and performs bulk authentication attempts using multiple CPU processes. Special query headers and tailored user-agent strings are used for each target device.

To generate additional password guesses, BRUTED extracts common names (CN) and Subject Alternative Names (SAN) from a target’s SSL certificate getCertDomainsList().

To avoid detection, the framework uses multiples SOCKS5 proxies (all from the domain fuck-you-usa[.]com) while performing high volume of brute-forcing requests. Its three servers are registered under Proton66 (AS 198953) and located in Russia.

Experts believe that tools like BRUTED make ransomware easier to operate; as a result, hackers infiltrate multiple networks with minimal effort, which accelerates monetization.

The key protection strategy against such threats involves strong and unique passwords for all edge devices and VPN accounts, as well as multifactor authentication (MFA) that blocks access even in situations when the credentials were compromised.

Related posts:
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet

All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…

Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims

According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…

Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years

Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…

Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud

ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members

The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →