Black Basta, a notorious ransomware group, has developed an automated brute-forcing tool called “BRUTED” to breach VPNs and internet-edge firewalls through credential-stuffing and brute-force attacks. The group targets organizations that use weak and reused passwords on VPNs and firewalls. Targeted products include:
- SonicWall NetExtender
- Palo Alto GlobalProtect
- Cisco AnyConnect
- Fortinet SSL VPN
- Citrix NetScaler
- Microsoft RDWeb
- WatchGuard SSL VPN
How the Attack Works
The attack starts with BRUTED scanning subdomains, IP addresses, and SSL certificate data to gather intelligence on potential targets. Using this reconnaissance, it automatically generates and tests possible credential combinations—often exploiting default or reused login details.
To stay under the radar, BRUTED routes its traffic through a network of SOCKS5 proxies to mask the origin of the attack. Once the attackers gain access, it’s a short path to ransomware deployment and full-blown compromise of the victim’s environment.
Why It Matters
This type of attack poses a serious threat to any organization with internet-exposed infrastructure. A successful breach can lead to data theft, service outages, reputational damage, and costly recovery efforts. Organizations relying on poor credential hygiene are especially at risk.
How to Stay Protected
Organizations can take the following steps to reduce their risk of falling victim to BRUTED and similar attacks:
- Enforce strong, unique passwords for all VPN and firewall logins
- Implement Multi-Factor Authentication (MFA) wherever possible
- Educate users about password security and phishing risks
- Patch and update VPNs and firewalls regularly to close known vulnerabilities
- Monitor for suspicious login attempts, especially from unfamiliar locations
- Track high-volume login failures, which may indicate a brute-force attempt
- Use rate limiting and account lockout policies to slow down attackers
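As an added illustration of the last three items above (example code written for this post, not from the original article or any vendor tool), here is a small Python detector run over a constructed VPN authentication log: it flags one source failing against many accounts (credential stuffing), one account failing from many sources (what rotating through a proxy pool looks like server-side), and a success that immediately follows a burst of failures. The log format, field names and thresholds are assumptions and would need adapting to a real appliance's syslog.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (generic syslog-like format, not from any real appliance).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn auth user=alice src=203.0.113.10 result=FAIL
2024-05-01T10:00:02Z vpn auth user=alice src=203.0.113.11 result=FAIL
2024-05-01T10:00:03Z vpn auth user=alice src=203.0.113.12 result=FAIL
2024-05-01T10:00:04Z vpn auth user=alice src=203.0.113.13 result=FAIL
2024-05-01T10:00:05Z vpn auth user=alice src=203.0.113.14 result=SUCCESS
2024-05-01T10:01:00Z vpn auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:01Z vpn auth user=carol src=198.51.100.7 result=FAIL
2024-05-01T10:01:02Z vpn auth user=dave src=198.51.100.7 result=FAIL
2024-05-01T10:01:03Z vpn auth user=erin src=198.51.100.7 result=FAIL
2024-05-01T10:30:05Z vpn auth user=grace src=192.0.2.9 result=SUCCESS
"""
LINE_RE = re.compile(r"(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")
def parse(text):
    """Parse log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events
def _many_distinct(events, key, other, window_s, n):
    """Keys whose failures inside some window_s-second span touch >= n distinct `other` values."""
    by_key = defaultdict(list)
    for e in sorted((x for x in events if x["result"] == "FAIL"), key=lambda x: x["ts"]):
        by_key[e[key]].append(e)
    hits = set()
    for k, evs in by_key.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if (e["ts"] - x["ts"]).total_seconds() <= window_s]
            if len({x[other] for x in recent}) >= n:
                hits.add(k)
    return hits
def _fail_then_success(events, window_s, n):
    """Accounts that logged in successfully right after >= n failures: likely a guessed password."""
    flagged = set()
    for e in (x for x in events if x["result"] == "SUCCESS"):
        prior = [x for x in events if x["user"] == e["user"] and x["result"] == "FAIL"
                 and 0 <= (e["ts"] - x["ts"]).total_seconds() <= window_s]
        if len(prior) >= n:
            flagged.add(e["user"])
    return flagged
def detect(events, window_s=300, n=4):
    """Run all three checks; thresholds are illustrative and must be tuned per environment."""
    return {
        # one source failing against many accounts: password spray / credential stuffing
        "spray_sources": _many_distinct(events, "src", "user", window_s, n),
        # one account failing from many sources: attacker rotating through a proxy pool
        "distributed_targets": _many_distinct(events, "user", "src", window_s, n),
        # a success right after a burst of failures: force a reset and check MFA enrolment
        "fail_then_success": _fail_then_success(events, window_s, n),
    }
```

Accounts in `fail_then_success` are the ones to act on first, since a login that succeeded after a burst of failures is the attacker's "short path" to the environment.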
Staying ahead of threat actors like Black Basta requires a proactive, layered defense. The best time to reinforce your access controls and monitoring capabilities is before the attackers come knocking.