Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 795 of 2,445    |
|    Mike Powell to All    |
|    Infamous ransomware hacke    |
|    18 Mar 25 09:36:00    |
TZUTC: -0500
MSGID: 510.consprcy@1:2320/105 2c3ec05e
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

Infamous ransomware hackers reveal new tool to brute-force VPNs

Date:
Mon, 17 Mar 2025 15:46:00 +0000

Description:
Black Basta's leaked chat logs reveal brute-forcing tool called BRUTED, used
since 2023.

FULL STORY
======================================================================
 - Researchers uncovered a brute-forcing tool called BRUTED
 - It was used since 2023 against VPNs and firewalls
 - BRUTED allows for automated brute-force and credential stuffing attacks

The infamous Black Basta ransomware actors created an automated framework for
brute-forcing firewalls, VPNs, and other edge networking devices.

The BRUTED tool has apparently been in use for years now, according to
cybersecurity researchers EclecticIQ, who have been sifting through the
recently-leaked Black Basta chat logs, which were leaked and subsequently
uploaded to a GPT for easier analysis.

Besides being used to analyze the group's structure, organization, and
activities, researchers used it to identify the tools, too. Apparently,
BRUTED was in use since 2023 in large-scale credential stuffing and
brute-force attacks. The endpoints being targeted include SonicWall
NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN,
Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web
Access), and WatchGuard SSL VPN.

High confidence often leads to victimization

The tool first identifies potential victims by enumerating subdomains,
resolving IP addresses, and appending prefixes such as vpn, or remote. It
then pulls a list of potential login credentials and combines them with
locally generated guesses, executing as many requests as possible.

To narrow the list down, BRUTED extracts Common Name (CN) and Subject
Alternative Names (SAN) from the SSL certificates of targeted devices, as
well, the researchers said.

Finally, to remain under the radar, BRUTED uses a list of SOCKS5 proxies,
although its infrastructure is apparently located in Russia.

To protect against brute-force and credential stuffing attacks, businesses
should make sure all their edge devices and VPN instances have strong, unique
passwords, consisting of at least eight characters, both uppercase and
lowercase, numbers, and special characters. They should also enforce
multi-factor authentication (MFA) on all possible accounts, and apply the
zero-trust network access (ZTNA) philosophy, if possible.

Ultimately, monitoring the network for authentication attempts from unknown
locations, as well as for numerous failed login attempts, is a great way to
spot attacks.

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/infamous-ransomware-hackers-reveal-new-tool-to-brute-force-vpns

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
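
The monitoring advice that closes the story above, as an added example (not part of the original message or the quoted article): a detector for one time window of VPN authentication logs. Because the story says BRUTED spreads its requests over SOCKS5 proxies, it counts failures per account as well as per source address. The log format, thresholds, function names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any vendor's real one):
#   <timestamp> vpn-auth result=<ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(r"^\S+ vpn-auth result=(ok|fail) user=(\S+) src=(\S+)$")

def detect(lines, known_sources, fail_limit=5, user_limit=3, source_limit=3):
    """Return a set of alerts for one time window of log lines."""
    fails_by_src = defaultdict(int)   # failed attempts per source address
    users_by_src = defaultdict(set)   # distinct accounts tried per source
    srcs_by_user = defaultdict(set)   # distinct sources failing per account
    alerts = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # ignore lines in other formats
        result, user, src = m.groups()
        if result == "fail":
            fails_by_src[src] += 1
            users_by_src[src].add(user)
            srcs_by_user[user].add(src)
        elif src not in known_sources:
            alerts.add(("unknown_source_login", user, src))
    for src, count in fails_by_src.items():
        if count >= fail_limit:                    # one source, many failures
            alerts.add(("many_failures_from_source", src))
        if len(users_by_src[src]) >= user_limit:   # one source, many accounts
            alerts.add(("many_users_from_source", src))
    for user, srcs in srcs_by_user.items():
        if len(srcs) >= source_limit:              # guesses spread over proxies
            alerts.add(("many_sources_for_user", user))
    return alerts

def sample_lines():
    """Constructed sample window; addresses are documentation ranges."""
    t = "2025-03-17T15:46:00Z vpn-auth result={} user={} src={}"
    lines = [t.format("fail", "alice", "203.0.113.10") for _ in range(6)]
    lines += [t.format("fail", u, "203.0.113.20")
              for u in ("bob", "carol", "dave", "erin")]
    lines += [t.format("fail", "svc-backup", f"198.51.100.{i}")
              for i in range(1, 5)]
    lines.append(t.format("ok", "alice", "192.0.2.5"))
    lines.append(t.format("ok", "svc-backup", "198.51.100.9"))
    return lines

if __name__ == "__main__":
    for alert in sorted(detect(sample_lines(), known_sources={"192.0.2.5"})):
        print(alert)
```

In the sample, the four failures against svc-backup each come from a different address, so only the per-account counter catches them.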
(c) 1994, bbs@darkrealms.ca