Infamous ransomware hackers reveal new tool to brute-force VPNs
Date:
Mon, 17 Mar 2025 15:46:00 +0000
Description:
Black Basta's leaked chat logs reveal brute-forcing tool called BRUTED, used since 2023.
FULL STORY ======================================================================
- Researchers uncovered a brute-forcing tool called BRUTED
- It was used since 2023 against VPNs and firewalls
- BRUTED allows for automated brute-force and credential stuffing attacks
The infamous Black Basta ransomware actors created an automated framework for brute-forcing firewalls, VPNs, and other edge networking devices.
The BRUTED tool has apparently been in use for years, according to cybersecurity researchers at EclecticIQ, who have been sifting through the recently leaked Black Basta chat logs; the leaked logs were uploaded to a GPT for easier analysis.
Besides using it to analyze the group's structure, organization, and activities, the researchers used it to identify the group's tools, too. BRUTED has apparently been in use since 2023 in large-scale credential stuffing and brute-force attacks. The endpoints targeted include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.
High confidence often leads to victimization
The tool first identifies potential victims by enumerating subdomains, resolving IP addresses, and appending prefixes such as "vpn" or "remote". It then pulls a list of potential login credentials and combines them with locally generated guesses, executing as many requests as possible.
To narrow the list down, BRUTED also extracts the Common Name (CN) and Subject Alternative Names (SAN) from the SSL certificates of targeted devices, the researchers said.
Finally, to remain under the radar, BRUTED uses a list of SOCKS5 proxies, although its infrastructure is apparently located in Russia.
To protect against brute-force and credential stuffing attacks, businesses should make sure all their edge devices and VPN instances have strong, unique passwords, consisting of at least eight characters, both uppercase and lowercase, numbers, and special characters. They should also enforce multi-factor authentication (MFA) on all possible accounts, and apply the zero-trust network access (ZTNA) philosophy, if possible.
Ultimately, monitoring the network for authentication attempts from unknown locations, as well as for numerous failed login attempts, is a great way to spot attacks.
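The monitoring advice above can be turned into a concrete check. The following script is an added example, not code from the article, EclecticIQ or any vendor: it parses a constructed, simplified VPN authentication log and flags the three patterns a defender would want to see, namely a burst of failures against one account (brute force), failures spread across many accounts from one source (credential stuffing or password spraying), and a successful login from a source that had just been failing or that sits outside known address ranges. The log format, the thresholds, and the "known" network ranges are all assumptions; real appliances each use their own syslog layout, so the regex would need adapting.

```python
"""Flag brute-force, credential-stuffing and unknown-location logins in
VPN/edge-device authentication logs.

Added example, not from the article or EclecticIQ. The log format, the
KNOWN_NETWORKS list and both thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real traffic). Documentation ranges only.
SAMPLE_LOG = """\
2025-03-17T10:00:01Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2025-03-17T10:00:02Z vpn-gw auth user=bob src=203.0.113.10 result=FAIL
2025-03-17T10:00:03Z vpn-gw auth user=carol src=203.0.113.10 result=FAIL
2025-03-17T10:00:04Z vpn-gw auth user=dave src=203.0.113.10 result=FAIL
2025-03-17T10:00:05Z vpn-gw auth user=erin src=203.0.113.10 result=FAIL
2025-03-17T10:00:06Z vpn-gw auth user=erin src=203.0.113.10 result=SUCCESS
2025-03-17T10:01:00Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:01:01Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:01:02Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:01:03Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:01:04Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:01:05Z vpn-gw auth user=admin src=203.0.113.77 result=FAIL
2025-03-17T10:02:00Z vpn-gw auth user=alice src=198.51.100.5 result=SUCCESS
2025-03-17T10:02:30Z vpn-gw auth user=bob src=192.0.2.9 result=FAIL
2025-03-17T10:02:31Z vpn-gw auth user=bob src=192.0.2.9 result=FAIL
not-a-log-line
"""

# Assumed simplified syslog layout; adapt the pattern to the real appliance.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Assumed corporate / expected egress ranges (constructed for the example).
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]

FAIL_THRESHOLD = 5        # failures from one source before we alert
SPRAY_USER_THRESHOLD = 3  # distinct usernames from one source => spraying


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_known_location(src):
    """True if the source address falls inside an expected network."""
    ip = ip_address(src)
    return any(ip in net for net in KNOWN_NETWORKS)


def analyze(events, fail_threshold=FAIL_THRESHOLD,
            spray_threshold=SPRAY_USER_THRESHOLD):
    """Walk events in order and produce a list of alert dicts."""
    fails = defaultdict(int)          # source -> failed attempts so far
    users_per_src = defaultdict(set)  # source -> usernames it failed on
    alerts = []
    for e in events:
        src, user = e["src"], e["user"]
        if e["result"] == "FAIL":
            fails[src] += 1
            users_per_src[src].add(user)
            continue
        # A success right after a burst of failures from the same source is
        # the strongest signal: a guess landed. Otherwise, a success from an
        # address outside the known ranges still deserves a look.
        if fails.get(src, 0) >= fail_threshold:
            alerts.append({"type": "success after repeated failures",
                           "src": src, "user": user, "ts": e["ts"],
                           "failures": fails[src]})
        elif not is_known_location(src):
            alerts.append({"type": "success from unknown location",
                           "src": src, "user": user, "ts": e["ts"]})
    # Volume-based alerts, classified by how many accounts were tried.
    for src, n in fails.items():
        if n >= fail_threshold:
            users = sorted(users_per_src[src])
            kind = ("credential stuffing / password spray"
                    if len(users) >= spray_threshold
                    else "brute force against one account")
            alerts.append({"type": kind, "src": src,
                           "failures": n, "users": users})
    return alerts


def run_sample():
    """Convenience entry point: analyze the constructed sample log."""
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately low so the sample triggers; in production they belong on a time window (failures per source per five minutes, say) and the "known location" test should be fed by the organization's own address inventory rather than a hard-coded list. Note that the spray classification keys on distinct usernames per source, which is exactly what distinguishes credential stuffing from a single-account brute force in the log.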
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/infamous-ransomware-hackers-reveal-new-tool-to-brute-force-vpns
$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)