
Ransomware gang creates tool to automate VPN brute-force attacks


Jasper_The_Rasper
Moderator

March 14, 2025 By Bill Toulas

 


The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.

The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints.

The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang's leaked internal chat logs.

There have been several reports of large-scale brute-forcing and password spray attacks against those devices throughout 2024, some of which might be linked to BRUTED or similar-origin operations.

Automating brute-forcing

Büyükkaya says Black Basta has been using the automated BRUTED platform since 2023 to conduct large-scale credential-stuffing and brute-force attacks on edge network devices.

Analysis of the source code indicates that the framework was specifically designed to brute-force credentials on the following VPN and remote-access products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.

 

>>Full Article<<
