- Researchers uncovered a brute-forcing tool called BRUTED
- It has been in use since 2023 against VPNs and firewalls
- BRUTED allows for automated brute-force and credential stuffing attacks
The infamous Black Basta ransomware actors created an automated framework for brute-forcing firewalls, VPNs, and other edge networking devices.
The “BRUTED” tool has apparently been in use for years, according to researchers at EclecticIQ, who have been sifting through the recently leaked Black Basta chat logs; the logs were uploaded to a custom GPT to make analysis easier.
Besides using it to analyze the group’s structure, organization, and activities, the researchers used it to identify the group’s tooling. BRUTED has apparently been in use since 2023 in large-scale credential stuffing and brute-force attacks. The targeted products include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN.
High confidence often leads to victimization
The tool first identifies potential victims by enumerating subdomains, resolving IP addresses, and prepending common host labels such as “vpn” or “remote” to the target’s domain. It then pulls a list of candidate login credentials, combines them with locally generated guesses, and fires off as many authentication requests as possible.
To narrow its candidate list down, BRUTED also extracts the Common Name (CN) and Subject Alternative Names (SAN) from the TLS certificates of the targeted devices, the researchers said.
Finally, to stay under the radar, BRUTED routes its traffic through a list of SOCKS5 proxies, although its backend infrastructure is apparently located in Russia. Proxy rotation also means that per-IP lockouts and rate limits on their own are unlikely to stop it, since each source address can be kept below a gateway’s failure threshold.
To protect against brute-force and credential stuffing attacks, businesses should make sure all their edge devices and VPN instances use strong, unique passwords of at least eight characters (longer passphrases are better) that mix uppercase and lowercase letters, numbers, and special characters. Uniqueness matters most against credential stuffing, which only works when a password leaked from one service is reused on another. They should also enforce multi-factor authentication (MFA) on every account that supports it, and adopt a zero-trust network access (ZTNA) model where possible.
Finally, monitoring the network for authentication attempts from unknown locations, and for bursts of failed login attempts, is an effective way to spot these attacks in progress.
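As an added illustration of that monitoring, here is a small Python detector (example code written for this page, not from EclecticIQ, Black Basta, or BleepingComputer) that runs over constructed VPN gateway log lines in a hypothetical syslog-style format and flags three patterns: one IP hammering one account, one IP cycling through many usernames, and one account attacked from many IPs, which is what proxy rotation looks like from the defender’s side. It also lists successful logins from countries outside an assumed allow-list; the country code is assumed to be attached by the gateway or a GeoIP enrichment step. The log format, thresholds, IP addresses, usernames and country codes are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical SSL VPN gateway log line; adapt this regex to a real product's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def _line(ts, result, user, src, geo):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} vpn-gw sslvpn: login {result} user={user} src={src} geo={geo}"


# Constructed sample log (not real traffic): three attack shapes plus two successful logins.
T0 = datetime(2025, 3, 10, 8, 0, 0)
SAMPLE_LOG = "\n".join(
    # 12 failures against one account from one IP inside two minutes: classic brute force
    [_line(T0 + timedelta(seconds=10 * i), "failed", "alice", "203.0.113.10", "NL") for i in range(12)]
    # one IP cycling through six usernames: credential stuffing (many users, few passwords)
    + [_line(T0 + timedelta(seconds=5 * i), "failed", u, "198.51.100.7", "US")
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    # one account hit once each from four proxy exits: stays under any per-IP threshold
    + [_line(T0 + timedelta(seconds=30 * i), "failed", "vpnadmin", f"198.51.100.{20 + i}", "US")
       for i in range(4)]
    + [_line(T0 + timedelta(minutes=3), "ok", "alice", "203.0.113.5", "DE"),
       _line(T0 + timedelta(minutes=4), "ok", "eve", "192.0.2.9", "RU")]
)


def parse(log_text):
    """Return one dict per parsable line, with `ts` converted to a datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Source IPs with >= threshold failed logins inside any sliding window.
    Returns {src: peak number of failures seen inside one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def find_credential_stuffing(events, min_users=5):
    """Source IPs that tried at least `min_users` distinct usernames."""
    users = defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
    return {src: len(u) for src, u in users.items() if len(u) >= min_users}


def find_distributed(events, min_sources=3):
    """Accounts with failed logins from >= `min_sources` distinct IPs.
    This is the per-account view that proxy rotation cannot hide."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "failed":
            sources[e["user"]].add(e["src"])
    return {user: len(s) for user, s in sources.items() if len(s) >= min_sources}


def find_unexpected_geo(events, expected=frozenset({"DE", "NL"})):
    """Successful logins from a country outside the assumed allow-list."""
    return [(e["user"], e["src"], e["geo"])
            for e in events if e["result"] == "ok" and e["geo"] not in expected]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute force   :", find_bruteforce(ev))
    print("stuffing      :", find_credential_stuffing(ev))
    print("distributed   :", find_distributed(ev))
    print("unexpected geo:", find_unexpected_geo(ev))
```

The sliding-window count in `find_bruteforce` is what a typical SIEM “N failures in M minutes” rule does, and it is the rule a proxy-rotating tool is built to slip past; the per-account check in `find_distributed` is the one to keep alongside it, because spreading guesses across SOCKS5 exits lowers the count per IP but not the count per targeted username.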
Via BleepingComputer