Black Basta uses brute-forcing tool to attack edge devices


Dive Brief:

  • Black Basta’s private chat logs were leaked last month, revealing the strategies, tactics and targeted vulnerabilities that the notorious ransomware-as-a-service gang used over the last two years.

  • EclecticIQ researchers analyzed the chats and discovered a previously unidentified brute-forcing framework, dubbed “BRUTED,” that Black Basta threat actors have used since 2023 to target network edge devices like VPNs and firewalls.

  • Black Basta’s use of BRUTED suggests that many organizations continue to have weak and reused passwords for edge devices, which have become popular targets for a variety of cybercriminals and advanced persistent threat (APT) groups in recent years.

Dive Insight:

According to EclecticIQ’s analysis of BRUTED’s code, the framework conducts automated network enumeration and credential-stuffing attacks against widely used VPN and firewall products from vendors such as Cisco, Fortinet, Palo Alto Networks, SonicWall, WatchGuard and Citrix. Additionally, the tool can target Microsoft RDWeb instances that publish Remote Desktop Protocol applications.

BRUTED’s automated scans collect data on subdomains and IP addresses and extract SSL certificate data to generate password guesses for specific organizations, taking advantage of weak or reused credentials. Arda Büyükkaya, threat intelligence analyst at EclecticIQ, wrote in the analysis that the framework crafts appropriate HTTP/S requests, user-agent strings and POST data to resemble real VPN or RDP clients.
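The two behaviors described above, automated credential stuffing against a VPN endpoint and password guesses seeded from an organization’s public DNS and certificate data, each have a straightforward defender-side counterpart. The example below is added here and is not code from EclecticIQ’s report or from the article: the first function runs over constructed VPN authentication log lines and flags a source IP that produces many failed logins across many distinct usernames in a short window, which distinguishes automated stuffing from one user mistyping a password; the second flags a candidate password that is built around a token an attacker could harvest from a certificate subject or domain name. The log format, field names, IP addresses and certificate tokens are all constructed for the example.

```python
"""
Added example (not from the EclecticIQ report or the article): two defender-side
checks against the attack pattern the article describes.

1. detect_credential_stuffing(): scan VPN authentication log lines and flag any
   source IP with many failed logins across many distinct usernames inside a
   short window, the signature of automated credential stuffing.
2. derived_from_public_data(): flag a candidate password built around a token an
   attacker can harvest publicly (domain label, certificate CN/O), which is how
   the article says BRUTED seeds its guesses.

The log format, field names and sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> vpn-auth src=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source sprays five usernames in five seconds, then
# succeeds; two other sources show ordinary single failures.
SAMPLE_LOGS = """\
2025-03-01T10:00:01 vpn-auth src=203.0.113.7 user=alice result=fail
2025-03-01T10:00:02 vpn-auth src=203.0.113.7 user=bob result=fail
2025-03-01T10:00:03 vpn-auth src=203.0.113.7 user=carol result=fail
2025-03-01T10:00:04 vpn-auth src=203.0.113.7 user=dave result=fail
2025-03-01T10:00:05 vpn-auth src=203.0.113.7 user=erin result=fail
2025-03-01T10:00:06 vpn-auth src=203.0.113.7 user=frank result=ok
2025-03-01T10:00:30 vpn-auth src=198.51.100.4 user=alice result=fail
2025-03-01T10:00:45 vpn-auth src=198.51.100.4 user=alice result=ok
2025-03-01T11:30:00 vpn-auth src=192.0.2.9 user=bob result=fail
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """
    Sliding window per source IP: alert when one source produces at least
    `min_failures` failed logins against at least `min_users` distinct usernames
    within `window`. Returns {src_ip: sorted list of usernames tried}.
    """
    events = defaultdict(list)  # src -> [(ts, user)] for failures only
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "fail":
            events[rec["src"]].append((rec["ts"], rec["user"]))

    alerts = {}
    for src, fails in events.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the window spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def derived_from_public_data(password, org_tokens):
    """
    True if the password, lower-cased with digits and punctuation stripped,
    contains a token (4+ letters) that an attacker could read from DNS or a TLS
    certificate subject. `org_tokens` is supplied by the caller from the
    certificate CN / O fields and subdomain names.
    """
    core = re.sub(r"[^a-z]", "", password.lower())
    for tok in org_tokens:
        t = re.sub(r"[^a-z]", "", tok.lower())
        if len(t) >= 4 and t in core:
            return True
    return False


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOGS))
    # Tokens from a constructed certificate subject "CN=vpn.examplecorp.com, O=ExampleCorp"
    print(derived_from_public_data("ExampleCorp2024!", ["examplecorp", "vpn"]))
```

The `min_users` threshold is what separates stuffing from a locked-out user retrying: a single account failing five times is a help-desk ticket, five accounts failing from one address in five seconds is an automated client. The second check is the kind of rule an organization would add to its password policy for edge-device accounts, since a guess list seeded from the company name and domain is exactly what a scanner with the certificate in hand would try first.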

“BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations,” Büyükkaya wrote.

Black Basta’s brute-forcing tool indicates that weak password security on edge devices remains a lucrative attack vector for threat actors, despite numerous warnings and threat reports from both private companies and government agencies about increased threat activity against VPNs in recent years. In a blog post last month, Qualys noted that Black Basta actors often rely on default VPN credentials or brute-forcing stolen credentials for initial access.

Ironically, it may have been one such brute-force attack that led to the leak of Black Basta’s internal chats. According to several reports, an individual known as “ExploitWhispers” published the data after a Black Basta affiliate brute-forced a Russian bank and compromised its network. This apparently crossed a line, as many Russian-speaking cybercriminal groups avoid targeting organizations in the country.

Along with attacking edge devices, Black Basta has been known to target critical infrastructure organizations. In a joint cybersecurity advisory last year, CISA warned that the ransomware gang had attacked 12 of the 16 government-designated critical sectors, including the healthcare industry. EclecticIQ assessed that the ransomware gang also focused on the industrial machinery and manufacturing sectors, prioritizing high-value targets that cannot afford operational downtime and are more likely to pay ransoms.
