EclecticIQ’s recent analysis reveals that the Black Basta ransomware group is using a brute-forcing tool called BRUTED to target edge devices. The tool automates attacks on popular VPN and firewall products from vendors like Cisco, Fortinet, and Citrix, as well as Microsoft RDWeb instances for RDP applications.
BRUTED conducts automated scans to gather data on subdomains and IP addresses, then attempts logins against the discovered services using weak or reused credentials. The tool mimics real VPN or RDP clients, allowing Black Basta affiliates to scale their attacks and increase the pool of potential victims.
Despite increased warnings about VPN threats, weak password security remains a significant issue. Qualys highlighted that Black Basta frequently relies on default or brute-forced credentials for initial access. Saeed Abbasi of Qualys emphasized the need for stronger password policies and better security practices to protect against these attacks.
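The credential attacks described above leave a recognisable trace in VPN or RDWeb authentication logs. The following detector is an added example, not code from EclecticIQ, Qualys or the article; the log line format, the sample entries and the thresholds are all constructed assumptions. It separates a password spray (one source, many usernames) from a single-account brute force and notes when a success follows the burst.

```python
"""Flag credential brute-force and password-spray bursts in VPN/RDWeb auth logs.
Added example; log format, sample data and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO time> <src_ip> <username> <SUCCESS|FAILURE>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (SUCCESS|FAILURE)$")

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect(lines, window=timedelta(minutes=10), min_failures=8, min_users=5):
    """Return {src_ip: verdict}. 'spray' = failures spread over many usernames,
    'brute_force' = failures concentrated on few usernames, inside `window`.
    '+success' marks a successful login from that source after the burst began."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAILURE"]
        start = 0
        for end in range(len(fails)):  # sliding window over failures only
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= min_failures:
                kind = "spray" if len({e[2] for e in burst}) >= min_users else "brute_force"
                hit = any(e[3] == "SUCCESS" and e[0] >= burst[0][0] for e in evs)
                verdicts[ip] = kind + ("+success" if hit else "")
                break
    return verdicts

# Constructed sample: a spray that lands a credential, a single-account brute force,
# one ordinary user mistyping a password twice, and a malformed line.
SAMPLE_LOG = (
    [f"2025-03-01T08:0{i // 2}:{(i % 2) * 30:02d} 203.0.113.7 user{i} FAILURE" for i in range(8)]
    + ["2025-03-01T08:04:00 203.0.113.7 user3 SUCCESS"]
    + [f"2025-03-01T08:{10 + i // 3}:{(i % 3) * 20:02d} 198.51.100.22 admin FAILURE" for i in range(9)]
    + ["2025-03-01T08:20:00 192.0.2.5 alice FAILURE", "2025-03-01T08:20:15 192.0.2.5 alice FAILURE",
       "2025-03-01T08:20:30 192.0.2.5 alice SUCCESS", "not a log line"]
)

def run_sample():
    return detect(SAMPLE_LOG)  # -> {'203.0.113.7': 'spray+success', '198.51.100.22': 'brute_force'}
```

Tune `window`, `min_failures` and `min_users` to the normal failure rate of your own gateway; the spray-plus-success verdict is the one that warrants an immediate credential reset.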
Interestingly, a brute-force attack may have led to the leak of Black Basta’s internal chats. Reports suggest that an affiliate compromised a Russian bank, violating the group’s usual rule of avoiding Russian targets.
Along with targeting edge devices, Black Basta has attacked critical infrastructure sectors, including healthcare, and continues to prioritize high-value targets like industrial machinery and manufacturing to maximize ransom payouts.