
Ransomware Intruders Can Forcefully Gain Access to Your Virtual Private Networks (VPNs) and Firewalls via Brute Force Methods

Automated brute-force attacks on VPNs and firewalls are now within reach of hackers, escalating threats during ransomware campaigns.

Unveiling the Brutal Brute Force Attack: Ransomware's New Weapon


In an alarming turn of events, notorious ransomware gangs are upping their game with the use of automated brute force attacks against enterprise VPNs and firewalls. FBI warnings regarding increasingly aggressive ransomware attacks continue to circulate, as these groups employ a diverse arsenal of tactics, including posted extortion threats and fake CAPTCHA tests to infiltrate systems.

A recent revelation from leaked chat logs originating from the Black Basta ransomware group has exposed their increased reliance on stolen passwords and 2FA codes to launch their attacks. Though this is not entirely unexpected, their move to automate these attacks through the Bruted tool marks a significant development.

Analyzing the source code of the Bruted tool, cyber threat intelligence analyst Arda Büyükkaya of EclecticIQ has confirmed the tool's primary capability: automated internet scanning and credential stuffing against edge network devices such as firewalls and VPN solutions. Nicknamed Bruted after its log-naming conventions, the tool allows the Black Basta gang—and their affiliates—to run these attacks at scale, thereby broadening their victim pool and accelerating monetization.

Bruted: A Toolbox for Ransomware Attacks

Written in PHP, the Bruted script takes a highly adaptable approach, using brute-force logic tailored to each target platform to systematically probe for weak or reused credentials across multiple enterprise environments.

EclecticIQ threat analysts have identified the following vendors and technologies among the known targets of the Bruted tool: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN.
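The behaviour described above (one source trying many accounts against an internet-facing VPN gateway, or hammering a single account) leaves a recognisable pattern in gateway authentication logs. The following detector is an added example for this article, not code from EclecticIQ or from the Bruted tool: it parses a constructed, vendor-neutral log format (the `vpn-auth result=... user=... src=...` lines are invented for the example; adapt the regex to your gateway's real syslog output) and raises alerts for password-spray / credential-stuffing patterns, single-account brute force, and the event that matters most to an analyst: a successful login from a source that was just spraying. The thresholds and window are assumptions.

```python
"""Detect credential-stuffing and brute-force patterns in VPN gateway auth logs.

Added example for this article, not code from EclecticIQ or the Bruted tool.
The log format is constructed and vendor-neutral; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format per line:
# <ISO timestamp> vpn-auth result=<ok|fail> user=<name> src=<ip>
SAMPLE_LOG = """\
2025-03-14T09:00:01Z vpn-auth result=fail user=alice src=203.0.113.10
2025-03-14T09:00:02Z vpn-auth result=fail user=bob src=203.0.113.10
2025-03-14T09:00:03Z vpn-auth result=fail user=carol src=203.0.113.10
2025-03-14T09:00:04Z vpn-auth result=fail user=dave src=203.0.113.10
2025-03-14T09:00:05Z vpn-auth result=fail user=erin src=203.0.113.10
2025-03-14T09:00:06Z vpn-auth result=ok user=erin src=203.0.113.10
2025-03-14T09:01:00Z vpn-auth result=fail user=frank src=198.51.100.7
2025-03-14T09:01:30Z vpn-auth result=ok user=frank src=198.51.100.7
2025-03-14T09:05:00Z vpn-auth result=fail user=admin src=192.0.2.55
2025-03-14T09:05:10Z vpn-auth result=fail user=admin src=192.0.2.55
2025-03-14T09:05:20Z vpn-auth result=fail user=admin src=192.0.2.55
2025-03-14T09:05:30Z vpn-auth result=fail user=admin src=192.0.2.55
2025-03-14T09:05:40Z vpn-auth result=fail user=admin src=192.0.2.55
2025-03-14T09:05:50Z vpn-auth result=fail user=admin src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth result=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_stuffing(text, window=timedelta(minutes=5), spray_users=4, bruteforce_fails=5):
    """Return a list of alert dicts, in the order the triggering events occur.

    spray:               one source IP failing against >= spray_users distinct
                         accounts within `window` (credential stuffing / spray).
    bruteforce:          one (src, user) pair reaching bruteforce_fails failures
                         within `window` (classic single-account brute force).
    success_after_spray: a successful login from a source already flagged for
                         spraying; the most urgent event for an analyst.
    """
    fails_by_src = defaultdict(list)   # src -> [(ts, user)] within the window
    fails_by_pair = defaultdict(list)  # (src, user) -> [ts] within the window
    flagged_spray = set()
    alerts = []

    for ts, result, user, src in parse_lines(text):
        if result == "fail":
            # Slide the per-source window and count distinct accounts tried.
            recent = [(t, u) for t, u in fails_by_src[src] if ts - t <= window]
            recent.append((ts, user))
            fails_by_src[src] = recent
            distinct = {u for _, u in recent}
            if len(distinct) >= spray_users and src not in flagged_spray:
                flagged_spray.add(src)
                alerts.append({"type": "spray", "src": src, "users": sorted(distinct)})

            # Slide the per-(src, user) window; alert once, on the threshold hit.
            pair = (src, user)
            recent_pair = [t for t in fails_by_pair[pair] if ts - t <= window]
            recent_pair.append(ts)
            fails_by_pair[pair] = recent_pair
            if len(recent_pair) == bruteforce_fails:
                alerts.append({"type": "bruteforce", "src": src, "user": user,
                               "count": len(recent_pair)})
        elif src in flagged_spray:
            alerts.append({"type": "success_after_spray", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields three alerts: a `spray` from 203.0.113.10 once four distinct accounts have failed, a `success_after_spray` when that same source then logs in as `erin` (the case to escalate first, since it suggests a reused or stolen password worked), and a `bruteforce` against `admin` from 192.0.2.55 on the fifth failure. In production the same logic would feed a SIEM rule; the per-source distinct-user count is the signal that separates a stuffing campaign from an employee mistyping a password.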

To mitigate these ransomware attacks, Büyükkaya advises securing all devices with the latest patches, strengthening password and login policies, and disabling unnecessary services and features. In the face of evolving cyber threats, vigilance and robust security measures are more crucial than ever.

Your Next Steps: Fortifying Your Defenses

In today's digital landscape, it's essential to stay one step ahead of malicious actors. To fortify your defenses, consider the following measures:

  1. Patch Management: Ensure that all devices and systems are updated with the latest security patches, addressing known vulnerabilities that might be exploited by attackers.
  2. Strong Password Policies: Implement stringent password policies, requiring complex, unique passwords and regular changes. Enforce multi-factor authentication (MFA) wherever possible to add an additional layer of security.
  3. Disable Unnecessary Services: Remove or disable unnecessary services and features, reducing the attack surface for potential attackers.
  4. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address weaknesses in your network.
  5. Employee Training: Educate employees about cybersecurity best practices, including recognizing phishing attempts, maintaining good password hygiene, and adhering to company security policies.

In the face of escalating cyber threats, remaining vigilant and proactive is key to protecting your organization from ransomware attacks and other malicious activities. Stay informed, stay alert, and stay one step ahead.

  1. The Bruted tool, used by ransomware gangs like Black Basta, automates brute force attacks against VPNs and firewalls by employing specialized brute-force logic, increasing the scope of potential victims.
  2. To counteract the evolving threats posed by ransomware attacks, threat intelligence analyst Arda Büyükkaya suggests securing all devices with the latest patches, strengthening password and login policies, and disabling unnecessary services and features.
  3. As revealed by the EclecticIQ analysis of the Bruted tool, its target vendors and technologies include SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb, and WatchGuard SSL VPN, making it crucial for organizations to take proactive steps to secure these solutions.
