Cybersecurity Today: Black Basta's New Automated Brute Force Tool
Episode Release Date: March 17, 2025
Host: Jim Love
Black Basta Ransomware Group Introduces "Bruted"
In the latest episode of Cybersecurity Today, host Jim Love delves into the evolving threats posed by the Black Basta ransomware group. Love explains that Black Basta has developed an automated brute force framework named Bruted, designed to penetrate edge networking devices such as firewalls and Virtual Private Networks (VPNs). This tool significantly enhances their capability to conduct ransomware attacks by streamlining initial network access.
Jim Love [02:15]: "Bruted has been in operation since 2023, conducting large-scale credential stuffing and brute force attacks on various VPN and remote access products."
Bruted targets a range of products, including SonicWall NetExtender, Palo Alto Networks GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RD Web (Remote Desktop Web Access), and WatchGuard SSL VPN. The framework first identifies publicly accessible devices through subdomain enumeration, IP resolution, and keyword prefixing (e.g., "vpn" or "remote"). It then retrieves password candidates from a remote server, combines them with locally generated guesses, and fires authentication requests in parallel. To evade detection, Bruted routes its traffic through a list of SOCKS5 proxies, masking the attackers' infrastructure, which is predominantly located in Russia and registered under the provider Proton66.
Defensive Measures:
Jim emphasizes the importance of robust cybersecurity practices to defend against such brute force attacks:
- Strong, Unique Passwords
- Multi-Factor Authentication (MFA)
- Monitoring Authentication Attempts
- Implementing Rate Limiting and Account Lockout Policies
- Prompt Security Updates
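The "monitoring" and "rate limiting" items above are worth making concrete, because a tool that rotates SOCKS5 proxies defeats the obvious per-IP lockout: each proxy address sends only a few guesses, so the campaign only shows up when failures are correlated per account across sources. The Python script below is an added example (not code from the podcast, from Black Basta, or from any vendor). It parses a constructed, hypothetical VPN authentication log and applies three rules: a burst of failures from one source, one account failing from several sources, and a success that follows a run of failures. The line format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real appliance). The line format is an
# assumption for this example:
#   "<UTC timestamp> vpn-auth src=<ip> user=<name> result=<ok|fail>"
# 203.0.113.10 hammers one account from a single address (classic brute force).
# 198.51.100.21-24 spread their guesses for "admin" over a proxy pool, one guess
# per address, which is how proxy rotation slips under per-IP lockout.
# alice is an ordinary typo followed by a normal login.
SAMPLE_LOG = """\
2025-03-15T02:00:01Z vpn-auth src=203.0.113.10 user=jsmith result=fail
2025-03-15T02:00:02Z vpn-auth src=203.0.113.10 user=jsmith result=fail
2025-03-15T02:00:03Z vpn-auth src=203.0.113.10 user=jsmith result=fail
2025-03-15T02:00:04Z vpn-auth src=203.0.113.10 user=jsmith result=fail
2025-03-15T02:00:05Z vpn-auth src=203.0.113.10 user=jsmith result=fail
2025-03-15T02:01:00Z vpn-auth src=198.51.100.21 user=admin result=fail
2025-03-15T02:03:30Z vpn-auth src=198.51.100.22 user=admin result=fail
2025-03-15T02:06:10Z vpn-auth src=198.51.100.23 user=admin result=fail
2025-03-15T02:08:45Z vpn-auth src=198.51.100.24 user=admin result=ok
2025-03-15T02:09:00Z vpn-auth src=192.0.2.7 user=alice result=fail
2025-03-15T02:09:20Z vpn-auth src=192.0.2.7 user=alice result=ok
this line is not an authentication event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_events(text):
    """Parse log text into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=10), src_threshold=5,
           spray_sources=3, fails_before_success=3):
    """Return (rule, subject, detail) findings. Thresholds are illustrative assumptions."""
    findings = []
    src_fails = defaultdict(list)   # src ip -> failure timestamps inside the window
    user_fails = defaultdict(list)  # user -> (timestamp, src) failures inside the window
    flagged_src, flagged_user = set(), set()

    for ts, src, user, result in events:
        cutoff = ts - window
        if result == "fail":
            # Rule 1: many failures from one address (what per-IP lockout catches).
            src_fails[src] = [t for t in src_fails[src] if t >= cutoff] + [ts]
            if len(src_fails[src]) >= src_threshold and src not in flagged_src:
                flagged_src.add(src)
                findings.append(("per_source_burst", src, len(src_fails[src])))

            # Rule 2: one account failing from several addresses (proxy rotation).
            user_fails[user] = [(t, s) for t, s in user_fails[user] if t >= cutoff] + [(ts, src)]
            sources = {s for _, s in user_fails[user]}
            if len(sources) >= spray_sources and user not in flagged_user:
                flagged_user.add(user)
                findings.append(("distributed_spray", user, len(sources)))
        else:
            # Rule 3: a success right after a run of failures is a guessed credential
            # until proven otherwise; this is the one to escalate, not just log.
            recent = [t for t, _ in user_fails[user] if t >= cutoff]
            if len(recent) >= fails_before_success:
                findings.append(("success_after_failures", user, src))
    return findings


def run_sample():
    """Run the detector over the constructed log; used by the usage below."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, subject, detail in run_sample():
        print(f"{rule:24} {subject:16} {detail}")
```

On the constructed log the script flags 203.0.113.10 for the burst, the "admin" account for being sprayed from three addresses, and the subsequent "admin" success from a fourth address. Only the first of those would be caught by a per-IP lockout; the second and third require keeping state per account, which is the check to add when the attacker is known to rotate proxies.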
Medusa Ransomware: A Double Extortion Threat
The episode also covers the ongoing threat from the Medusa ransomware, active since 2021. Medusa has compromised over 300 organizations across critical sectors, including healthcare, education, legal, insurance, technology, and manufacturing.
Jim Love [10:45]: "Medusa operates on a double extortion model. It encrypts a victim's data and threatens to publicly release it unless a ransom is paid."
Medusa gains access primarily through phishing emails and exploiting unpatched software vulnerabilities. Notably, the group maintains a data leak site listing victims with countdowns for data release, offering to delay the timer for a $10,000 cryptocurrency payment.
Mitigation Strategies:
Jim reiterates recommendations from the FBI and CISA:
- Implement Multi-Factor Authentication
- Regularly Update Systems
- Maintain Secure Backups
- Avoid Paying Ransoms: "The FBI and CISA both advise against paying ransoms, as payment does not guarantee the recovery of files and may encourage further criminal activity."
Victims are urged to report ransomware incidents promptly to the FBI or CISA.
Critical Vulnerability in WordPress's UpdraftPlus Plugin
Attention is drawn to a significant security flaw in the UpdraftPlus plugin, a widely used backup solution for WordPress websites with over 3 million active installations.
Jim Love [15:30]: "This flaw potentially allows unauthorized users to have access to sensitive backup files, posing substantial risks to affected sites."
The vulnerability arises from inadequate access controls, enabling users with lower privileges to download backups intended for administrators. These backups may contain critical information, including database credentials and user data, which could be exploited by malicious actors.
Protective Actions:
Organizations are advised to:
- Update the Plugin Immediately
- Review User Permissions
- Monitor Site Activity and Logs for Unusual Behavior
Jim warns, "Don't restore even test versions of sites until you've dealt with this issue," highlighting the urgency of addressing the vulnerability.
Surge in Toll Payment Scams
Jim reports a significant increase in toll payment scams, with over 2,000 incidents recorded in a single month. These fraudulent messages mimic legitimate toll agencies, enhancing their credibility to deceive drivers.
Jim Love [20:10]: "The Illinois Tollway advises they don't send unsolicited text messages requesting payment."
Authorities from several states, including California, have issued warnings. The FBI and FTC recommend:
- Avoid Clicking on Links in Suspicious Messages
- Verify Text Requests Through Official Channels
- Use Your Phone's Report Junk Feature or Forward the Message to 7726 (SPAM)
Jim emphasizes, "Don't respond even with the classic stop message. This only lets the scammers know that you're a valid number," underscoring the importance of vigilance against such scams.
Microsoft’s March 2025 Security Update: Critical Vulnerabilities Addressed
The episode highlights Microsoft's March 2025 security update, which addresses two critical remote code execution vulnerabilities in Windows Remote Desktop Services (RDS).
Jim Love [25:00]: "CVE-2025-24035 is a vulnerability that arises from sensitive data being stored in improperly locked memory within RDS."
Both vulnerabilities, assigned a CVSSv3 score of 8.1, could allow attackers to execute arbitrary code, potentially leading to complete system compromise. These flaws affect multiple versions of Windows servers and desktops, making prompt patching essential.
Recommended Actions:
- Apply Security Patches Immediately
- Enable Network Level Authentication
- Restrict RDP Access Through Firewalls
- Utilize Strong Authentication Mechanisms
Jim stresses the importance of these updates: "Organizations should prioritize these updates to safeguard their systems against unauthorized access and potential attacks."
Issues with Microsoft’s Security Updates
Despite the critical nature of these updates, Jim voices concerns over reported problems with the latest Microsoft patch.
Jim Love [30:20]: "No sysadmin in this world wants to report I kept you safe by ensuring no one could use their computer."
He criticizes the delay in resolving update issues, suggesting that Microsoft's handling could lead to disaster if organizations wait to apply patches. Jim questions Microsoft's capability to promptly fix these issues, stating, "Couldn't one of them be getting their security updates out so they don't crash computers?"
Data Breach at DOGE: Unencrypted Treasury Data Exposure
The episode concludes with a troubling incident involving DOGE employees mishandling sensitive information. Court documents reveal that Marko Elez, a DOGE staff member, breached Treasury Department protocols by emailing unencrypted personal information to officials at the General Services Administration.
Jim Love [35:45]: "The spreadsheet contained names, transaction types, and monetary amounts. It did, in fairness, exclude sensitive identifiers like Social Security numbers."
Elez, previously associated with companies linked to Elon Musk, was rehired by the Social Security Administration after resigning from DOGE over racist social media posts. The same filings show he had been mistakenly granted read and write access to Treasury systems, a privilege that should have been restricted.
Jim raises critical questions about the security protocols at DOGE, highlighting the potential for unauthorized access and misuse of information. "Sending plain text emails just proves that they're not only inexperienced, they're sloppy," he remarks, underscoring the poor security practices that made the exposure possible.
Legal Implications:
Nineteen state attorneys general have filed a lawsuit against DOGE, accusing it of compromising the integrity of federal payment systems and undermining protocols designed to protect citizen data. Jim speculates on the international ramifications, suggesting that nation-states such as North Korea, China, and Russia likely did not target DOGE directly but might exploit such weaknesses indirectly.
Conclusion
Jim Love wraps up the episode by emphasizing the continuous and evolving nature of cybersecurity threats. From sophisticated ransomware tools like Bruted to critical vulnerabilities in widely-used software and careless handling of sensitive data, the landscape remains perilous for organizations. He advocates for proactive security measures, comprehensive training, and immediate response to emerging threats to safeguard against potential breaches and attacks.
For more insights and updates on cybersecurity threats and defenses, stay tuned to Cybersecurity Today with host Jim Love.
