Contents
01. News Bites
- Black Basta deploys new brute-forcing tool to attack edge devices
- Zero-day flaw exploited by 11 nation-state hacking groups since 2017
- Over 300 malicious Android apps hit 60 million downloads in major adware campaign
- Education sector unprepared for rising cyberattacks, says new report
- Massive data breach in France: Millions at risk
02. Conclusion
Black Basta deploys new brute-forcing tool to attack edge devices
Cyber researchers have uncovered a previously unknown brute-forcing framework used by the Black Basta ransomware gang to compromise VPNs, firewalls, and other edge devices. Dubbed “BRUTED,” the tool was revealed in leaked private chat logs analysed by EclecticIQ. Active since 2023, BRUTED automates credential-stuffing attacks against widely used products from Cisco, Fortinet, Palo Alto, SonicWall, WatchGuard, Citrix, and Microsoft RDWeb.
The framework performs network scans, extracts SSL data, and generates password guesses using weak or reused credentials. According to EclecticIQ, BRUTED enables affiliates to scale attacks and accelerate ransomware deployment. Despite repeated industry warnings, many organisations still rely on insecure passwords for public-facing infrastructure.
Ironically, one brute-force attack may have exposed Black Basta’s own chats, after a member targeted a Russian bank, breaching an unspoken rule. The gang has also targeted 12 critical infrastructure sectors, with a focus on high-value victims less able to withstand downtime, such as healthcare and manufacturing.
Zero-day flaw exploited by 11 nation-state hacking groups since 2017
A newly exposed Windows zero-day vulnerability, tracked as ZDI-CAN-25373, has been actively exploited by at least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China since 2017. Despite widespread abuse, Microsoft has declined to patch the flaw, stating it "does not meet the bar for servicing."
According to Trend Micro’s Zero Day Initiative, the vulnerability involves how Windows displays .LNK shortcut files, allowing attackers to hide malicious code and execute it without user awareness. Nearly 1,000 exploitation samples were found, with threat groups using the flaw for cyber espionage and data theft, primarily targeting North America, Europe, East Asia, and Australia.
Groups such as APT43, Mustang Panda, and Evil Corp have used this technique to deploy malware like Ursnif, Gh0st RAT, and Trickbot.
Trend Micro warns the lack of a fix leaves systems exposed, urging organisations to remain vigilant against malicious shortcut files disguised with whitespace padding.
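As an added, defensive illustration (not Trend Micro's tooling and not part of the original bulletin): a minimal parser for the StringData section of a .LNK file that flags shortcuts whose command-line arguments begin with an abnormally long run of whitespace, the padding trick described above. The 32-character threshold and the two inert sample shortcuts (built inline, with no link target, so they launch nothing) are assumptions constructed here.

```python
import struct

# ShellLinkHeader is 0x4C bytes; LinkFlags live at offset 20 (MS-SHLLINK)
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_ARGUMENTS, IS_UNICODE = 1, 2, 4, 32, 128
# StringData fields in on-disk order, each present only when its flag bit is set
STRING_FIELDS = (("name", 4), ("relative_path", 8), ("working_dir", 16),
                 ("arguments", 32), ("icon_location", 64))
WHITESPACE = " \t\r\n\x0b\x0c"

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData section of a .LNK as {field: text}, skipping IDList and LinkInfo."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:  # CountCharacters (2 bytes) then the string, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def leading_padding(args: str) -> int:
    """Whitespace characters before the first visible argument character."""
    return len(args) - len(args.lstrip(WHITESPACE))

def is_padded_shortcut(data: bytes, threshold: int = 32) -> bool:
    """Flag a .LNK whose arguments open with an abnormally long whitespace run (threshold is assumed)."""
    return leading_padding(parse_lnk_strings(data).get("arguments", "")) >= threshold

def build_lnk(arguments: str, name: str = "") -> bytes:
    """Constructed minimal Unicode .LNK (header + StringData, no target, so it launches nothing)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
    header = struct.pack("<I", HEADER_SIZE) + clsid + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (name, arguments) if s)
    return header + body

# Constructed samples: an ordinary shortcut and one whose arguments are pushed out of view
BENIGN = build_lnk("/c echo hello", name="Notes")
PADDED = build_lnk(" " * 200 + "\t\r\n" * 30 + "/c placeholder-command", name="Invoice")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo before the strings; the parser skips both by their size fields, so it can be pointed at files collected from mail attachments or archives as well as at the constructed samples.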
Over 300 malicious Android apps hit 60 million downloads in major adware campaign
A massive Android malware campaign dubbed “Vapor” has infected over 60 million devices through more than 300 malicious apps on Google Play, according to new findings from IAS Threat Lab and Bitdefender. Initially reported in early 2024, the campaign’s scope has now grown to include 331 apps, with significant infections in Brazil, the US, Mexico, Turkey, and South Korea.
Disguised as utilities like QR scanners, fitness trackers, and note-taking apps, the malware bypassed Google’s review process by activating malicious features only after installation. These features included aggressive adware, credential phishing, and credit card data theft.
The apps used stealthy tactics such as disabling their own launcher icon and posing as legitimate apps like Google Voice. Bitdefender also found that the malware bypassed Android 13+ protections using overlays and hidden components.
Although the offending apps have been removed, researchers warn Vapor may resurface, and users are urged to vet apps carefully before installing.
Education sector unprepared for rising cyberattacks, says new report
Cyber security firm KnowBe4 has released a new report warning that schools and universities remain dangerously unprepared for escalating cyberattacks. Titled “From Primary Schools to Universities,” the study highlights how the education sector became the most targeted industry in 2024, with a sharp rise in data breaches and ransomware attacks.
According to the report, reliance on third-party vendors, outdated systems, and limited resources have left many institutions exposed. Data also showed 1,780 cyber incidents against educational institutions occurred in 2024, placing the sector in the top five globally for data breaches.
Trustwave also tracked 352 ransomware claims against schools last year, with phishing identified as the top method of initial access. However, the report shows that sustained security awareness training works—phishing susceptibility dropped from 33.4% to 3.9% in small institutions after a year of simulated testing.
Massive data breach in France: Millions at risk
A major cyber security breach in France has exposed the personal data of millions, now being sold on the dark web for €10,000 in cryptocurrency. The leaked information includes names, email and home addresses, phone numbers, marital status, and even nearby postal centres. To prove authenticity, the hacker—known as “Angel Batista”—has leaked data on 100,000 individuals for free.
The source of the breach remains unknown, though suspicions point to a government-run service or insurance provider. Victims are at serious risk of identity theft, phishing scams, and repeated resale of their data.
To stay protected, experts recommend enabling two-factor authentication, using unique and complex passwords, and never sharing personal or banking details via suspicious links or calls. Regularly check bank activity and, if in doubt, hang up and contact your bank directly using a separate device.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.