New 'Brutus' Brute-Force Tool Targets Fortinet on Dark Web
A threat actor called RedTeam is selling a $1,500 credential-stuffing tool with built-in scanning, proxy rotation, and multi-protocol support aimed at enterprise VPN infrastructure.
A new brute-force attack tool called "Brutus" appeared on dark web markets this week, specifically advertising capabilities against Fortinet services. The tool, sold by a threat actor operating as "RedTeam" for $1,500, combines automated credential testing with reconnaissance features designed to identify vulnerable enterprise VPN infrastructure.
Dark Web Informer first spotted the listing on January 6. The $1,500 price point positions Brutus as a premium offering—suggesting the seller believes it delivers results worth paying for.
What Brutus Does
The tool targets remote access services that organizations expose to the internet, with Fortinet explicitly called out in marketing materials. According to the listing, Brutus supports:
Targeted Protocols:
- SSH (Secure Shell)
- RDP (Remote Desktop Protocol)
- VNC (Virtual Network Computing)
- Shell-based connections
Key Features:
- Built-in scanner that identifies exposed services and potential targets
- SOCKS and HTTP proxy support with automatic rotation to avoid IP-based blocking
- Cross-platform operation (Windows, Linux, macOS) via Go implementation
- Multiple credential input formats: URL:login:password, separate IP/login/password files
- On-the-fly combo generation to create credential variations automatically
The combination of scanning and attack capabilities means Brutus can both discover targets and attempt compromise in a single workflow. Attackers don't need separate tools for reconnaissance and exploitation.
Why Fortinet Gets Targeted
Fortinet's FortiGate firewalls and VPN concentrators protect enterprise perimeters worldwide. They're frequently the first thing an attacker encounters when probing a corporate network, and they're often the last line of defense before internal resources.
Successfully brute-forcing a Fortinet VPN grants direct network access. From there, attackers can move laterally, deploy ransomware, exfiltrate data, or establish persistent backdoors. The payoff for compromising perimeter security justifies the $1,500 tool investment many times over.
Fortinet devices have also been frequent vulnerability targets over the past year. Organizations that haven't patched promptly may have attackers already positioned inside their networks—but for those that have patched, credential-stuffing remains an effective alternative entry point. Fortinet's security products themselves keep catching CVEs—a critical unauthenticated RCE in FortiSIEM (CVE-2025-64155) was another reminder that security tools aren't immune.
The Credential-Stuffing Problem
Tools like Brutus capitalize on password reuse and weak authentication. When employees use the same password across multiple services, a breach anywhere becomes a key to everywhere. Public credential dumps from past breaches feed these attacks with millions of username/password combinations to try.
The rotating proxy feature specifically counters rate-limiting defenses. Organizations that block IPs after failed login attempts find their blocking ineffective when attacks come from thousands of different addresses. Brutus automates what manual attackers would find tedious: cycling through proxies to maintain attack velocity.
On-the-fly combo generation adds another layer. If a credential dump includes "jsmith:Summer2024", Brutus can automatically try "jsmith:Summer2025", "jsmith:Winter2024", and similar variations that users commonly create when forced to change passwords.
Defensive Measures
Organizations running Fortinet (or any exposed remote access service) should assume tools like Brutus will be used against them. Defense starts with making brute-force attacks impractical:
- Enforce multi-factor authentication - Credentials alone shouldn't grant access. MFA makes stolen passwords useless without the second factor.
- Implement account lockout policies - Temporary lockouts after failed attempts slow attacks, though sophisticated tools work around this by distributing attempts across time.
- Deploy rate limiting - Cap authentication attempts per source IP, per user, and globally. This won't stop distributed attacks completely but raises the cost.
- Monitor authentication logs - Look for patterns: failed attempts across many accounts, attempts from unusual geographies, authentication activity outside business hours.
- Use CAPTCHA or proof-of-work challenges - These impose computational costs that automated tools struggle with at scale.
- Consider passwordless authentication - Certificate-based or hardware token authentication eliminates the credential-stuffing attack surface entirely.
- Block known bad IP ranges - Threat intelligence feeds identify IP addresses associated with attack infrastructure. Proactive blocking reduces noise.
The Commercialization Trend
Brutus represents the ongoing professionalization of cybercrime tools. A $1,500 price tag implies customer support, updates, and perhaps even feature requests. The seller expects repeat customers who find the tool valuable enough to pay premium prices.
This commercialization lowers barriers for less technical attackers. Someone who couldn't write their own brute-force tool can buy one and start attacking within hours. The market rewards tool developers who make attacks easier, driving continued innovation in offensive capabilities.
For defenders, this means assuming attackers have access to sophisticated tooling regardless of their individual skill level. Security can't rely on attackers being unsophisticated when off-the-shelf tools handle the technical complexity.
Organizations should review their Fortinet configurations and authentication policies in light of tools explicitly designed to compromise them. The attackers buying Brutus will start using it immediately.