The People’s Republic of China (PRC) state-sponsored threat actors have been using a backdoor called BRICKSTORM to sustain long-term persistence on compromised systems, according to information released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments,” the agency said. “BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control.”
The custom implant, written in Go (Golang), essentially grants malicious actors interactive shell access to the system, enabling them to browse, upload, download, create, remove, and modify files.
The malware supports several command-and-control (C2) protocols, including HTTPS, WebSockets, and nested Transport Layer Security (TLS); it uses DNS-over-HTTPS (DoH) to hide its communications and blend in with regular traffic, and it offers SOCKS proxying to enable lateral movement. It is primarily used in attacks against governments and the information technology (IT) sector.
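The DoH evasion described above has a side effect that defenders can look for: a host that resolves names over DoH never asks the internal resolver, so its outbound HTTPS destinations have no matching internal DNS answer, and it often bootstraps by resolving the DoH resolver's own name over plain DNS. The following is an added example, not code from the article or from CISA, that runs that correlation over constructed DNS and flow records; the record formats, the internal address ranges, and the list of public DoH resolver names are assumptions for the sake of illustration.

```python
"""Correlate internal DNS answers with outbound HTTPS flows to surface
possible DoH usage. Added example with constructed data; not from CISA."""
from dataclasses import dataclass
import ipaddress


@dataclass
class DnsAnswer:
    ts: float      # seconds (constructed clock)
    client: str    # internal host that queried the resolver
    name: str      # queried name
    addr: str      # address returned in the answer


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


# Constructed sample records; public addresses are from documentation ranges.
DNS_LOG = [
    DnsAnswer(100.0, "10.0.0.5", "www.example.com", "203.0.113.80"),
    DnsAnswer(150.0, "10.0.0.9", "dns.google", "198.51.100.53"),
]

FLOWS = [
    Flow(105.0, "10.0.0.5", "203.0.113.80", 443),  # resolved internally: benign
    Flow(200.0, "10.0.0.9", "203.0.113.10", 443),  # no internal lookup seen: flagged
    Flow(220.0, "10.0.0.9", "10.0.0.20", 443),     # internal destination: skipped
    Flow(230.0, "10.0.0.5", "203.0.113.80", 80),   # not HTTPS: skipped
]

# Assumption: the organisation's own address space (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: public DoH resolver names the organisation wants to notice.
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_doh_indicators(dns_log, flows, window=3600.0):
    """Return findings of two kinds:
    - doh_bootstrap: a plain-DNS lookup of a known DoH resolver name
    - unresolved_https: an outbound HTTPS flow whose destination was not
      returned by the internal resolver to that client within `window` s
    """
    findings = []

    for ans in dns_log:
        if ans.name.lower().rstrip(".") in KNOWN_DOH_RESOLVERS:
            findings.append({"kind": "doh_bootstrap", "host": ans.client,
                             "name": ans.name, "ts": ans.ts})

    # Index answers per (client, address) so the check is per host, not global.
    answers = {}
    for ans in dns_log:
        answers.setdefault((ans.client, ans.addr), []).append(ans.ts)

    for fl in flows:
        if fl.dport != 443 or is_internal(fl.dst):
            continue
        seen = answers.get((fl.src, fl.dst), [])
        if not any(0 <= fl.ts - t <= window for t in seen):
            findings.append({"kind": "unresolved_https", "host": fl.src,
                             "dst": fl.dst, "ts": fl.ts})
    return findings


if __name__ == "__main__":
    for f in detect_doh_indicators(DNS_LOG, FLOWS):
        print(f)
```

Neither finding is proof of DoH on its own: hosts with hard-coded addresses, cached answers older than the window, or browsers with built-in DoH will all produce the same pattern, so the output is a triage list to be compared against the expected behaviour of each host.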
The cybersecurity agency did not disclose the number of affected government agencies or the nature of the stolen material. Chinese hacking groups have been targeting edge network devices to gain access to networks and cloud infrastructure, and this activity is another example of their continuous tactical innovation.
In 2024, Google Mandiant first reported BRICKSTORM in attacks connected to the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The malware’s use has been linked to two clusters: UNC5221 and a new China-nexus adversary identified by CrowdStrike as Warp Panda.
Mandiant and Google Threat Intelligence Group (GTIG) reported earlier in September that they had observed UNC5221 and other closely related threat activity clusters targeting legal services, software-as-a-service (SaaS) providers, business process outsourcers (BPOs), and technology sectors in the United States to distribute the malware.
According to CISA, one of the malware’s primary characteristics is its capacity to autonomously reinstall or restart itself through a self-monitoring mechanism, which allows it to keep operating despite any attempt to disrupt it.
In one instance discovered in April 2024, the threat actors are reported to have used a web shell to gain access to a web server within a company’s demilitarized zone (DMZ).
They then moved laterally to an internal VMware vCenter server and installed BRICKSTORM. Most details, such as the attack’s initial access vector and the time the web shell was deployed, remain unclear.
The attackers were found to have used this access to obtain service account credentials and then used Remote Desktop Protocol (RDP) to move laterally to a domain controller in the DMZ, where they obtained Active Directory data.
During the intrusion, the threat actors also obtained the login credentials of a managed service provider (MSP) account, which they used to pivot from the internal domain controller to the VMware vCenter server.
Additionally, according to CISA, the actors used Server Message Block (SMB) to move laterally from the web server to two jump servers and an Active Directory Federation Services (ADFS) server, from which they exfiltrated cryptographic keys. After gaining access to vCenter, the adversary was able to escalate their privileges and deploy BRICKSTORM.
