Chinese state-sponsored hackers are reportedly targeting VMware’s vCenter and ESXi servers using malware known as BRICKSTORM, which allows them to maintain long-term access within victim networks. This warning comes from a joint report issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and Canada’s Cyber Centre. The primary focus of these attacks appears to be organizations within government services, facilities, and the IT sector.
BRICKSTORM was first identified by researchers from Mandiant and Google’s Threat Intelligence Group back in September. They noted that the malware had remained undetected for an average of 369 days, infiltrating networks of U.S. legal service firms, SaaS providers, technology companies, and others. In one of the studied cases, attackers had established a backdoor within a VMware vCenter server that went unnoticed for more than 18 months, allowing extensive lateral movement across the network.
Attack Methodology
In the incidents examined, attackers initially compromised a public-facing web server; however, the specific method of this breach remains unknown. They subsequently deployed a web shell, functioning as a backdoor that permitted remote command execution on the server. From there, attackers extracted service account credentials, granting them access to domain controllers to copy the Active Directory database. They leveraged additional credentials associated with a managed service provider (MSP) to infiltrate a VMware vCenter server where they installed BRICKSTORM in the /etc/sysconfig/ directory.
Malware Functionality
According to CISA, NSA, and Canadian Cyber Centre analysts, some BRICKSTORM samples are designed to operate within virtualized environments, incorporating a virtual socket (VSOCK) interface for inter-VM communication and data exfiltration. The malware also monitors itself: if it detects that it is not running as intended, it reinstalls itself, and it blends its command-and-control (C2) communications with legitimate traffic.
BRICKSTORM enables attackers to browse the system’s file structure and execute shell commands, granting them complete control over the infected system. Its command dispatcher routes each incoming command to a dedicated handler according to the function requested, which helps it relay network traffic stealthily during lateral movement.
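The article notes that BRICKSTORM was installed under /etc/sysconfig/ on the vCenter server and that it reinstalls itself if it notices it is not running properly. The script below is an added example written for this article, not code from the advisory or from VMware: it is a simple hunt that walks a config directory and flags regular files that are ELF binaries or carry an executable bit, since /etc/sysconfig on a Linux appliance normally holds only plain-text configuration fragments. The directory name, the 400-day window, and the fixture built by demo() are assumptions and constructed test data, not indicators from the advisory.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# First four bytes of every ELF executable or shared object.
ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """Return True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_config_dir(root="/etc/sysconfig", recent_days=400):
    """Flag regular files under root that look out of place for a config directory.

    Returns a list of (path, reasons). The recent_days window is an assumption
    chosen to cover the ~369-day average dwell time quoted in the article; it
    only adds context to an existing hit and never suppresses one.
    """
    findings = []
    cutoff = time.time() - recent_days * 86400
    for path in Path(root).rglob("*"):
        try:
            st = path.lstat()
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, sockets, directories
        reasons = []
        if is_elf(path):
            reasons.append("ELF binary in config directory")
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            reasons.append("executable bit set")
        if reasons and st.st_mtime > cutoff:
            reasons.append("modified within %d days" % recent_days)
        if reasons:
            findings.append((str(path), reasons))
    return findings


def build_fixture(base):
    """Create a constructed /etc/sysconfig look-alike: one benign text
    fragment and one fake ELF dropped beside it (file names are made up)."""
    base = Path(base)
    (base / "network.conf").write_text("HOSTNAME=vcenter.example.test\n")
    fake = base / "constructed-binary"
    fake.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29)
    fake.chmod(0o755)
    return base


def demo():
    """Run the scan against a throwaway fixture and return the findings."""
    tmp = tempfile.mkdtemp(prefix="sysconfig-hunt-")
    build_fixture(tmp)
    return scan_config_dir(tmp)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real appliance, run it as root against the default root and review every hit by hand; a legitimate package may occasionally place a helper script there, so treat the output as a triage list rather than a verdict.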
Mitigation Recommendations
The advisory from CISA and other agencies shares several mitigation strategies:
- Upgrade VMware vSphere servers to the most recent versions.
- Apply best practices from VMware to enhance the security of vSphere environments.
- Conduct inventories of all network edge devices and monitor for suspicious network activity.
- Ensure proper network segmentation to restrict traffic between the DMZ and internal networks.
- Disable RDP and SMB from the DMZ to internal networks.
- Enforce the principle of least privilege for service accounts.
- Enhance monitoring of service accounts due to their elevated privileges.
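Two of the items above, segmenting the DMZ from internal networks and disabling RDP and SMB across that boundary, can be checked as well as enforced. The block below is an added example for this article, not code from CISA, NSA, or VMware: it parses constructed flow-log lines, reports any DMZ-to-internal connection on the SMB (445) or RDP (3389) port, and emits the matching nftables forward rule. The subnets, the log format, and the sample records are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed address ranges; replace with the real DMZ and internal prefixes.
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports the advisory says should not be reachable from the DMZ.
BLOCKED_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed flow records in a simple key=value format (not real traffic).
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z src=203.0.113.10 dst=10.1.2.3 proto=tcp dport=3389 bytes=5120
2024-01-01T10:00:05Z src=203.0.113.10 dst=10.1.2.4 proto=tcp dport=445 bytes=98304
2024-01-01T10:01:00Z src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=443 bytes=1024
2024-01-01T10:02:00Z src=203.0.113.10 dst=198.51.100.7 proto=tcp dport=445 bytes=300
"""


def parse_flow(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp lands in 'ts'."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[1:])
    fields["ts"] = tokens[0]
    return fields


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def find_dmz_to_internal_violations(text):
    """Return flows that cross DMZ -> internal on a blocked port."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        port = int(f["dport"])
        if (port in BLOCKED_PORTS
                and in_any(f["src"], DMZ_NETS)
                and in_any(f["dst"], INTERNAL_NETS)):
            hits.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "service": BLOCKED_PORTS[port]})
    return hits


def nft_block_rules(table="inet filter", chain="forward"):
    """Build nftables rules dropping the blocked ports from DMZ to internal."""
    ports = ", ".join(str(p) for p in sorted(BLOCKED_PORTS))
    rules = []
    for dmz in DMZ_NETS:
        for internal in INTERNAL_NETS:
            rules.append(
                f"nft add rule {table} {chain} ip saddr {dmz} "
                f"ip daddr {internal} tcp dport {{ {ports} }} drop"
            )
    return rules


if __name__ == "__main__":
    for hit in find_dmz_to_internal_violations(SAMPLE_FLOWS):
        print("VIOLATION", hit)
    for rule in nft_block_rules():
        print(rule)
```

The third sample record (internal to DMZ on 443) and the fourth (DMZ to a non-internal address) are deliberately left out of the results so the check demonstrates direction and destination matter, not just the port number.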
These measures are crucial to thwart risks posed by persistent threats like BRICKSTORM, especially given its stealth and capability for deep network infiltration.
For more information, you can refer to the following sources: