The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People’s Republic of China (PRC) to maintain long-term persistence on compromised systems.
“BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments,” the agency said. “BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control.”
Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files
The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement.
The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures.
In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not “encourage, support or connive at cyber attacks.”
BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda.
Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware.
A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption.
In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization’s demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed.
The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server.
CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges.
“BRICKSTORM uses custom handlers to set up a SOCKS proxy, create a web server on the compromised system, and execute commands on the compromised system,” it said, adding some artifacts are “designed to work in virtualized environments, using a virtual socket (VSOCK) interface to enable inter-VM [virtual machine] communication, facilitate data exfiltration, and maintain persistence.”
Warp Panda Uses BRICKSTORM Against U.S. Entities
CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022.
“Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments,” the company said. “Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks.”
Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively.
Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). GuestConduit, on the other hand, is a network traffic–tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors.
Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account “vpxuser.” The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts.
Some of the exploited vulnerabilities are listed below –
The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs.
Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests.
“Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity,” the company said. “They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository.”
Another significant aspect of Warp Panda’s activities is their focus on establishing persistence in cloud environments and accessing sensitive data. Characterizing it as a “cloud-conscious adversary,” CrowdStrike said the attackers exploited their access to entities’ Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange.
In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization’s network engineering and incident response teams.
The attackers have also engaged in additional ways to set up persistence, such as by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails.
“The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests,” CrowdStrike said.
