The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People’s Republic of China (PRC) to maintain long-term persistence on compromised systems.
“BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments,” the agency said. “BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control.”
Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files
The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement.
The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures.
In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not “encourage, support or connive at cyber attacks.”
BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda.
Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware.
A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption.
In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization’s demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed.
The attackers have also been found to leverage the access to obtain service account credentials and laterally move…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
