Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said. "
Analysis Summary
# Threat Actor: PRC State-Sponsored Threat Actors (Associated with UNC5221 and Warp Panda)
## Attribution & Identity
The threat actors are state-sponsored and attributed to the People's Republic of China (PRC).
**Known Aliases/Associated Groups:**
* UNC5221 (Tracked by Google Mandiant)
* Warp Panda (New China-nexus adversary tracked by CrowdStrike)
## Activity Summary
The actors deploy the sophisticated backdoor **BRICKSTORM** to maintain long-term persistence on compromised systems, particularly in VMware vSphere and Windows environments. The activity continues a tactical evolution among Chinese hacking groups: compromise edge network devices first, then use them to reach internal networks and cloud infrastructure. The actors prioritize stealth at every stage, from initial access through persistence to command-and-control. Initial access methods remain largely unknown, but in one documented case the actors compromised a web server in a DMZ, moved laterally to a VMware vCenter server, and implanted BRICKSTORM there.
## Tactics, Techniques & Procedures
- **Persistence/Evasion:** Utilizing the BRICKSTORM backdoor, which features a **self-monitoring function** allowing it to automatically reinstall or restart to maintain continuous operation.
- **Command and Control (C2):** Uses multiple protocols, including HTTPS, WebSockets, and nested TLS. Conceals the lookup of its C2 domains by resolving them over **DNS-over-HTTPS (DoH)**, so the queries bypass conventional DNS logging and resolution controls.
- **Lateral Movement:** Can act as a **SOCKS proxy** to facilitate lateral movement. In specific observed intrusions, actors used:
  - Remote Desktop Protocol (RDP) to move from a DMZ domain controller to acquire Active Directory information.
  - Server Message Block (SMB) to move from the initial web server to jump servers and an ADFS server.
- **Credential Access:** Obtained **service account credentials** and credentials for a **managed service provider (MSP) account** to facilitate internal pivoting.
- **Discovery/Exfiltration:** Exfiltrated cryptographic keys from an Active Directory Federation Services (ADFS) server.
- **Initial Foothold (Potential):** Documented use of a **web shell** to gain access to a DMZ web server.
- **Malware:** Deployment of **BRICKSTORM** (a Golang-based sophisticated backdoor).
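The RDP and SMB pivots listed above leave Windows Security event 4624 records on the target: LogonType 10 for RemoteInteractive (RDP) and LogonType 3 for network logons such as SMB sessions. The hunt below is an added example, not code from the CISA report or from any detection the agency published; the DMZ range, the tier-0 host names (DC01, ADFS01) and the sample events are constructed for it. It flags any 4624 of those two types whose source address lies in the DMZ and whose target is a domain controller or AD FS server.

```python
"""Hunt Windows Security 4624 logon events for the DMZ-to-tier-0 pivot
described in the TTP list: RDP (LogonType 10) or network/SMB (LogonType 3)
logons that originate in the DMZ and land on a domain controller or AD FS server.

Added example, not code from the CISA report. The DMZ range, the tier-0
host names and the sample events below are constructed for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass

# Assumption: the DMZ occupies 10.10.0.0/24; tier-0 assets are DC01 and ADFS01.
DMZ_NETS = [ipaddress.ip_network("10.10.0.0/24")]
TIER0_HOSTS = {"DC01": "domain controller", "ADFS01": "AD FS server"}

# Event ID 4624 LogonType values that carry the two techniques in the report.
LOGON_TYPES = {3: "network logon (SMB)", 10: "RemoteInteractive logon (RDP)"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source_ip: str
    target_host: str
    target_role: str
    account: str
    technique: str


def in_dmz(ip: str) -> bool:
    """True if the logon's source address is inside a DMZ range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # 4624 writes "-" when no network address applies
        return False
    return any(addr in net for net in DMZ_NETS)


def hunt(event_lines):
    """Return a Finding for every 4624 event that matches the pivot pattern."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue
        technique = LOGON_TYPES.get(ev.get("LogonType"))
        if technique is None:
            continue
        if not in_dmz(ev.get("IpAddress", "")):
            continue
        host = ev.get("Computer", "").split(".")[0].upper()
        role = TIER0_HOSTS.get(host)
        if role is None:
            continue
        findings.append(Finding(
            timestamp=ev["TimeCreated"],
            source_ip=ev["IpAddress"],
            target_host=host,
            target_role=role,
            account=f'{ev.get("TargetDomainName", "")}\\{ev.get("TargetUserName", "")}',
            technique=technique,
        ))
    return findings


# Constructed sample events in the JSON shape a log forwarder or SIEM export
# typically produces; field names follow the 4624 event schema.
SAMPLE_EVENTS = [
    # Admin workstation on the corporate LAN RDPs to DC01: not flagged.
    '{"TimeCreated": "2025-01-10T02:11:04Z", "EventID": 4624, "LogonType": 10, "Computer": "DC01.corp.example", "IpAddress": "10.20.0.5", "TargetDomainName": "CORP", "TargetUserName": "admin.jane"}',
    # DMZ web server opens an SMB session to ADFS01: flagged.
    '{"TimeCreated": "2025-01-10T02:13:48Z", "EventID": 4624, "LogonType": 3, "Computer": "ADFS01.corp.example", "IpAddress": "10.10.0.21", "TargetDomainName": "CORP", "TargetUserName": "svc-web"}',
    # Same DMZ host RDPs into DC01 with a second account: flagged.
    '{"TimeCreated": "2025-01-10T02:15:02Z", "EventID": 4624, "LogonType": 10, "Computer": "DC01.corp.example", "IpAddress": "10.10.0.21", "TargetDomainName": "CORP", "TargetUserName": "svc-msp"}',
    # Local service logon on the DC (LogonType 5): not flagged.
    '{"TimeCreated": "2025-01-10T02:15:30Z", "EventID": 4624, "LogonType": 5, "Computer": "DC01.corp.example", "IpAddress": "-", "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM"}',
    # DMZ host to a DMZ jump box: target is not tier-0, not flagged.
    '{"TimeCreated": "2025-01-10T02:16:11Z", "EventID": 4624, "LogonType": 3, "Computer": "JUMP01.dmz.example", "IpAddress": "10.10.0.21", "TargetDomainName": "DMZ", "TargetUserName": "svc-web"}',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.source_ip} -> {f.target_host} ({f.target_role}) "
              f"as {f.account}: {f.technique}")
```

The filter on the source address is what keeps the result set small: RDP and SMB logons to domain controllers are routine from admin subnets, but a DMZ web server should never initiate either toward tier-0. If the DMZ is not a clean subnet in your environment, key the check on the asset inventory instead of an IP range.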
## Targeting
- **Sectors:** Governments, Information Technology (IT), Legal Services, Software-as-a-Service (SaaS) Providers, Business Process Outsourcers (BPOs), and Technology sectors.
- **Geography:** U.S. systems are explicitly mentioned as targets.
- **Victims:** Affected organizations include government agencies and IT infrastructure providers. The activity has also been linked to exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in connection with previous Mandiant observations.
## Tools & Infrastructure
- **Malware Families Used:** BRICKSTORM (Custom backdoor written in Golang).
- **Infrastructure:** Utilizes C2/communications mechanisms that blend with normal traffic, including DoH, HTTPS, and WebSockets.
## Implications
The use of BRICKSTORM signals an ongoing tactical evolution among PRC-linked actors, emphasizing long-term, stealthy persistence within critical infrastructure environments (like VMware vSphere) and cloud settings. The complexity of the implant and its self-healing capability make detection and eradication difficult. Successful use of MSP accounts for lateral movement highlights risks associated with third-party vendor access.
## Mitigations
* Monitor VMware vSphere and Windows environments for signs of BRICKSTORM activity.
* Investigate and hunt for the BRICKSTORM binary, which is written in Golang.
* Review logs for anomalous use of RDP and SMB for lateral movement, particularly leading to domain controllers and ADFS servers.
* Ensure strong security controls around service and MSP account credentials to prevent leveraging them for internal network pivoting.
* Monitor outbound traffic from server environments for connections to public DoH resolvers and for WebSocket sessions, both characteristic of BRICKSTORM C2 and unusual for vSphere hosts and Windows servers.
* Investigate any initial compromise linked to web shell activity on exposed web servers, especially in DMZs.
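The network-monitoring mitigation above comes down to two questions per outbound record: is a server talking to a DoH resolver, and is a server initiating a WebSocket? The hunt below answers both over proxy or egress-firewall records. It is an added example, not code from the CISA report; the server ranges, the resolver list and the sample records are constructed and labelled as assumptions.

```python
"""Hunt outbound proxy / egress-firewall records for two BRICKSTORM C2 traits
named in the report: DNS-over-HTTPS resolver use and WebSocket sessions,
both originating from server subnets where neither is expected.

Added example, not code from the CISA report. The server ranges, the
resolver list and the sample records are constructed for illustration.
"""
import ipaddress
import json

# Assumption: vSphere management and Windows server ranges. Workstations are
# excluded on purpose: browsers use DoH legitimately, servers rarely do.
SERVER_NETS = [ipaddress.ip_network("10.50.0.0/16"),
               ipaddress.ip_network("10.60.0.0/24")]

# Assumption: an illustrative set of public DoH endpoints (Google, Cloudflare,
# Quad9). A production hunt should draw on a maintained resolver list.
DOH_ENDPOINTS = {
    "dns.google", "8.8.8.8", "8.8.4.4",
    "cloudflare-dns.com", "1.1.1.1", "1.0.0.1",
    "dns.quad9.net", "9.9.9.9", "149.112.112.112",
}
DOH_PATH = "/dns-query"  # RFC 8484 default DoH path


def from_server_net(ip: str) -> bool:
    """True if the record's source address is inside a server range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SERVER_NETS)


def classify(rec: dict) -> list[str]:
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons = []
    if not from_server_net(rec.get("src_ip", "")):
        return reasons
    # Match on hostname/SNI when the proxy logged one, otherwise on the IP.
    dst_names = {rec.get("dst_host", "").lower(), rec.get("dst_ip", "")}
    if dst_names & DOH_ENDPOINTS or rec.get("uri", "").startswith(DOH_PATH):
        reasons.append("DoH resolver contacted from server subnet")
    if rec.get("upgrade", "").lower() == "websocket":
        reasons.append("WebSocket upgrade initiated by server")
    return reasons


def hunt(lines):
    """Parse JSON records; return (src_ip, destination, reasons) for each hit."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src_ip"], rec.get("dst_host") or rec.get("dst_ip"), reasons))
    return hits


# Constructed sample records: one JSON object per outbound HTTPS connection,
# in the shape a TLS-inspecting proxy or NGFW export typically produces.
SAMPLE_RECORDS = [
    # vCenter appliance posting to Cloudflare's DoH endpoint: flagged.
    '{"src_ip": "10.50.1.10", "dst_host": "cloudflare-dns.com", "dst_ip": "104.16.248.249", "dst_port": 443, "method": "POST", "uri": "/dns-query", "upgrade": ""}',
    # Workstation using DoH in a browser: outside server ranges, not flagged.
    '{"src_ip": "10.20.0.5", "dst_host": "dns.google", "dst_ip": "8.8.8.8", "dst_port": 443, "method": "POST", "uri": "/dns-query", "upgrade": ""}',
    # Windows server fetching updates over plain HTTPS: not flagged.
    '{"src_ip": "10.60.0.12", "dst_host": "updates.example.net", "dst_ip": "203.0.113.40", "dst_port": 443, "method": "GET", "uri": "/catalog", "upgrade": ""}',
    # vCenter appliance upgrading a session to WebSocket: flagged.
    '{"src_ip": "10.50.1.10", "dst_host": "cdn-edge.example.org", "dst_ip": "198.51.100.7", "dst_port": 443, "method": "GET", "uri": "/ws", "upgrade": "websocket"}',
    # Windows server to a DoH resolver IP with no SNI logged: flagged via IP.
    '{"src_ip": "10.60.0.12", "dst_host": "", "dst_ip": "1.1.1.1", "dst_port": 443, "method": "CONNECT", "uri": "", "upgrade": ""}',
]

if __name__ == "__main__":
    for src, dst, reasons in hunt(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

Expect some tuning: a few legitimate server agents do use WebSockets, so baseline the flagged destinations before treating the WebSocket rule as high-fidelity. The DoH rule is stronger because vSphere appliances and Windows servers resolve through the internal resolver, and a server that reaches a public DoH endpoint by IP with no SNI is exactly the pattern that defeats DNS-based blocking.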