Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a time
Organizations, particularly those in the critical infrastructure, government services and facilities, and IT sectors, need to be wary of Brickstorm
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks.
Brickstorm is a custom Go-based backdoor delivered as an Executable and Linkable Format (ELF) binary. It gives attackers stealthy access and provides capabilities for initiation, persistence, and secure command and control (C2).
On start-up it runs a series of checks, and it maintains persistence through a self-watching function that automatically reinstalls or restarts the implant if it is disrupted.
For C2, Brickstorm uses multiple layers of encryption - HTTPS, WebSockets and nested Transport Layer Security (TLS) - to hide its communications with the cyber actors’ C2 server.
CISA warned it also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic.
For remote system control, it gives cyber actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files.
Meanwhile, some samples act as a SOCKS proxy, facilitating lateral movement and allowing cyber actors to compromise additional systems.
Jon Baker, VP of threat-informed defense at AttackIQ, warned Brickstorm "excels at remaining undetected within networks".
"The malware runs continuous health checks on itself, allowing it to reinstall and restart if tampered with, ensuring its continued operation," Baker explained. "All of this comes together to create a stealthy and resilient malware that can spread across networks and remotely take over entire systems."
Brickstorm malware used to target government, IT sectors
CISA warned China-linked threat actors are using the malware strain to target VMware vSphere platforms, mainly in the government and IT sectors. Once a platform is compromised, the actors use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and to create hidden, rogue VMs.
CISA said it had analyzed eight Brickstorm samples obtained from victim organizations, including one where it conducted an incident response engagement.
In this case, the agency said PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded Brickstorm malware to an internal VMware vCenter server.
They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromised the ADFS server and exported cryptographic keys. They used Brickstorm to retain persistent access until at least 3 September this year.
Gabrielle Hempel, security operations strategist at Exabeam, said a key concern with Brickstorm malware is that it’s “targeting control planes and not just endpoints”, making it a potent weapon in the hands of hackers.
"You’re seeing vSphere, vCenter, and authentication infrastructure being targeted, and this is strategic: once an adversary owns your hypervisor layer, your traditional EDR, NDR, and many SIEM tools become blind to this because the attacker is no longer living in normal host or network telemetry,” Hempel commented.
The US National Security Agency (NSA) is urging organizations — particularly those within critical infrastructure, government services and facilities, and IT — to use the indicators of compromise (IOCs) and detection signatures outlined in the report to detect Brickstorm backdoor activity and promptly report any compromise.
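As an added illustration of the kind of detection work the NSA and CISA are asking for, the following script is not part of the advisory or of this article, and it contains no Brickstorm indicators. It triages a forward-proxy log for the two C2 traits described above: DNS-over-HTTPS lookups (RFC 8484 uses the /dns-query path and the application/dns-message media type; the public resolver hostnames listed are real, but the list is only a starting point) and long-lived WebSocket sessions to destinations that almost no other client in the estate contacts. The log format, field names, thresholds, and sample lines are all constructed for the example.

```python
"""Added example, not from the CISA advisory or the ITPro article: triage a
forward-proxy log for DNS-over-HTTPS lookups and long-lived, rarely contacted
WebSocket sessions, two traffic traits the article attributes to Brickstorm C2.
The CSV layout, field names, thresholds and sample lines are constructed."""

import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Set

# Constructed sample of a forward-proxy log; the column layout is an assumption.
SAMPLE_LOG = """\
ts,src_ip,host,path,method,content_type,upgrade,duration_s,bytes_out
2025-12-01T10:00:00Z,10.0.1.5,updates.vendor.example,/patch.bin,GET,application/octet-stream,,3,8192
2025-12-01T10:00:05Z,10.0.1.5,dns.google,/dns-query,POST,application/dns-message,,1,90
2025-12-01T10:00:07Z,10.0.1.5,cdn-sync.example.net,/ws,GET,,websocket,7200,1048576
2025-12-01T10:01:00Z,10.0.2.9,mail.corp.example,/owa,GET,text/html,,2,4096
2025-12-01T10:02:00Z,10.0.2.9,cloudflare-dns.com,/dns-query,GET,application/dns-message,,1,120
2025-12-01T10:05:00Z,10.0.3.3,updates.vendor.example,/patch.bin,GET,application/octet-stream,,3,8192
"""

# Public DoH resolvers (real hostnames, a starting list only) plus the RFC 8484
# path and media type. Extend with your own allow/deny lists.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Thresholds are assumptions for the example; tune them to your environment.
LONG_WEBSOCKET_SECONDS = 3600   # a WebSocket held open for an hour or more
RARE_HOST_MAX_CLIENTS = 1       # destination seen from at most this many clients


@dataclass
class Finding:
    src_ip: str
    host: str
    reason: str


def parse_log(text: str) -> List[dict]:
    """Read the CSV proxy log into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def find_doh(rows: List[dict]) -> List[Finding]:
    """Flag requests that look like DNS-over-HTTPS by host, path or media type."""
    out = []
    for r in rows:
        if (r["host"] in DOH_HOSTS or r["path"] == DOH_PATH
                or r["content_type"] == DOH_MEDIA_TYPE):
            out.append(Finding(r["src_ip"], r["host"], "doh-lookup"))
    return out


def find_long_websockets(rows: List[dict]) -> List[Finding]:
    """Flag long-lived WebSocket upgrades to hosts that few clients ever contact."""
    clients_per_host: Dict[str, Set[str]] = {}
    for r in rows:
        clients_per_host.setdefault(r["host"], set()).add(r["src_ip"])
    out = []
    for r in rows:
        if (r["upgrade"].lower() == "websocket"
                and int(r["duration_s"]) >= LONG_WEBSOCKET_SECONDS
                and len(clients_per_host[r["host"]]) <= RARE_HOST_MAX_CLIENTS):
            out.append(Finding(r["src_ip"], r["host"], "long-rare-websocket"))
    return out


def triage(text: str) -> List[Finding]:
    """Run both checks over a proxy log and return the combined findings."""
    rows = parse_log(text)
    return find_doh(rows) + find_long_websockets(rows)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src_ip} -> {f.host}: {f.reason}")
```

On the constructed sample the script reports the two DoH lookups and the single two-hour WebSocket session from 10.0.1.5 to a host no other client talks to; the routine patch downloads and webmail traffic are left alone. Neither check is proof of compromise on its own, which is why the rarity test is combined with session length: a legitimate collaboration tool may hold WebSockets open for hours, but it is normally contacted by many clients, whereas a single vCenter appliance keeping one long session to an otherwise unknown host is worth a closer look alongside the advisory's IOCs.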
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.