Ongoing intrusions by the People’s Republic of China (PRC) state-sponsored cyber actors use BRICKSTORM malware, the Cybersecurity and Infrastructure Security Agency (CISA) said.
BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments that allows cyber threat actors to maintain stealthy access to victim systems. CISA said the primary targets for the malware are organizations in the government services and facilities and information technology sectors. BRICKSTORM provides threat actors with the capability for initiation, persistence, and secure command and control. The malware uses advanced functionality, including multiple layers of encryption, DNS-over-HTTPS to conceal communications, and a SOCKS proxy to facilitate lateral movement and tunneling within victim networks.
BRICKSTORM also uses long-term persistence mechanisms including a self-monitoring function that automatically reinstalls or restarts the malware if disrupted.
Officials said the initial access vector varies; in one confirmed compromise, the actors accessed a web server inside the organization’s demilitarized zone and moved laterally to an internal VMware vCenter server to implant the BRICKSTORM malware.
Once the malware has obtained access to the victim systems, cyber actors can obtain and use legitimate credentials through system backups or by capturing the Active Directory database. Cyber actors then target VMware vSphere platforms to steal cloned virtual machine snapshots for credential extraction and create hidden rogue virtual machines to evade detection.
A joint report from CISA, the National Security Agency, and the Canadian Cyber Security Centre, the Malware Analysis Report BRICKSTORM Backdoor, analyzes the BRICKSTORM sample that CISA obtained during a recent incident response. The MAR also discusses other BRICKSTORM samples that exhibit variations in functionality and capabilities.
CISA recommends that network defenders look for existing intrusions by scanning for BRICKSTORM, block unauthorized DNS-over-HTTPS (DoH) and external DoH network traffic, inventory all network edge devices and monitor for suspicious network connectivity, and ensure proper network segmentation that restricts network traffic from the DMZ to the internal network.
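Two of those recommendations, flagging DoH from hosts that are not the sanctioned resolver and flagging DMZ-to-internal connections outside an allowlist, can be checked against flow records. The following is an added example, not code from CISA or the MAR; the network ranges, allowlists, and flow records are constructed, and the DoH resolver names and addresses are well-known public endpoints that you would extend with your own telemetry.

```python
import ipaddress
from typing import Dict, Iterable, List

# Hypothetical network layout (assumed for this example, not from the advisory).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # documentation range standing in for the DMZ
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# DMZ -> internal connections that are expected (dst_ip, dst_port); anything else is flagged.
DMZ_ALLOWED = {("10.0.30.7", 443)}
# Hosts permitted to speak DoH to the outside (e.g. the enterprise recursive resolver).
DOH_AUTHORIZED = {"10.0.5.53"}
# Well-known public DoH endpoints, matched by TLS SNI and by destination IP.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def classify_flow(flow: Dict) -> List[str]:
    """Return the rule names a single flow record violates (empty list if none)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    hits: List[str] = []
    # Rule 1: DoH from an unauthorized host. BRICKSTORM hides C2 inside DoH, so a
    # TLS/443 flow to a known resolver from anything but the sanctioned resolver is notable.
    looks_like_doh = flow["dport"] == 443 and (
        flow.get("sni") in DOH_SNI or flow["dst"] in DOH_IPS)
    if looks_like_doh and flow["src"] not in DOH_AUTHORIZED:
        hits.append("unauthorized-doh")
    # Rule 2: DMZ host reaching into the internal network outside the allowlist,
    # the path the advisory's confirmed case took from a DMZ web server to vCenter.
    if src in DMZ_NET and any(dst in net for net in INTERNAL_NETS):
        if (flow["dst"], flow["dport"]) not in DMZ_ALLOWED:
            hits.append("dmz-to-internal")
    return hits


def find_suspicious_flows(flows: Iterable[Dict]) -> List[Dict]:
    """Run every flow through the rules; return only matches, annotated with reasons."""
    return [{**f, "reasons": r} for f in flows if (r := classify_flow(f))]


# Constructed sample flows (not real telemetry) exercising each rule once.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "10.0.30.7", "dport": 443, "sni": "api.corp.example"},       # allowed
    {"src": "192.0.2.10", "dst": "10.0.20.15", "dport": 443, "sni": "vcenter.corp.example"},  # DMZ -> vCenter
    {"src": "10.0.5.53", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"},         # sanctioned DoH
    {"src": "10.0.20.15", "dst": "8.8.8.8", "dport": 443, "sni": "dns.google"},                # vCenter doing DoH
    {"src": "10.0.20.15", "dst": "203.0.113.9", "dport": 443, "sni": "update.example"},        # ordinary HTTPS
]

if __name__ == "__main__":
    for hit in find_suspicious_flows(SAMPLE_FLOWS):
        print(hit["src"], "->", hit["dst"], hit["reasons"])
```

In production the same two rules would run over exported NetFlow/IPFIX or firewall logs with the allowlists sourced from your CMDB rather than literals.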
