Chinese APT VerdantBamboo Uses BRICKSTORM Malware for 18-Month Cyber Espionage on Critical Infrastructure

Chinese state-sponsored cyber actors have been conducting a prolonged and sophisticated cyber espionage campaign, utilizing a custom malware toolkit known as BRICKSTORM to infiltrate and maintain persistent access to critical network infrastructure. This campaign, attributed to the Advanced Persistent Threat (APT) group VerdantBamboo—also identified as WARP PANDA and UNC5221—has been active for over 18 months, targeting firewalls, storage systems, and network appliances with remarkable stealth and precision.

Discovery and Initial Intrusion

The campaign came to light when unusual network traffic was detected emanating from a Linux-based virtual machine within a corporate network. This device, an Egnyte Storage Sync appliance designed to synchronize local files with cloud storage, was observed communicating with an external domain controlled by the attackers. Notably, the appliance sent its DNS queries over HTTPS to Cloudflare IP addresses and to Google’s public DNS server at 8.8.8.8, so the lookups never passed through the organization’s own resolver and the malicious activity was effectively masked.

Further investigation by cybersecurity firm Volexity revealed that VerdantBamboo had maintained undetected access to the victim’s network for at least 18 months. The attackers had not only compromised the organization’s internal systems but had also infiltrated their Managed Services Provider (MSP). This secondary breach provided VerdantBamboo with administrative credentials and detailed knowledge of the internal infrastructure, enabling them to bypass standard security controls and establish a persistent foothold within the victim’s environment.

BRICKSTORM Malware: Design and Deployment

BRICKSTORM serves as VerdantBamboo’s primary tool for maintaining control over compromised systems. Crafted in the Go programming language, BRICKSTORM features a modular architecture that allows for customization tailored to specific target devices. This design enables the malware to operate effectively in environments lacking traditional security monitoring tools.

On the Egnyte appliance, BRICKSTORM was strategically placed in the /usr/sbin/ directory and manually executed by the threat actors as needed. The attackers exploited a misconfigured sudo rule to gain elevated privileges, facilitating the malware’s operation. Similarly, on the MSP’s pfSense firewall—a FreeBSD-based system—a variant of BRICKSTORM was deployed. This version was obfuscated using a tool called gobfuscate and configured to run automatically through a modified cron startup file.

Advanced Persistence and Evasion Techniques

VerdantBamboo demonstrated advanced persistence and evasion techniques throughout their campaign. After the initial compromise was identified and the affected appliances were taken offline, the attackers leveraged stolen administrative credentials to access the victim’s exposed firewall. They established their own Virtual Private Network (VPN) tunnel and deployed a new backdoor onto a Synology Network Attached Storage (NAS) device. This adaptive approach allowed them to re-enter the network and maintain their presence despite remediation efforts.

BRICKSTORM’s command-and-control (C2) infrastructure is particularly resilient. The malware uses DNS-over-HTTPS (DoH) to resolve its C2 domains through legitimate public resolvers such as Cloudflare and Google, which conceals the lookups from DNS monitoring that watches the internal resolver or port 53. Once a C2 server is resolved, BRICKSTORM opens a standard HTTPS connection, upgrades it to a WebSocket, and then runs additional nested layers of Transport Layer Security (TLS) inside the WebSocket. This layered tunnel lets the attackers multiplex several data streams, including interactive shells and file transfers, over a single long-lived encrypted connection, so that neither payload inspection nor per-request analysis reveals what is being carried.
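The two network-level signals the paragraph above leaves a defender with are the DoH lookups to public resolvers and the unusually long HTTPS session that carries the WebSocket tunnel. The following is an added example, not Volexity’s code or a BRICKSTORM detection signature, that applies both checks to connection-log records. The log format, host names, addresses, the appliance inventory and the one-hour session threshold are all constructed assumptions; 8.8.8.8 is the resolver the article names, the other resolver addresses are the well-known Cloudflare and Google ones.

```python
"""Flag connection records that match the C2 pattern described in the
article: DNS-over-HTTPS to a public resolver, and long-lived HTTPS sessions
from a network appliance to an external address (the WebSocket tunnel).
Added example; log format, host names and addresses are constructed."""
import ipaddress
from typing import List, Tuple

# Public resolvers that also serve DNS-over-HTTPS on port 443. 8.8.8.8 is
# the one the article names; the others are well-known resolver addresses.
PUBLIC_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Appliances that should resolve names only through the internal resolver
# and should not hold sessions to arbitrary external hosts. Constructed
# names; the assumption is that an asset inventory supplies this set.
APPLIANCES = {"egnyte-sync-01", "pfsense-edge", "synology-nas-02"}

# RFC 1918 space counts as internal for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A WebSocket tunnel carrying shells and file transfers stays up far longer
# than an ordinary HTTPS request; one hour is an assumed threshold.
LONG_SESSION_SECONDS = 3600

Finding = Tuple[str, str, str]  # (rule, source host, destination ip)

# Constructed records: ts src_host src_ip dst_ip dst_port proto bytes duration_s
SAMPLE_FLOWS = """\
2024-03-01T02:14:07Z egnyte-sync-01 10.20.5.17 8.8.8.8 443 tcp 1842 3
2024-03-01T02:14:09Z egnyte-sync-01 10.20.5.17 198.51.100.23 443 tcp 9120044 86400
2024-03-01T02:15:00Z ws-finance-12 10.20.8.40 10.20.0.10 53 udp 212 0
2024-03-01T02:15:11Z ws-finance-12 10.20.8.40 203.0.113.7 443 tcp 51200 14
2024-03-01T02:16:30Z pfsense-edge 10.20.0.1 1.1.1.1 443 tcp 2210 2
""".splitlines()


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into typed fields."""
    ts, src_host, src_ip, dst_ip, dst_port, proto, nbytes, duration = line.split()
    return {"ts": ts, "src_host": src_host, "src_ip": src_ip, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto, "bytes": int(nbytes),
            "duration_s": int(duration)}


def analyze_flows(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        # Rule 1: HTTPS to a public resolver is DoH, which bypasses the
        # internal resolver and its logs. Flagged for every host, on the
        # policy assumption that DNS leaves the network only via the
        # internal resolver.
        if rec["dst_port"] == 443 and rec["dst_ip"] in PUBLIC_DOH_RESOLVERS:
            findings.append(("doh_to_public_resolver", rec["src_host"], rec["dst_ip"]))
        # Rule 2: an appliance holding a long HTTPS session to an external
        # address. The nested TLS defeats payload inspection, so duration
        # and destination are the signals that remain.
        if (rec["src_host"] in APPLIANCES and rec["dst_port"] == 443
                and not is_internal(rec["dst_ip"])
                and rec["dst_ip"] not in PUBLIC_DOH_RESOLVERS
                and rec["duration_s"] >= LONG_SESSION_SECONDS):
            findings.append(("long_lived_https_from_appliance",
                             rec["src_host"], rec["dst_ip"]))
    return findings


if __name__ == "__main__":
    for rule, host, dst in analyze_flows(SAMPLE_FLOWS):
        print(f"{rule:34} {host:16} -> {dst}")
```

On the sample records the workstation’s short browsing session to 203.0.113.7 is left alone, while both appliances are flagged for DoH and the Egnyte host is additionally flagged for a day-long HTTPS session to an external address. In practice the second rule is the more durable one: public resolver lists change, but a storage appliance has no legitimate reason to keep a multi-hour encrypted session open to an address that is not one of its configured cloud endpoints.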

Implications and Recommendations

The VerdantBamboo campaign underscores the evolving sophistication of state-sponsored cyber operations and the critical need for organizations to implement robust detection and response capabilities. The use of BRICKSTORM to target network appliances and firewalls highlights the importance of securing these devices, which are often overlooked in traditional cybersecurity strategies.

Organizations are advised to:

– Regularly Update and Patch Systems: Ensure that all network appliances, firewalls, and storage systems are up-to-date with the latest security patches to mitigate known vulnerabilities.

– Monitor Network Traffic: Implement comprehensive monitoring to detect unusual network activity, such as unexpected communications with external domains or the use of DoH for DNS resolution.

– Review and Harden Configurations: Assess and strengthen the configurations of critical systems to prevent exploitation of misconfigurations, such as improper sudo rules or default credentials.

– Enhance Incident Response Plans: Develop and regularly test incident response plans to ensure swift identification, containment, and remediation of potential breaches.

By adopting these measures, organizations can bolster their defenses against sophisticated threats like BRICKSTORM and reduce the risk of prolonged undetected intrusions.
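The “misconfigured sudo rule” that gave BRICKSTORM elevated privileges on the Egnyte appliance, and the recommendation above to harden such configurations, come down to auditing sudoers for rules that grant more than they appear to. The following is an added example, not code from the article or from any vendor, that parses a sudoers file and flags the common problem patterns. The sudoers content is constructed, and the set of principals treated as legitimate administrators is an assumption to adjust per site.

```python
"""Audit a sudoers file for rules that effectively grant root: unrestricted
NOPASSWD rules, ALL-command rules for non-admin accounts, shells or
interpreters as the permitted command, and wildcards in command arguments.
Added example; the sample sudoers content below is constructed."""
import re
from typing import FrozenSet, List, Tuple

# One user specification: who host=(runas) [TAG:...] command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Commands that hand the caller a shell or an interpreter; a sudo rule
# permitting these is equivalent to granting root outright.
SHELLS_AND_INTERPRETERS = {
    "/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash",
    "/usr/bin/python3", "/usr/bin/perl",
}

# Principals for whom an ALL-command rule is expected (assumption).
ADMIN_PRINCIPALS: FrozenSet[str] = frozenset({"root", "%admin", "%sudo", "%wheel"})

Finding = Tuple[int, str, str]  # (line number, rule, principal)

SAMPLE_SUDOERS = """\
# constructed sample, not a real configuration
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
syncsvc     ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync -a /data/* /backup/
monitor     ALL=(root) /usr/bin/systemctl status nginx
deploy      ALL=(root) /bin/sh
"""


def audit_sudoers(text: str,
                  admin_principals: FrozenSet[str] = ADMIN_PRINCIPALS) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_RE.match(line)
        if m is None:
            # Anything the parser cannot read deserves a human look.
            findings.append((lineno, "unparsed_line", line))
            continue
        who = m["who"]
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                # Unrestricted commands without a password make the service
                # account root in all but name; this is the shape of rule the
                # article describes being abused on the appliance.
                if "NOPASSWD" in tags:
                    findings.append((lineno, "nopasswd_all", who))
                elif who not in admin_principals:
                    findings.append((lineno, "all_commands_non_admin", who))
                continue
            path = cmd.split()[0]
            if path in SHELLS_AND_INTERPRETERS:
                findings.append((lineno, "shell_or_interpreter", who))
            # sudoers(5) warns that wildcards in command arguments also match
            # whitespace, so such a rule permits more than it appears to.
            if "*" in cmd:
                findings.append((lineno, "wildcard_in_command", who))
    return findings


if __name__ == "__main__":
    for lineno, rule, who in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {rule} ({who})")
```

Run against the constructed file, the audit passes the root and %admin rules and the narrowly scoped systemctl rule, and reports three problems: the NOPASSWD ALL rule for the sync service account, the wildcard in the backup rsync rule, and the rule that permits a shell directly. A real deployment would also walk the files pulled in by `#include` and `#includedir`, since appliance vendors often ship their rules there rather than in the main file.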