The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security have jointly issued a critical advisory concerning a sophisticated malware campaign orchestrated by state-sponsored actors from the People's Republic of China (PRC). The advisory describes BRICKSTORM, a custom backdoor designed to infiltrate and persist within VMware vSphere and Windows environments, posing a significant threat to government and information technology networks.
Understanding BRICKSTORM’s Capabilities
BRICKSTORM is a Go-based backdoor that exhibits advanced techniques to evade detection and maintain long-term control over compromised systems. Its primary targets include VMware vCenter servers and ESXi hosts, enabling attackers to manipulate virtual machines (VMs) directly. This deep integration into virtualized infrastructures allows for extensive surveillance and potential disruption of critical operations.
Advanced Command-and-Control Mechanisms
One of BRICKSTORM’s most notable features is its resilient command-and-control (C2) infrastructure. The malware utilizes DNS-over-HTTPS (DoH) to resolve malicious domains through legitimate public resolvers such as Cloudflare and Google. This approach effectively camouflages its traffic within normal network activities, making detection challenging.
Upon identifying a C2 server, BRICKSTORM establishes a connection using standard HTTPS protocols, which is then upgraded to a WebSocket connection layered with additional Transport Layer Security (TLS) encryption. This complex tunneling method, often employing multiplexing libraries like smux or Yamux, allows attackers to run multiple data streams—such as interactive shells and file transfers—within a single encrypted connection.
Documented Incidents and Attack Vectors
The advisory details a specific incident where PRC actors maintained access to a victim’s network from April 2024 through at least September 2025. The attack sequence unfolded as follows:
1. Initial Compromise: Attackers infiltrated a web server located in the organization’s Demilitarized Zone (DMZ).
2. Lateral Movement: From the DMZ, the attackers moved laterally to internal domain controllers and an Active Directory Federation Services (ADFS) server.
3. Deployment of BRICKSTORM: The malware was deployed onto a VMware vCenter server, granting the attackers the ability to steal VM snapshots, extract credentials, and potentially create unauthorized VMs that operate alongside legitimate ones.
4. Compromise of ADFS Server: The attackers successfully compromised the ADFS server to export cryptographic keys, a breach that could allow for the forging of authentication tokens.
Key Features of BRICKSTORM
– Self-Preservation: The malware includes a self-watcher function that reinstalls it automatically if its process is terminated or disrupted, preserving the attackers' access.
– Protocol Tunneling: BRICKSTORM implements SOCKS proxies to tunnel traffic via TCP, UDP, and ICMP, facilitating stealthy lateral movement across segmented networks.
– Virtualization Targeting: Certain variants use Virtual Socket (VSOCK) interfaces for inter-VM communication, allowing data to move between VMs over a channel that standard network monitoring does not observe.
Recommendations for Mitigation
CISA and its partners strongly urge organizations, especially those within government and critical infrastructure sectors, to take immediate action to detect and mitigate BRICKSTORM infections. Recommended steps include:
1. Upgrade VMware vSphere Servers: Ensure that VMware vSphere servers are updated to the latest versions to patch known vulnerabilities.
2. Restrict Network Connectivity: Limit network connectivity from edge devices to internal resources to reduce potential attack vectors.
3. Block Unauthorized DoH Traffic: Implement measures to block unauthorized DNS-over-HTTPS traffic, preventing the malware from resolving its C2 infrastructure.
4. Monitor Service Accounts: Increase monitoring of service accounts, which have been heavily abused during observed attacks, to detect unauthorized activities.
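The C2 resolution described above (DNS-over-HTTPS to Cloudflare and Google) and the third recommendation both come down to one question: which hosts are talking to public DoH resolvers when they have no business doing so? The script below is an added example, not code from the advisory or from CISA; it assumes JSON-lines flow records with src, dst, dport and (when TLS was seen) sni fields, an assumed management subnet for vCenter and ESXi hosts, and constructed sample records.

```python
import ipaddress
import json

# Well-known public DoH endpoints of the resolvers the advisory names
# (Cloudflare and Google); extend to match your DNS policy.
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google"}
DOH_IPS = {ipaddress.ip_address(a)
           for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4")}
# Assumed management segment holding vCenter and ESXi hosts.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample flow records (JSON lines), not real telemetry.
SAMPLE_LOG = """\
{"ts": "2025-09-01T10:00:01Z", "src": "10.10.0.5", "dst": "10.20.0.53", "dport": 53}
{"ts": "2025-09-01T10:00:02Z", "src": "10.10.0.5", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"}
{"ts": "2025-09-01T10:00:03Z", "src": "10.50.0.77", "dst": "8.8.8.8", "dport": 443, "sni": "dns.google"}
{"ts": "2025-09-01T10:00:04Z", "src": "10.10.0.9", "dst": "8.8.4.4", "dport": 443}
{"ts": "2025-09-01T10:00:05Z", "src": "10.10.0.9", "dst": "203.0.113.10", "dport": 443, "sni": "vendor.example"}
"""


def is_doh_to_public_resolver(rec):
    """True when a flow looks like DoH to a known public resolver."""
    if rec.get("dport") != 443:
        return False
    # SNI is the strongest signal; without TLS metadata fall back to the
    # resolver address, which still catches a bare 1.1.1.1:443 session.
    if rec.get("sni", "").lower() in DOH_SNI:
        return True
    try:
        return ipaddress.ip_address(rec["dst"]) in DOH_IPS
    except (KeyError, ValueError):
        return False


def find_doh_from_mgmt(log_text, mgmt_net=MGMT_NET):
    """Return (ts, src, dst, sni) for each DoH flow sourced from mgmt_net."""
    # A vCenter or ESXi host talking to a public DoH resolver is the
    # behaviour the advisory ties to BRICKSTORM's C2 lookup: triage it.
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        try:
            src = ipaddress.ip_address(rec["src"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than abort the sweep
        if src in mgmt_net and is_doh_to_public_resolver(rec):
            hits.append((rec.get("ts"), rec["src"], rec["dst"], rec.get("sni")))
    return hits
```

Run against real flow or proxy logs, every hit from the management segment is a host whose resolver policy has been bypassed; the same match list also serves as the deny list for the DoH blocking recommended above.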
Conclusion
The emergence of BRICKSTORM underscores the evolving sophistication of state-sponsored cyber threats targeting virtualized environments. Organizations must adopt a proactive and comprehensive cybersecurity strategy to defend against such advanced persistent threats. By implementing the recommended mitigation measures and maintaining vigilant monitoring, entities can enhance their resilience against BRICKSTORM and similar malware campaigns.