VMware Under Siege: Chinese Hackers’ Latest Target


Key points

  • Chinese state-sponsored threat actors are using a malware program called BRICKSTORM to backdoor VMware vCenter and VMware ESXi servers, allowing them to maintain long-term persistence in victim networks.
  • The malware has been found in the networks of organizations in the government services and facilities sector and the IT sector, and has remained undetected for an average of 369 days.
  • To mitigate the threat, organizations are advised to upgrade their VMware vSphere servers, harden their VMware vSphere environments, and implement proper network segmentation and monitoring.

According to a joint report by the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre), Chinese state-sponsored threat actors are using a malware program written in Go to backdoor VMware vCenter and VMware ESXi servers. The malware, known as BRICKSTORM, allows the attackers to maintain long-term persistence in victim networks, and has been found in the networks of organizations in the government services and facilities sector and the IT sector.

The report states that the malware was first reported by researchers from Mandiant and Google’s Threat Intelligence Group in September, and has been found to have remained undetected for an average of 369 days. CISA has analyzed eight separate BRICKSTORM samples, including one collected from a VMware vCenter server of an organization where the infection went undetected for over a year and a half.

The attackers originally compromised a public-facing web server, and then deployed a web shell to enable remote execution of commands on the server. From there, they were able to extract credentials for a service account and access a domain controller, where they copied the Active Directory database. The attackers then used the credentials to access another domain controller on the internal network and copy the AD database, which included credentials used by a managed service provider (MSP).

Using the MSP credentials, the attackers were able to access a VMware vCenter server and deploy the BRICKSTORM malware. The malware is designed to work in virtualized environments, and creates a virtual socket (VSOCK) interface that enables inter-VM communication and data exfiltration. It also checks the environment upon execution to ensure it’s running as a child process and from a specific path, and has self-monitoring capabilities that ensure its persistence.

The CISA, NSA, and Canadian Cyber Centre analysts note that BRICKSTORM mimics web server functionality for its command-and-control (C2) communication to blend in with legitimate traffic, and provides a SOCKS5 proxy for attackers to tunnel traffic during lateral movement operations. The malware allows threat actors to browse the file system and execute shell commands, providing them with complete control over the compromised system.

To mitigate the threat, organizations are advised to upgrade their VMware vSphere servers to the latest version, harden their VMware vSphere environments by applying VMware’s guidance, and take inventory of all network edge devices and monitor for any suspicious network connectivity originating from them. Additionally, organizations should ensure that network segmentation restricts traffic from the DMZ to the internal network, disable RDP and SMB from the DMZ to the internal network, and apply the principle of least privilege, restricting service accounts to only the permissions they need. By taking these steps, organizations can help protect themselves against the BRICKSTORM malware and similar threats.
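As an added example (not code from the report or from this article), the small Python check below applies the DMZ-to-internal rule from the guidance above to a constructed connection log: it flags RDP (3389) and SMB (445) flows that originate in the DMZ and terminate in the internal network, which is exactly the traffic the advice says should be blocked. The DMZ and internal address ranges and the log line format are assumptions made for this example.

```python
"""Flag DMZ-to-internal RDP/SMB flows in a simple connection log (constructed data)."""
import ipaddress
from collections import namedtuple

# Assumed address plan for this example only; substitute your own ranges.
DMZ_NETS = [ipaddress.ip_network("10.10.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Services the guidance says must not cross from the DMZ into the internal network.
BLOCKED_PORTS = {3389: "RDP", 445: "SMB"}

Flow = namedtuple("Flow", "ts src dst dport proto")


def in_any(addr, nets):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_flow(line):
    """Parse one constructed log line: '<ts> <src> -> <dst>:<dport>/<proto>'."""
    ts, src, _arrow, rest = line.split()
    dst, port_proto = rest.rsplit(":", 1)
    dport, proto = port_proto.split("/")
    return Flow(ts, src, dst, int(dport), proto)


def find_violations(lines):
    """Return (flow, service) for every DMZ -> internal RDP/SMB flow."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f.dport in BLOCKED_PORTS and in_any(f.src, DMZ_NETS)
                and in_any(f.dst, INTERNAL_NETS)):
            hits.append((f, BLOCKED_PORTS[f.dport]))
    return hits


# Constructed sample log: two violations (SMB and RDP from the DMZ), one
# internal-to-internal RDP flow and two permitted flows that should not fire.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 10.10.0.5 -> 10.20.1.10:445/tcp
2024-01-05T10:00:02Z 10.10.0.5 -> 10.20.1.10:443/tcp
2024-01-05T10:00:03Z 10.20.1.7 -> 10.20.1.10:3389/tcp
2024-01-05T10:00:04Z 10.10.0.9 -> 10.20.5.2:3389/tcp
2024-01-05T10:00:05Z 10.10.0.9 -> 203.0.113.8:443/tcp
"""

if __name__ == "__main__":
    for flow, svc in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {svc} from DMZ host {flow.src} to internal {flow.dst}:{flow.dport}")
```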
