
CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems

Severity: Medium
Tags: Vulnerability, Windows
Published: Fri Dec 05 2025 (12/05/2025, 08:14:00 UTC)
Source: The Hacker News

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said.

AI-Powered Analysis

Last updated: 12/06/2025, 04:42:08 UTC

Technical Analysis

BRICKSTORM is a highly advanced backdoor implant employed by PRC-linked threat groups UNC5221 and Warp Panda to maintain covert, persistent access to compromised VMware vSphere and Windows systems. Written in Golang, it offers an interactive shell and extensive file system control, enabling attackers to browse, upload, download, create, delete, and manipulate files. It supports multiple encrypted, stealthy command-and-control (C2) channels, including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS (DoH), and it can establish SOCKS proxies to facilitate lateral movement within networks. The malware is designed to operate stealthily: it monitors itself and automatically reinstalls or restarts if disrupted, and it employs anti-forensic techniques such as log clearing and timestomping. BRICKSTORM also uses virtual socket (VSOCK) interfaces to communicate between virtual machines and hypervisors, enabling data exfiltration and persistence in virtualized environments.

Initial access is often gained through exploitation of zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887) and VMware vCenter (multiple CVEs), or via valid credentials obtained through web shells or other means. Once inside, attackers move laterally using SMB, RDP, SSH, and privileged vCenter accounts (e.g., vpxuser), targeting domain controllers and Active Directory Federation Services (ADFS) servers to harvest credentials and cryptographic keys. The attackers also deploy two additional Golang implants, Junction and GuestConduit, for command execution and network tunneling within ESXi hosts and guest VMs.

Beyond on-premises infrastructure, the adversaries extend their operations into cloud environments, abusing Microsoft Azure and Microsoft 365 services to access OneDrive, SharePoint, and Exchange data. They use session replay attacks to hijack user sessions and register new MFA devices to maintain long-term access.

The campaign focuses on sectors including government, legal, IT, SaaS providers, business process outsourcing, manufacturing, and cloud services, primarily targeting North American entities but with implications for similar organizations globally. The attackers demonstrate advanced operational security, stealth, and a strategic focus on intelligence collection aligned with PRC interests.

Potential Impact

For European organizations, the BRICKSTORM threat poses significant risks, especially for entities operating VMware vSphere environments and using Ivanti Connect Secure or Microsoft Azure cloud services. The malware’s ability to maintain persistent, stealthy access allows attackers to conduct prolonged espionage, exfiltrate sensitive data such as cryptographic keys, Active Directory credentials, and cloud-stored information, and potentially disrupt critical IT infrastructure. Given the targeting of government, legal, IT, and manufacturing sectors in the U.S., European counterparts in these sectors are likely at risk, particularly those with similar technology stacks or strategic importance. The exploitation of zero-day vulnerabilities and credential theft increases the difficulty of detection and remediation. The threat’s capability to manipulate virtualized environments and cloud services also raises concerns about supply chain and managed service provider (MSP) security, which are prevalent in Europe. Persistent access to domain controllers and cloud identities could lead to widespread compromise, data breaches, and operational disruptions. Additionally, the attackers’ focus on intelligence collection aligns with geopolitical tensions, potentially increasing targeting of European government and critical infrastructure entities.

Mitigation Recommendations

European organizations should prioritize patching all known vulnerabilities exploited by BRICKSTORM, including Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887) and VMware vCenter vulnerabilities (CVE-2024-38812, CVE-2023-34048, CVE-2021-22005). Implement strict network segmentation to isolate VMware management interfaces and limit access to vCenter servers and ESXi hosts. Enforce the principle of least privilege for service and administrative accounts, especially the vpxuser account, and monitor for unusual privilege escalations or lateral movement activities.

Deploy advanced endpoint detection and response (EDR) solutions capable of detecting Golang-based implants and anomalous network traffic patterns, including DNS-over-HTTPS and nested TLS communications. Monitor for suspicious use of protocols like SMB, RDP, SSH, and SFTP within internal networks.

Harden cloud environments by enforcing conditional access policies, multi-factor authentication (MFA) with hardware tokens, and continuous monitoring of Microsoft Azure and Microsoft 365 activities, including unusual session token usage and new MFA device registrations. Conduct regular audits of Active Directory Federation Services (ADFS) and domain controller logs for signs of compromise.

Employ deception technologies and honeypots within virtualized environments to detect rogue VM creation and suspicious VSOCK communications. Collaborate with managed service providers to ensure their security posture and monitor for MSP account misuse. Finally, invest in threat hunting and incident response capabilities focused on detecting stealthy, persistent backdoors and advanced lateral movement techniques.


Technical Details

Article Source: https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html (fetched 2025-12-06T04:40:41Z, 1815 words)

Threat ID: 6933b3cf2271496a0fa5db1f

Added to database: 12/6/2025, 4:40:47 AM

Last enriched: 12/6/2025, 4:42:08 AM

Last updated: 12/6/2025, 6:00:50 AM
