Chinese state-sponsored hackers have recently targeted VMware vCenter and ESXi servers using malware known as BRICKSTORM to maintain long-term access within compromised networks. According to a joint report from CISA, NSA, and the Canadian Cyber Security Centre, various sectors, particularly government services and IT, have been primarily affected.
Initially highlighted by Mandiant and Google’s Threat Intelligence Group in September, BRICKSTORM was observed averaging 369 days of undetected presence within US legal firms and SaaS providers, among others. CISA has analyzed multiple samples of the malware, finding it deployed on a VMware vCenter server that had been compromised for over a year and a half, allowing attackers to traverse the network laterally.
Attack Vector
The investigation by CISA revealed attackers compromised a public-facing web server, employing a backdoor web shell to execute commands remotely. After obtaining service account credentials, they accessed a domain controller and duplicated the Active Directory database. By leveraging credentials from a managed service provider, attackers breached a VMware vCenter server and installed BRICKSTORM in the system’s configuration directory.
Malware Features
BRICKSTORM is particularly well suited to virtualized environments: it creates a virtual socket interface for inter-VM communication and data exfiltration. When executed, it checks its operational environment to ensure it is running as a child process launched from designated paths. This self-monitoring gives it resilience against termination, allowing it to reinstall and re-execute itself if conditions deviate from what it expects.
The malware behaves like a web server for its command-and-control communications, camouflaging its traffic as ordinary web traffic. It also includes a SOCKS5 proxy for routing traffic during lateral movement.
Once it has established a secure connection to its C2 domain, BRICKSTORM uses a customized Go package to manage incoming network connections and process commands; each command is dispatched to a dedicated handler according to its function.
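The SOCKS5 proxy mentioned above gives a defender something concrete to look for: a vCenter or ESXi host should never be relaying SOCKS5 CONNECT requests toward domain controllers or file servers. The following Python script is an added example written for this page (it is not code from the advisory, from CISA, or from the BRICKSTORM report). It parses the SOCKS5 client greeting and request format defined in RFC 1928 from the first bytes of captured client-side TCP payloads and flags any tunnel that originates from a host on a constructed "management hosts" list. The sample flows, host names and addresses are constructed for the demonstration.

```python
"""Flag SOCKS5 CONNECT tunnels originating from hosts that should never proxy.

Added example, not from the advisory. Parses the RFC 1928 greeting and request
that a SOCKS5 client sends, so proxy tunnelling from a management appliance
(such as a vCenter server) stands out in flow captures.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

# Constructed list of hosts that must never act as a SOCKS proxy (assumption).
MANAGEMENT_HOSTS = {"10.0.5.20"}   # hypothetical vCenter appliance address


@dataclass
class SocksRequest:
    command: str
    host: str
    port: int


def parse_client_greeting(data: bytes) -> Optional[int]:
    """Return the length of a SOCKS5 client greeting (VER NMETHODS METHODS...) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return 2 + nmethods


def parse_request(data: bytes) -> Optional[SocksRequest]:
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(data[1])
    if cmd is None:
        return None
    atyp = data[3]
    if atyp == 0x01:                      # IPv4 address, 4 bytes
        if len(data) < 10:
            return None
        host, end = str(IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                    # domain name, length-prefixed
        if len(data) < 5:
            return None
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host, end = data[5:5 + n].decode("ascii", errors="replace"), 5 + n
    elif atyp == 0x04:                    # IPv6 address, 16 bytes
        if len(data) < 22:
            return None
        host, end = str(IPv6Address(data[4:20])), 20
    else:
        return None
    port = int.from_bytes(data[end:end + 2], "big")
    return SocksRequest(cmd, host, port)


def find_socks_tunnels(flows: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, SocksRequest]]:
    """Return (src, dst, request) for every flow whose client payload is a SOCKS5 handshake
    and whose source is a management host. Each flow is (src_ip, dst_ip, client_bytes)."""
    findings = []
    for src, dst, payload in flows:
        greet_len = parse_client_greeting(payload)
        if greet_len is None:
            continue
        req = parse_request(payload[greet_len:])
        if req is not None and src in MANAGEMENT_HOSTS:
            findings.append((src, dst, req))
    return findings


# Constructed sample flows: client-side bytes as they would appear in a capture.
SAMPLE_FLOWS = [
    # vCenter -> unknown host: SOCKS5 CONNECT to 10.0.9.7:445 (SMB) via IPv4 address
    ("10.0.5.20", "10.0.7.3",
     b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 0, 9, 7]) + (445).to_bytes(2, "big")),
    # ordinary HTTP request, not SOCKS
    ("10.0.5.20", "10.0.7.3", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # vCenter -> unknown host: SOCKS5 CONNECT to dc01.corp.lan:3389 (RDP) via domain name
    ("10.0.5.20", "10.0.7.3",
     b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03" + b"\x0ddc01.corp.lan" + (3389).to_bytes(2, "big")),
    # same handshake from a workstation that is allowed to use a proxy: not flagged
    ("10.0.30.15", "10.0.7.3",
     b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 0, 9, 7]) + (445).to_bytes(2, "big")),
]

if __name__ == "__main__":
    for src, dst, req in find_socks_tunnels(SAMPLE_FLOWS):
        print(f"SOCKS5 {req.command} from {src} via {dst} -> {req.host}:{req.port}")
```

The script looks only at the client's first bytes, which is what most flow collectors retain; in practice the allow-list of hosts permitted to proxy and the capture source would come from your own environment.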
Recommendations
In response to these findings, the advisory includes indicators of compromise and suggests several mitigations:
- Upgrade VMware vSphere to the latest version.
- Strengthen VMware vSphere environments per VMware’s recommendations.
- Conduct a comprehensive inventory of network edge devices and monitor for any unusual connectivity.
- Ensure robust network segmentation to limit traffic between the DMZ and internal networks.
- Disable RDP and SMB protocols from the DMZ to internal networks.
- Apply the principle of least privilege to service accounts, restricting permissions to only what’s necessary.
- Heighten monitoring of service account activities to identify predictable patterns.
- Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH traffic to reduce unmonitored communications.
These measures aim to bolster defenses against such sophisticated threats and mitigate potential risks to organizational security.
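The last mitigation, blocking unauthorized DNS-over-HTTPS, is easier to enforce once you can see DoH in proxy logs. The Python script below is an added example for this page (not code from the advisory or from CISA). It scans constructed outbound-proxy log lines for the two things RFC 8484 DoH traffic reliably exposes even when the DNS payload itself is encrypted: a TLS SNI or Host matching a well-known public DoH provider, and HTTP requests that use the `/dns-query` path or the `application/dns-message` media type. Connections to an allow-listed internal resolver are not flagged. The log format, the internal resolver name and the client addresses are assumptions made for the example.

```python
"""Flag DNS-over-HTTPS to unapproved resolvers in outbound proxy logs.

Added example, not from the advisory. Assumes a constructed single-line log
format: '<ts> <src> -> <dst>:<port> sni=<host> path=<path> ctype=<type>'.
"""
import re
from typing import Dict, List

# Public DoH hostnames operated by Google, Cloudflare and Quad9.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Hypothetical internal DoH resolver that the organization has approved (assumption).
ALLOWED_DOH_HOSTS = {"doh.corp.example"}

DOH_PATH = "/dns-query"                     # conventional RFC 8484 endpoint path
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)"
    r" sni=(?P<sni>\S+) path=(?P<path>\S+) ctype=(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed proxy log line into a dict; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the DoH indicators present in one parsed entry (empty if none)."""
    host = entry["sni"].lower()
    reasons = []
    if host in ALLOWED_DOH_HOSTS:
        return reasons                       # approved resolver: never flagged
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-provider")
    if entry["path"] == DOH_PATH:
        reasons.append("dns-query-path")
    if entry["ctype"].lower() == DOH_MEDIA_TYPE:
        reasons.append("dns-message-media-type")
    return reasons


def find_unauthorized_doh(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries that show DoH to a resolver outside the allow-list."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            entry["reasons"] = ",".join(reasons)
            findings.append(entry)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.5.20 -> 8.8.8.8:443 sni=dns.google path=/dns-query ctype=application/dns-message",
    "2024-05-01T10:00:02Z 10.0.5.20 -> 10.0.1.53:443 sni=doh.corp.example path=/dns-query ctype=application/dns-message",
    "2024-05-01T10:00:03Z 10.0.30.15 -> 203.0.113.10:443 sni=www.example.test path=/index.html ctype=text/html",
    "2024-05-01T10:00:04Z 10.0.30.15 -> 203.0.113.44:443 sni=resolver.example.test path=/dns-query ctype=application/dns-message",
]

if __name__ == "__main__":
    for f in find_unauthorized_doh(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['sni']}:{f['port']} [{f['reasons']}]")
```

The fourth sample line shows why the path and media-type checks matter: a resolver that is not on any public provider list still stands out by speaking the DoH wire format, which is the case a static block-list alone would miss.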