
CISA alerts on BRICKSTORM backdoor for VMware vSphere and Windows

BRICKSTORM is a backdoor that targets VMware vSphere and Windows environments and is used by People’s Republic of China (PRC) state-sponsored cyber actors to maintain long-term, stealthy access on victim systems.

The malware implements multiple communications and persistence techniques: HTTPS, WebSockets, and nested Transport Layer Security (TLS) for its command-and-control channels; DNS-over-HTTPS (DoH) to conceal C2 name resolution from conventional DNS monitoring; a built-in SOCKS proxy that lets the actors tunnel through the implant and move laterally; and a self-monitoring function that automatically reinstalls or restarts the malware if it is disrupted. In one confirmed incident, the actors gained entry through a web server in the organization's Demilitarized Zone (DMZ), moved laterally to an internal VMware vCenter server, and implanted BRICKSTORM there. CISA obtained a sample during an incident response engagement, and the advisory references a joint Malware Analysis Report (MAR), BRICKSTORM Backdoor, that analyzes that sample and seven additional BRICKSTORM samples exhibiting variations in functionality. The advisory notes that victim organizations are primarily in the Government Services and Facilities and Information Technology sectors.

The advisory states that BRICKSTORM provides capabilities for initiation, persistence, and secure command and control, enabling the actors to maintain stealthy long-term access. Its encrypted channels and DoH are described as concealing communications, the incorporated SOCKS proxy as facilitating lateral movement and tunneling within victim networks, and the self-monitoring mechanism as reinstating or restarting the malware to ensure continued operation. After gaining access, the actors obtain and use legitimate credentials, either from system backups or by capturing Active Directory database information, and use them to exfiltrate sensitive data. They also target VMware vSphere platforms, stealing cloned Virtual Machine (VM) snapshots for offline credential extraction and creating hidden rogue Vulnerability Management System (VMS) instances to evade detection.

The advisory states CISA recommends that network defenders hunt for existing intrusions and mitigate further compromise. It directs defenders to scan for BRICKSTORM using CISA-created YARA and Sigma rules as described in the joint MAR BRICKSTORM Backdoor; to block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; to take inventory of all network edge devices and monitor for any suspicious network connectivity originating from those devices; and to ensure proper network segmentation that restricts network traffic from the DMZ to the internal network.
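The three network-level mitigations above (block unsanctioned DoH, watch management servers such as vCenter for unexpected egress, and enforce DMZ-to-internal segmentation) are easy to turn into a first-pass hunt over existing connection logs. The script below is an added example written for this summary; it is not code from CISA or the MAR, and it does not reproduce CISA's YARA or Sigma rules. It reads tab-separated Zeek-style records (timestamp, source, destination, destination port, protocol, TLS SNI) and flags the behaviours the advisory describes. The address ranges, the sanctioned DoH endpoint `doh.corp.example`, the vCenter address `10.20.5.10`, and the sample log are constructed assumptions to be replaced with your own address plan.

```python
"""Hunt for BRICKSTORM-style network behaviour in Zeek-style connection records.

Added example, not CISA or MAR code. Network ranges, host roles and the
sample log below are constructed assumptions, not data from the advisory.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known public DoH resolvers: hostnames seen as TLS SNI, and their anycast IPs
# (for DoH clients that connect by IP and send no SNI). Extend as needed.
PUBLIC_DOH_SNI = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com", "dns.adguard.com",
}
PUBLIC_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Hypothetical network plan (assumption): adjust to your own environment.
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
SANCTIONED_DOH_SNI = {"doh.corp.example"}       # the only DoH endpoint allowed
MGMT_SERVERS = {"10.20.5.10"}                   # e.g. the vCenter appliance
ALLOWED_MGMT_PEERS = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Conn:
    ts: float
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    sni: Optional[str]


def parse_conn(line: str) -> Conn:
    """Parse one tab-separated record: ts src dst dport proto sni ('-' = no SNI)."""
    ts, src, dst, dport, proto, sni = line.rstrip("\n").split("\t")
    return Conn(float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto, None if sni == "-" else sni.lower())


def check_conn(c: Conn) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every hunting rule a connection trips."""
    hits = []
    # 1. DoH to anything other than the sanctioned resolver. BRICKSTORM resolves
    #    its C2 over DoH, so unsanctioned DoH should be blocked and alerted on.
    looks_like_doh = (c.sni in PUBLIC_DOH_SNI) or (
        c.dport == 443 and str(c.dst) in PUBLIC_DOH_IPS)
    if looks_like_doh and c.sni not in SANCTIONED_DOH_SNI:
        hits.append(("unauthorized_doh", f"{c.src} -> {c.dst} sni={c.sni}"))
    # 2. A DMZ host initiating a session into the internal network: the lateral
    #    move from the DMZ web server to vCenter seen in the confirmed incident.
    if c.src in DMZ_NET and c.dst in INTERNAL_NET:
        hits.append(("dmz_to_internal", f"{c.src} -> {c.dst}:{c.dport}/{c.proto}"))
    # 3. A management server (vCenter) reaching a peer outside its allow-list:
    #    a possible C2 beacon or the far end of a SOCKS tunnel.
    if str(c.src) in MGMT_SERVERS and c.dst not in ALLOWED_MGMT_PEERS:
        hits.append(("mgmt_egress", f"{c.src} -> {c.dst}:{c.dport}/{c.proto}"))
    return hits


def hunt(log_text: str) -> List[Tuple[str, str]]:
    """Run every rule over every record; blank lines and '#' comments are skipped."""
    findings = []
    for line in log_text.splitlines():
        if line and not line.startswith("#"):
            findings.extend(check_conn(parse_conn(line)))
    return findings


def hosts_by_findings(findings: List[Tuple[str, str]]) -> Counter:
    """Rank source hosts by how many rules they tripped (detail starts with src)."""
    return Counter(detail.split()[0] for _, detail in findings)


# Constructed sample records (not real traffic): vCenter doing DoH to Cloudflare,
# a DMZ host reaching vCenter, vCenter talking to an unknown external host, and
# two benign internal sessions including one to the sanctioned DoH endpoint.
SAMPLE_LOG = """\
1733300000.1\t10.20.5.10\t1.1.1.1\t443\ttcp\tcloudflare-dns.com
1733300001.2\t10.20.7.44\t10.20.5.10\t443\ttcp\t-
1733300002.3\t10.10.0.5\t10.20.5.10\t443\ttcp\t-
1733300003.4\t10.20.7.44\t10.20.9.9\t443\ttcp\tdoh.corp.example
1733300004.5\t10.20.5.10\t203.0.113.7\t443\ttcp\t-
1733300005.6\t10.20.7.44\t93.184.216.34\t443\ttcp\texample.com
"""

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOG):
        print(f"{rule:18s} {detail}")
    print(hosts_by_findings(hunt(SAMPLE_LOG)))
```

On the sample log the vCenter address trips three findings (unsanctioned DoH, then two unexpected egress sessions) and the DMZ host one, which is the ranking a hunter wants: the host the advisory singles out as the implant location floats to the top. The SNI check will miss DoH to a resolver that is not in the list and DoH over a nested TLS tunnel, which is why the advisory pairs detection with blocking external DoH outright; treat the rules as a starting point alongside the YARA and Sigma rules in the MAR, not a substitute for them.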

The advisory refers readers to the joint MAR BRICKSTORM Backdoor for additional detection resources and instructs that if BRICKSTORM, similar malware, or potentially related activity is detected, the incident should be reported to CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870.