PRC Hackers Exploit BRICKSTORM for Prolonged U.S. System Breaches: CISA Reports


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently unveiled details of a backdoor known as BRICKSTORM. This malware is reportedly used by state-sponsored hackers from the People’s Republic of China (PRC) to maintain enduring access to compromised systems. CISA emphasized that BRICKSTORM is a sophisticated tool designed for VMware vSphere and Windows environments.

Overview of BRICKSTORM

BRICKSTORM allows its operators to execute commands and gain interactive access to systems. The malware, written in Golang, provides features for:

  • Maintaining stealthy access to systems.
  • Carrying out actions without detection.
  • Communicating securely with command-and-control infrastructure.

Notably, BRICKSTORM supports multiple protocols such as HTTPS and nested Transport Layer Security (TLS) for command-and-control communication, effectively concealing malicious activities within regular traffic.

Targeted Sectors

The primary targets of BRICKSTORM include:

  • Government agencies
  • Information Technology (IT) sectors
  • Legal and software-as-a-service (SaaS) providers
  • Business Process Outsourcers (BPOs)

Despite the agency’s concerns, specific details about affected agencies and stolen data remain undisclosed.

Historical Context and Attribution

BRICKSTORM was first identified by Google Mandiant in 2024. Its deployment is linked to the exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The malware has been associated with two threat actor groups, UNC5221 and a new entity known as Warp Panda, which has been active since at least 2022.

Reports from early September indicate that groups like UNC5221 have targeted various sectors within the U.S. to deploy BRICKSTORM. These reports point to an evolution in Chinese hacking techniques, particularly against edge network devices.

Attacks and Techniques

Many details surrounding the attacks remain unclear, including initial attack methods. One reported incident from April 2024 revealed attackers gaining access to a web server within a demilitarized zone (DMZ) and subsequently implanting BRICKSTORM onto a VMware vCenter server.

During their intrusions, attackers acquired service account credentials, allowing lateral movement to crucial systems like domain controllers. These operations also included:

  • Utilizing Remote Desktop Protocol (RDP) for capturing Active Directory data.
  • Exfiltrating cryptographic keys from servers within the environment.

Additional Malware and Persistence Mechanisms

Alongside BRICKSTORM, Warp Panda employs other malware such as Junction and GuestConduit, each serving specific functions within compromised environments. These tools facilitate command execution and network traffic tunneling.

The attackers preserve their foothold and hinder forensic analysis through various techniques, including:

  • Clearing logs and timestomping files.
  • Creating temporary virtual machines that are decommissioned after use.

Strategic Objectives and Implications

According to CrowdStrike, Warp Panda’s operations reflect a systematic approach to establish long-term access to networks, likely for intelligence-gathering aligned with PRC interests. Furthermore, the group actively exploits access to Microsoft Azure environments, gaining entry to various services such as OneDrive and SharePoint.

In conclusion, BRICKSTORM exemplifies the evolving landscape of cybersecurity threats posed by state-sponsored groups. The continuous development and deployment of advanced malware underscore the need for robust security measures within the targeted sectors. As the situation unfolds, organizations must remain vigilant against such sophisticated threats.