UNC5221 uses BRICKSTORM backdoor to infiltrate the US legal and technology sectors

September 24, 2025

Legal services firms, software-as-a-service (SaaS) providers, business process outsourcers (BPOs), and the US technology sector are being targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor called BRICKSTORM.

Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News that the activity, attributed to UNC5221 and closely related suspected China-nexus threat clusters, is designed to maintain persistent access to victim organizations, in some cases for more than a year.

Targeting SaaS providers is intended to reach downstream customer environments, or the data a SaaS provider hosts on behalf of its customers. Targeting the US legal and technology sectors is assessed to be aimed at stealing intellectual property to advance the development of zero-day exploits, as well as at gathering information related to national security and international trade.

BRICKSTORM was first documented by Google last year in connection with the zero-day exploitation of two Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been used since at least November 2022 against targets in Europe.

A Go-based backdoor, BRICKSTORM can set itself up as a web server, perform file system and directory operations, upload and download files, execute shell commands, and act as a SOCKS relay. It uses WebSockets to communicate with its command-and-control (C2) server.

Earlier this year, the US government noted that the China-aligned threat cluster tracked as APT27 (aka Emissary Panda) overlaps with Silk Typhoon, UNC5221, and UTA0178. However, GTIG told The Hacker News at the time that there was insufficient evidence to confirm the links and that it treated them as two separate clusters.

“These intrusions are carried out with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” GTIG said, adding that it has responded to several such intrusions since March 2025.

“The actors employ lateral movement and data theft methods that generate minimal to no security telemetry. This, coupled with the modification of the BRICKSTORM backdoor, has allowed it to remain undetected in victim environments for an average of 393 days.”

In at least one case, the threat actors are believed to have exploited the aforementioned Ivanti Connect Secure flaws on edge devices to obtain initial access, and then dropped BRICKSTORM on Linux- and BSD-based appliances from multiple manufacturers.

There is evidence to suggest the malware is under active development. One sample features a “delay” timer that waits until a hardcoded date in the future before beginning contact with the C2 server. According to Google, this BRICKSTORM variant was deployed on internal VMware vCenter servers after a targeted organization had launched incident response efforts, indicating the group’s agility in maintaining persistence.

The attacks are also characterized by the use of a malicious Java servlet filter on vCenter’s Apache Tomcat server to capture vCenter credentials for privilege escalation, and then using those credentials to clone the Windows Server VMs of key systems such as domain controllers, SSO identity providers, and secret vaults. Cloning a domain controller’s disks gives the attacker an offline copy of the directory database without ever logging into the guest, so nothing inside the Windows VM sees the theft.
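One defensive angle on the cloning step, as an added example that is not part of the original article and not Google or Mandiant tooling: hunt exported vCenter events for clone, snapshot or export operations against identity-tier VMs. The vSphere event type names and task descriptionIds used below are assumed to match what govc or pyvmomi export; the one-object-per-line export format, the VM-name watchlist and the records in SAMPLE_EVENTS are constructed for the demo.

```python
"""Hunt vCenter events for cloning/snapshotting of identity-tier VMs.

Added example for this article; not code from Google/Mandiant or from the
reporting. Assumptions: vSphere event type names (VmClonedEvent, ...) and
task descriptionIds (VirtualMachine.clone, VirtualMachine.createSnapshot,
VirtualMachine.exportVm); a JSON-lines export; a hypothetical watchlist.
SAMPLE_EVENTS is constructed, not real telemetry.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Hypothetical watchlist: name patterns for VMs whose disks hold domain secrets
# (NTDS.dit on domain controllers, token-signing keys on SSO servers, vaults).
IDENTITY_VM_PATTERNS = [
    re.compile(r"(?i)\bdc\d*\b"),          # DC01, dc-02 ...
    re.compile(r"(?i)adfs|sso|idp|okta"),  # SSO / identity providers
    re.compile(r"(?i)vault|hsm|secret"),   # secret stores
]

# Events/tasks that produce an offline copy of a VM's disks, i.e. a way to read
# secrets without logging into the guest or tripping its EDR.
COPY_EVENT_TYPES = {"VmClonedEvent", "VmBeingClonedEvent", "VmBeingHotClonedEvent"}
COPY_TASK_IDS = {"VirtualMachine.clone", "VirtualMachine.createSnapshot",
                 "VirtualMachine.exportVm"}


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    vm: str
    reason: str


def is_identity_vm(name: str) -> bool:
    """True if the VM name matches the (assumed) identity-tier watchlist."""
    return any(p.search(name) for p in IDENTITY_VM_PATTERNS)


def parse_events(jsonl: str) -> list[dict]:
    """Parse a JSON-lines event export (constructed format, one object per line)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per copy-type event against an identity-tier VM."""
    findings: list[Finding] = []
    for ev in events:
        vm = ev.get("vm", "")
        if not is_identity_vm(vm):
            continue
        etype = ev.get("eventType", "")
        task = ev.get("descriptionId", "")
        if etype in COPY_EVENT_TYPES:
            reason = f"{etype} on identity-tier VM"
        elif etype == "TaskEvent" and task in COPY_TASK_IDS:
            reason = f"{task} task on identity-tier VM"
        else:
            continue  # power events, reconfigures etc. are not disk copies
        findings.append(Finding(ev.get("createdTime", ""), ev.get("userName", ""), vm, reason))
    return findings


def by_user(findings: list[Finding]) -> dict[str, int]:
    """Count findings per initiating account: one account copying several
    identity VMs in a short window is the pattern worth escalating."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample export (not real telemetry): five events, three of which
# are copies of watchlisted VMs by the same service account.
SAMPLE_EVENTS = """
{"createdTime": "2025-03-02T01:13:40Z", "eventType": "VmClonedEvent", "vm": "DC01", "userName": "svc-backup@vsphere.local"}
{"createdTime": "2025-03-02T01:20:05Z", "eventType": "TaskEvent", "descriptionId": "VirtualMachine.createSnapshot", "vm": "ADFS-PROD", "userName": "svc-backup@vsphere.local"}
{"createdTime": "2025-03-02T02:00:00Z", "eventType": "VmClonedEvent", "vm": "WEB-07", "userName": "jdoe@corp.example"}
{"createdTime": "2025-03-02T03:00:00Z", "eventType": "VmPoweredOnEvent", "vm": "DC01", "userName": "ops@corp.example"}
{"createdTime": "2025-03-02T03:41:12Z", "eventType": "TaskEvent", "descriptionId": "VirtualMachine.clone", "vm": "VAULT-01", "userName": "svc-backup@vsphere.local"}
"""

if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.time} {f.user:26} {f.vm:10} {f.reason}")
    print("per user:", by_user(found))
```

In practice the events come from the vCenter event database (for example via `govc events` or pyvmomi's EventManager) rather than a file; the triage question is then whether the initiating account is a backup or automation identity that legitimately clones those VMs, and whether the clone was later powered on, exported or deleted.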

“Normally, installing a filter requires modifying the configuration file and restarting or reloading the application. However, the actors used custom droppers to make the changes entirely in memory, making them extremely stealthy and removing the need for a restart,” Google said.

The group is also known to use valid credentials for lateral movement and to pivot into VMware infrastructure, and to modify init.d, rc.local, or systemd files so that the backdoor starts automatically when the appliance reboots.
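A practitioner triaging an appliance that cannot run EDR would want to check exactly those locations by hand. The following is an added example, not Google’s scanner and not code from the article: it walks init.d, rc.d, rc.local, rc.conf and systemd unit directories under a given root and flags entries that execute something from a scratch directory or from outside the usual system prefixes. The heuristic and prefix lists are assumptions, and build_sample_root() constructs a fake filesystem tree purely for the demo.

```python
"""Audit boot-persistence locations on a Linux/BSD appliance image.

Added example for this article; not Google's scanner and not code from the
reporting. The heuristic is an assumption: flag init.d / rc.d / rc.local /
rc.conf entries and systemd Exec*= commands whose binary lives in a scratch
directory (/tmp, /var/tmp, /dev/shm, home dirs) or outside the usual system
prefixes. Point audit_persistence() at "/" on a live box or, better, at a
mounted forensic image; build_sample_root() builds a fake tree for the demo.
"""
from __future__ import annotations

import os
import re
import tempfile

SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/www/")
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/etc/", "/run/",
                    "/var/run/", "/var/lock/", "/var/log/", "/var/lib/", "/dev/",
                    "/proc/", "/sys/")
# Vendor paths such as /opt/... are deliberately not trusted: they come back as
# "non-standard-prefix" so that they are baselined against the vendor image.

UNIT_DIRS = ("etc/systemd/system", "lib/systemd/system", "usr/lib/systemd/system")
SCRIPT_DIRS = ("etc/init.d", "etc/rc.d", "usr/local/etc/rc.d")   # SysV and BSD rc
SCRIPT_FILES = ("etc/rc.local", "etc/rc.conf")

# systemd: ExecStart=/path args (prefix chars like - @ + ! : are allowed by systemd)
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*[-@+!:]*(\S+)", re.M)
# shell/rc files: every absolute path on a line
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def classify_path(path: str) -> str | None:
    """Verdict for an absolute path, or None if it looks like a normal system path."""
    if path.startswith(SCRATCH_PREFIXES):
        return "scratch-dir"
    if not path.startswith(TRUSTED_PREFIXES):
        return "non-standard-prefix"
    return None


def _read(path: str) -> str:
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def audit_persistence(root: str) -> list[tuple[str, str, str]]:
    """Scan persistence locations under root; return (file, path, verdict) tuples."""
    findings: list[tuple[str, str, str]] = []
    seen: set[tuple[str, str]] = set()

    def record(rel: str, path: str) -> None:
        verdict = classify_path(path)
        if verdict and (rel, path) not in seen:
            seen.add((rel, path))
            findings.append((rel, path, verdict))

    # 1. systemd units: anything a unit executes at boot.
    for unit_dir in UNIT_DIRS:
        d = os.path.join(root, unit_dir)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.endswith(".service") and os.path.isfile(full):
                for m in EXEC_RE.finditer(_read(full)):
                    record("/" + unit_dir + "/" + name, m.group(1))

    # 2. rc.local / rc.conf and SysV or BSD rc scripts: absolute paths on non-comment lines.
    scripts = [os.path.join(root, f) for f in SCRIPT_FILES]
    for sdir in SCRIPT_DIRS:
        d = os.path.join(root, sdir)
        if os.path.isdir(d):
            scripts += [os.path.join(d, n) for n in sorted(os.listdir(d))]
    for full in scripts:
        if not os.path.isfile(full):
            continue
        rel = "/" + os.path.relpath(full, root)
        for line in _read(full).splitlines():
            if line.lstrip().startswith("#"):
                continue
            for p in PATH_RE.findall(line):
                record(rel, p)
    return findings


def build_sample_root() -> str:
    """Construct a throwaway fake appliance root (demo only, not a real image)."""
    root = tempfile.mkdtemp(prefix="appliance-")
    files = {
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/systemd/system/updater.service":
            "[Unit]\nDescription=updater\n[Service]\nExecStart=/var/tmp/.cache/updater -d\n"
            "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
        "etc/rc.local": "#!/bin/sh\n/usr/bin/logger boot\nnohup /dev/shm/.x/agent >/dev/null 2>&1 &\nexit 0\n",
        "etc/rc.conf": 'sshd_enable="YES"\nlocal_startup="/usr/local/etc/rc.d /home/.cache/rc.d"\n',
        "etc/init.d/cron": "#!/bin/sh\n. /lib/lsb/init-functions\n"
                           "start-stop-daemon --start --exec /usr/sbin/cron --pidfile /var/run/crond.pid\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, path, verdict in audit_persistence(build_sample_root()):
        print(f"{verdict:20} {rel:40} -> {path}")
```

Each hit is a lead, not a verdict: compare the flagged file’s mtime against the appliance’s last vendor patch, and hash the referenced binary against the vendor image before deciding. Running against a mounted image rather than the live appliance avoids trusting the very system under suspicion for the answer.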

A main goal of the campaign is to access the email of key individuals within the victim organization, such as developers, system administrators, and people involved in matters aligned with China’s economic and espionage interests. BRICKSTORM’s SOCKS proxy feature is used to create tunnels and directly access applications of interest to the attackers.

Google has also released a shell script scanner that potential victims can run on Linux- and BSD-based appliances and systems to determine whether they are affected by BRICKSTORM activity; it flags files that match known signatures of the malware.

“The BRICKSTORM campaign represents a critical threat because of its sophistication, its evasion of advanced enterprise security defenses, and its high-value targets,” said Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, in a statement shared with The Hacker News.

“The access obtained by UNC5221 allows them to pivot to the downstream customers of compromised SaaS providers and to discover zero-day vulnerabilities in enterprise technology, which can be used in future attacks.”


© 2025 news.fyself.