Fyself News
CISA reports Chinese hackers are using BRICKSTORM for long-term access to US systems

By user, December 5, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor called BRICKSTORM that state-sponsored attackers from the People’s Republic of China (PRC) are using to maintain access to compromised systems for extended periods of time.

“BRICKSTORM is an advanced backdoor for VMware vSphere and Windows environments,” the agency said. “BRICKSTORM enables cyber attackers to maintain stealth access and provides initiation, persistence, and secure command and control capabilities.”

The implant, a custom backdoor written in Go (Golang), essentially gives the attacker interactive shell access on the system, allowing them to browse, upload, download, create, delete, and manipulate files.

The malware has primarily been used in attacks targeting the government and information technology (IT) sectors. It supports multiple command-and-control (C2) protocols, such as HTTPS, DNS-over-HTTPS (DoH), WebSockets, and nested Transport Layer Security (TLS), to hide its communications and blend in with normal traffic. It can also act as a SOCKS proxy to facilitate lateral movement.

CISA did not say how many government agencies were affected or what type of data was stolen. The activity represents a continued evolution in the tactics of the Chinese hacking group, which keeps attacking edge network devices to penetrate networks and cloud infrastructure.

In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, saying the Chinese government “does not encourage, support or condone cyber attacks.”


BRICKSTORM was first documented by Google Mandiant in 2024 in connection with the zero-day exploitation of vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). Use of the malware is attributed to two clusters: one tracked as UNC5221, and a newer China-linked adversary tracked by CrowdStrike as Warp Panda.

In early September of this year, Mandiant and the Google Threat Intelligence Group (GTIG) reported that UNC5221 and other closely related threat activity clusters were targeting the US legal services, software-as-a-service (SaaS) provider, business process outsourcing (BPO), and technology sectors to deliver the malware.

According to CISA, the malware’s main feature is its ability to automatically reinstall or restart through self-monitoring capabilities, allowing it to continue operating in the face of potential interruptions.

In one case detected in April 2024, an attacker allegedly used a web shell to access a web server in an organization’s demilitarized zone (DMZ) and then laterally moved to an internal VMware vCenter server to implant BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed.

Attackers have also been found to use this access to obtain service account credentials and use Remote Desktop Protocol (RDP) to move laterally to domain controllers in the DMZ to obtain Active Directory information. During the compromise, the attackers were able to obtain credentials for a managed service provider (MSP) account and used those credentials to jump from an internal domain controller to a VMware vCenter server.

CISA said the attackers also used Server Message Block (SMB) to move laterally from the web server to two jump servers and one Active Directory Federation Services (ADFS) server, stealing encryption keys from the latter. Access to vCenter ultimately allowed the attacker to escalate privileges and then deploy BRICKSTORM.

“BRICKSTORM uses custom handlers to configure SOCKS proxies, create web servers on compromised systems, and execute commands on compromised systems,” it said, adding that some artifacts “use the Virtual Sockets (VSOCK) interface to enable VM-to-VM connectivity and are designed to work in virtualized [virtual machine] environments to communicate, facilitate data retrieval, and maintain persistence.”

Warp Panda uses BRICKSTORM against US corporations

In its analysis of Warp Panda, CrowdStrike said it detected multiple intrusions targeting the VMware vCenter environments of U.S.-based legal, technology, and manufacturing companies this year, leading to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022.

“Warp Panda has demonstrated advanced technical capabilities, advanced operational security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments,” the company said. “Warp Panda exhibits a high level of stealth and is almost certainly focused on maintaining persistent, long-term covert access to compromised networks.”

Evidence suggests that the hacking group first gained access to one entity in late 2023. Also deployed in the attack alongside BRICKSTORM were two previously undocumented Golang implants, Junction and GuestConduit, on ESXi hosts and guest VMs respectively.

Junction acts as an HTTP server that listens for incoming requests and supports a wide range of functionality, including executing commands, proxying network traffic, and interacting with guest VMs over VM sockets (VSOCK). GuestConduit, on the other hand, is a network traffic tunneling implant that resides inside the guest VM and establishes a VSOCK listener on port 5555. Its primary role is to facilitate communication between guest VMs and the hypervisor.
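A VSOCK listener inside a guest VM is rare enough on ordinary workloads to be worth hunting for. The following is an added example (not CISA's, CrowdStrike's or any vendor's code) that parses the output of iproute2's `ss -l --vsock -n` and flags listeners, with the port-5555 indicator from the article called out explicitly; the column layout, the `v_str`/`v_dgr` Netid values and the sample output are assumptions, and the sample is constructed, not captured from a real host.

```python
"""Hunt for VSOCK listeners in a Linux guest VM (added example, not vendor code).

Assumed input format is `ss -l --vsock -n` from iproute2, i.e. rows of
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
"""
import subprocess
from dataclasses import dataclass

# Port the article names for GuestConduit's VSOCK listener.
GUESTCONDUIT_PORT = 5555


@dataclass
class VsockListener:
    netid: str   # "v_str" (stream) or "v_dgr" (datagram), as printed by ss
    cid: str     # local context ID; "*" means any CID
    port: int


def parse_ss_vsock(output: str) -> list[VsockListener]:
    """Turn `ss -l --vsock -n` text into listener records; non-vsock rows are ignored."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("v_"):
            continue  # header line, blank line, or not a vsock socket
        netid, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):  # UNCONN is how ss shows bound datagram sockets
            continue
        cid, _, port = local.rpartition(":")
        if port.isdigit():
            listeners.append(VsockListener(netid, cid, int(port)))
    return listeners


def suspicious_listeners(listeners, allowed_ports=frozenset()):
    """Return (listener, reason) pairs for everything not on the site's allow-list."""
    hits = []
    for lsn in listeners:
        if lsn.port in allowed_ports:
            continue
        reason = "matches GuestConduit port" if lsn.port == GUESTCONDUIT_PORT else "unexpected vsock listener"
        hits.append((lsn, reason))
    return hits


def scan_live(allowed_ports=frozenset()):
    """Run ss on this host (requires iproute2 with vsock support) and report hits."""
    out = subprocess.run(["ss", "-l", "--vsock", "-n"], capture_output=True, text=True, check=False).stdout
    return suspicious_listeners(parse_ss_vsock(out), allowed_ports)


# Constructed sample output for offline use; the CID 3 / port 977 row is a made-up benign entry.
SAMPLE = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
v_str LISTEN 0      0                *:5555            *:*
v_str LISTEN 0      0                3:977             *:*
"""

if __name__ == "__main__":
    for lsn, why in suspicious_listeners(parse_ss_vsock(SAMPLE), allowed_ports={977}):
        print(f"{lsn.netid} cid={lsn.cid} port={lsn.port}: {why}")
```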

Initial access involves exploiting an internet-facing edge device and then moving into the vCenter environment using valid credentials or by exploiting a vulnerability in vCenter. Lateral movement is achieved using SSH and the privileged vCenter management account ‘vpxuser’. The group also used Secure File Transfer Protocol (SFTP) to move data between hosts.

Some of the exploited vulnerabilities are listed below.

The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM is used to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs under the guise of benign vCenter processes.

Similar to the details shared by CISA, CrowdStrike noted that the attackers used access to the vCenter server to clone domain controller VMs, possibly with the goal of harvesting the Active Directory Domain Services database. Threat actors have also been found accessing the email accounts of employees who work in fields aligned with the interests of the Chinese government.

“Warp Panda likely used its access to one of the compromised networks to conduct rudimentary reconnaissance against government agencies in the Asia-Pacific region,” the company said. “We were also connected to various cybersecurity blogs and Mandarin GitHub repositories.”


Another important aspect of Warp Panda’s work is its focus on establishing persistence and accessing sensitive data in cloud environments. CrowdStrike characterized it as a “cloud-aware adversary” and said the attackers exploited access to companies’ Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange.

In at least one incident, the hackers obtained user session tokens by exfiltrating browser files, tunneled traffic through the BRICKSTORM implant to access Microsoft 365 services via session replay, and downloaded SharePoint files related to the organization’s network engineering and incident response teams.

The attackers also established additional persistence, such as registering new multi-factor authentication (MFA) devices through the Authenticator app after initially logging into a user account. In another intrusion, they used the Microsoft Graph API to enumerate service principals, applications, users, directory roles, and emails.

“The adversary is primarily targeting organizations in North America, maintains continued covert access to compromised networks, and is likely to support intelligence gathering activities aligned with China’s strategic interests,” CrowdStrike said.
