home.social

#brickstorm — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #brickstorm, aggregated by home.social.

  1. VMware vSphere Ecosystem Targeted by BRICKSTORM Malware Attacks

    Imagine an attacker sneaking past your trusted operating system and into the hidden infrastructure that powers your virtual machines - that's the risk posed by BRICKSTORM malware, which targets the VMware vSphere ecosystem. This stealthy threat allows adversaries to operate undetected, evading traditional endpoint tools by establishing…

    osintsights.com/vmware-vsphere

    #Brickstorm #Vmware #Vsphere #VcenterServerAppliance #Esxi

  2. BRICKSTORM Backdoor

    "The Cybersecurity and Infrastructure Security Agency (CISA) analyzed eight BRICKSTORM samples obtained from victim organizations. BRICKSTORM is a custom Executable and Linkable Format (ELF) Go-based backdoor. "

    MISP standard and STIX files available at the following location:

    🔗 cti-transmute.org/convert/deta

    @misp
    @cisacyber

    #backdoor #cti #brickstorm #malware #threatintel #threatintelligence #cybersecurity

  3. Brickstorm – backdoor po cichu wykradający dane z systemów amerykańskich organizacji

    Brickstorm to backdoor napisany w Go. Pierwsze wzmianki o nim pojawiły się w kwietniu 2024 roku. Malware pełnił funkcję serwera WWW, narzędzia do manipulacji plikami, droppera, przekaźnika SOCKS oraz narzędzia do wykonywania poleceń powłoki. Badacze przypisali te ataki klastrowi aktywności grupy UNC5221, znanej z wykorzystywania podatności typu zero-day w produktach...

    #WBiegu #Awareness #Backdoor #Brickstorm

    sekurak.pl/brickstorm-backdoor

  4. "Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.

    We attribute this activity to UNC5221 and closely related, suspected China-nexus threat clusters that employ sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances. While UNC5221 has been used synonymously with the actor publicly reported as Silk Typhoon, GTIG does not currently consider the two clusters to be the same.

    These intrusions are conducted with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools. The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average. Mandiant strongly encourages organizations to reevaluate their threat model for appliances and conduct hunt exercises for this highly evasive actor. We are sharing an updated threat actor lifecycle for BRICKSTORM associated intrusions, along with specific and actionable steps organizations should take to hunt for and protect themselves from this activity."

    cloud.google.com/blog/topics/t

    #CyberSecurity #China #Surveillance #Brickstorm #Malware #USA #ZeroDays

  5. Google China-linked hackers (#UNC5221) are targeting US SaaS and tech firms using the new BRICKSTORM malware, exploiting zero-day flaws, Mandiant has found.

    Read: hackread.com/china-hackers-hit

    #CyberSecurity #BRICKSTORM #0Day #InfoSec #APT #CyberAttack

  6. Chinese threat actor UNC5221 has significantly upgraded their BRICKSTORM malware with triple-layer encryption that renders most security monitoring ineffective, according to NVISO Security. Now targeting both Linux and Windows environments, this sophisticated threat uses traffic tunneling instead of direct command execution to avoid detection. European strategic industries are primary targets.

    #SecurityLand #CyberWatch #CyberSecurity #ThreatIntelligence #APT #Brickstorm

    security.land/brickstorm-malwa

  7. Happy Tuesday everyone!

    In Part 4 of the "Investigating Ivanti" series, the Mandiant (now part of Google Cloud) researchers highlight how the adversaries were able to laterally move through the environment to the vCenter server. From there they created three virtual machines mimicking their naming convention to blend in with the environment they were in. Leveraging another masquerading technique, UNC5221 then downloaded their backdoor, #Brickstorm, and named it "vami-http" which looks like a legitimate vCenter process. As always, this was a very interesting read but take a look for yourself to see the details I didn't mention. Enjoy and Happy Hunting!

    Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
    cloud.google.com/blog/topics/t

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday