Hidden “BRICKSTORM” Backdoor Uncovered in Network Framework







Stealthy “BRICKSTORM” Backdoor Imperils Network Infrastructure

Quick Read

  • BRICKSTORM is a surveillance malware linked to the China-associated UNC5221 APT.
  • Developed in Go, it averages a dwell time of 393 days.
  • Targets network devices such as firewalls and virtualization platforms.
  • Utilizes obfuscation and unique C2 domains for stealth.
  • Aimed at data exfiltration and geopolitical surveillance.
  • Possible connections to Silk Typhoon or Hafnium APT factions.
  • Mandiant provides a BRICKSTORM detection utility on GitHub.

The BRICKSTORM Threat Landscape

Google’s Threat Intelligence Group (GTIG) and Mandiant have published their analysis of a sophisticated backdoor surveillance malware named BRICKSTORM. Attributed to the Chinese UNC5221 advanced persistent threat (APT), the malware has been operational since March and has remained undetected in compromised networks for an average of 393 days.

Focus on Network Infrastructure

BRICKSTORM specifically targets network devices like firewalls, virtual private network (VPN) concentrators, and virtualization platforms such as VMware vCenter. These intrusions are designed to secure long-term, covert access, installing backdoors on devices that typically lack endpoint detection and response (EDR) capabilities.

Stealth and Obfuscation Techniques

This malware employs obfuscation methods, uses disposable command and control (C2) domains, and integrates fluidly with device workflows, thus complicating detection efforts. Such tactics enable it to avoid typical security defenses.

Espionage and Data Exfiltration

BRICKSTORM is built for data exfiltration, tunnelling traffic over the SOCKS proxy protocol to bypass firewalls and other security controls. It also supports geopolitical surveillance and theft of intellectual property, which in turn aids the development of exploits. Among the sensitive information collected are administrator mailboxes from compromised systems.

Relation to Other APT Groups

While BRICKSTORM’s operations suggest links to known factions like Silk Typhoon or Hafnium, Google-Mandiant proposes that it may represent a separate APT due to its specific targeting strategies.

Efforts in Detection

Mandiant has taken significant steps to facilitate detection by releasing a BRICKSTORM scanning Bash script on GitHub, suitable for Linux and BSD-based systems, offering an invaluable resource for cybersecurity experts.
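The page does not describe how Mandiant's scanner works, so the following is an added triage helper written for this article, not Mandiant's tool and not a BRICKSTORM signature. It uses two facts from the page, that the backdoor is written in Go and that the affected appliances are Linux- or BSD-based hosts without EDR, to list ELF binaries under a directory that carry Go toolchain markers, narrowing what a responder must inspect by hand; legitimate Go software on the appliance will be listed too, so every hit still needs review against vendor file manifests.

```shell
#!/bin/sh
# Added example: list ELF binaries that look Go-built, for manual triage on
# Linux/BSD appliances. POSIX sh; needs only find, head, od, tr and grep.

is_elf() {
  # An ELF file starts with the bytes 7f 45 4c 46 ("\177ELF").
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "7f454c46" ]
}

has_go_markers() {
  # Go binaries embed a build-info header, runtime symbol names and the
  # pclntab section name; these survive in stripped builds as well.
  grep -qa -e 'Go buildinf' -e 'runtime\.goexit' -e '\.gopclntab' "$1"
}

find_go_binaries() {
  # Usage: find_go_binaries /path/to/dir  -> one matching path per line.
  find "$1" -type f 2>/dev/null | while read -r f; do
    if is_elf "$f" && has_go_markers "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Stand-alone use: scan the usual binary locations on the appliance.
if [ "${1:-}" != "" ]; then
  find_go_binaries "$1"
fi
```

Run as `sh scan.sh /usr/local/bin` (or another directory); hashing and checking each listed file against the vendor's manifest is the follow-up step.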

Conclusion

The identification of the BRICKSTORM backdoor underlines the changing threat landscape in cyber espionage aimed at network infrastructure. With its extended persistence and intricate stealth strategies, it presents a considerable challenge for detection and countermeasures.

Q: What is BRICKSTORM?

A: BRICKSTORM is a surveillance malware associated with the China-linked UNC5221 APT, recognized for its prolonged persistence in networks and stealth methods.

Q: Why is BRICKSTORM challenging to detect?

A: It uses obfuscation, disposable C2 domains, and seamlessly integrates with device workflows to evade detection.

Q: What are the main targets of BRICKSTORM?

A: It targets network appliances such as firewalls and virtualization platforms, and organizations in sectors such as legal services, business process outsourcing (BPO) firms, and SaaS providers.

Q: How can organizations defend against BRICKSTORM?

A: By utilizing advanced detection tools such as the BRICKSTORM scanning script from Mandiant and enhancing network security protocols.

Q: Is BRICKSTORM connected to any other APT groups?

A: It may be associated with groups like Silk Typhoon or Hafnium, but it also shows distinctive targeting patterns indicating a separate APT.

Q: What is the primary goal of BRICKSTORM?

A: The primary goal is data exfiltration, along with geopolitical espionage and theft of intellectual property.
