
"This has in many cases made it difficult for the researchers to establish the initial access vector, but in at least one case the threat actor is believed to have exploited an Ivanti product zero-day vulnerability. The attackers have deployed the BrickStorm malware on various types of appliances, many of which do not support traditional EDR and other security solutions. Mandiant has seen BrickStorm on Linux- and BSD-based appliances."
""While BRICKSTORM has been found on many appliance types, UNC5221 consistently targets VMware vCenter and ESXi hosts. In multiple cases, the threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems," Mandiant explained. "The actor moved laterally to a vCenter server in the environment using valid credentials, which were likely captured by the malware running on the network appliances.""
Chinese-affiliated cyber actors deployed the BrickStorm backdoor to maintain long-term access to high-value networks in the legal services, SaaS, technology, and BPO sectors. Operators averaged 393 days of dwell time, which complicated identification of the initial access vector, though at least one intrusion likely exploited an Ivanti product zero-day. BrickStorm was deployed to diverse network appliances, many of which cannot run traditional EDR or other security agents, and has been observed on Linux- and BSD-based devices. The compromised appliances were used to capture credentials and then to move laterally to VMware vCenter and ESXi hosts, where the attackers logged in with those valid credentials to pivot and persist. The activity has been tracked since March 2025 and is attributed to UNC5221 and related Chinese actors.
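The practical lesson from the pattern above is that the vCenter and ESXi logons were legitimate from the authentication system's point of view: valid credentials, successful result. What distinguishes them is the source. Management-plane appliances (VPN gateways, load balancers and similar) have no business initiating logons to vCenter or ESXi, so a hunt that joins successful hypervisor-layer authentications against the address ranges of those appliances surfaces exactly this lateral movement. The script below is an added example written for this page, not code from the SecurityWeek article or from Mandiant; the log line layout, the `APPLIANCE_NETS` ranges and the sample events are all constructed assumptions, so map your real SSO or hostd authentication events into the same fields before running it.

```python
"""Hunt for vCenter/ESXi logons that originate from network-appliance addresses.

Added example, not from the article or from Mandiant. The record layout,
the appliance subnets and the sample log below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: subnets that hold management-plane appliances which should never
# be the source of a vCenter or ESXi logon. Replace with your own inventory.
APPLIANCE_NETS = [ip_network("10.9.0.0/24"), ip_network("10.9.1.0/24")]

# Targets whose logons we care about; matches the VMware pivot described above.
HYPERVISOR_TARGETS = {"vcenter", "esxi"}

# Constructed sample: "<iso-timestamp> <source-ip> <user> <target> <result>".
# This is NOT the real vCenter/ESXi log format; normalise real events into it.
SAMPLE_LOG = """\
2025-03-12T02:14:07Z 10.9.0.17 administrator@vsphere.local vcenter SUCCESS
2025-03-12T02:15:30Z 10.20.4.55 jdoe@corp.example vcenter SUCCESS
2025-03-12T02:16:02Z 10.9.0.17 root esxi FAILURE
2025-03-12T02:16:40Z 10.9.0.17 root esxi SUCCESS
2025-04-01T11:03:19Z 10.9.1.8 administrator@vsphere.local vcenter SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    target: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed five-field format; skips blank and malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts_raw, src, user, target, result = parts
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        events.append(AuthEvent(ts, src, user, target.lower(), result.upper() == "SUCCESS"))
    return events


def from_appliance(ip: str) -> bool:
    """True when the address falls inside any appliance subnet."""
    addr = ip_address(ip)
    return any(addr in net for net in APPLIANCE_NETS)


def suspicious_logons(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful vCenter/ESXi logons sourced from an appliance address.

    Failed attempts are left out on purpose: the pattern of interest is the
    use of already-captured valid credentials, which succeed on the first try.
    """
    return [
        e for e in events
        if e.success and e.target in HYPERVISOR_TARGETS and from_appliance(e.src_ip)
    ]


def summarize(hits: list[AuthEvent]) -> dict:
    """Per-source counts plus first/last seen, a rough lower bound on dwell time."""
    if not hits:
        return {"by_source": {}, "first_seen": None, "last_seen": None, "span_days": 0}
    first = min(h.ts for h in hits)
    last = max(h.ts for h in hits)
    return {
        "by_source": dict(Counter(h.src_ip for h in hits)),
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "span_days": (last - first).days,
    }


if __name__ == "__main__":
    hits = suspicious_logons(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h.ts.isoformat()} {h.src_ip} -> {h.target} as {h.user}")
    print(summarize(hits))
```

The `span_days` figure is only a lower bound on dwell: it measures the window between the first and last appliance-sourced hypervisor logon that survived in the logs, and the dwell times reported above were far longer than most appliance or vCenter log retention. Treat a single hit as worth a full investigation of the source appliance rather than waiting for a count threshold.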
Read at SecurityWeek