
""BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said. "BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control." Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files."
"The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen."
"In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks." BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters tracked as UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda."
CISA released details of BRICKSTORM, a sophisticated backdoor targeting VMware vSphere and Windows environments. BRICKSTORM is written in Golang and provides interactive shell access and comprehensive file operations, enabling actors to browse, upload, download, create, delete, and manipulate files. For command-and-control the implant supports HTTPS, WebSockets and nested TLS, uses DNS-over-HTTPS to resolve its infrastructure while blending in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. The malware has primarily targeted government and information technology sectors; it was first documented by Google Mandiant in 2024 in attacks linked to exploitation of Ivanti Connect Secure zero-days (CVE-2023-46805 and CVE-2024-21887). Attribution points to the cluster UNC5221 and a China-nexus actor tracked by CrowdStrike as Warp Panda; CISA did not say how many agencies were affected or what data was taken, and China denied involvement.
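The C2 behaviours listed above (DNS-over-HTTPS to hide name resolution, long-lived HTTPS/WebSocket sessions, regular polling from a management-plane host) are what a defender can actually look for in egress logs. The following is an added example, not code from CISA, Mandiant, CrowdStrike or The Hacker News. The log schema, the sample lines, the management host set and the egress allowlist are all constructed for the example; the resolver list is simply the well-known public DoH endpoints, used on the assumption that a vCenter or ESXi host never has a legitimate reason to resolve names through them, not because any of them is a published indicator for BRICKSTORM. The periodicity check goes beyond the article: it is a generic beaconing heuristic, included because "blend in with normal traffic" usually fails on timing before it fails on content.

```python
"""
Egress triage for BRICKSTORM-style C2: DoH to public resolvers, unapproved
HTTPS/WebSocket egress and periodic contact from vSphere management hosts.
Added example with constructed data; see the assumptions in the comments.
"""
import csv
import io
from collections import defaultdict

# Well-known public DoH endpoints. Assumption: a management-plane host has no
# legitimate reason to resolve names through any of them.
PUBLIC_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "one.one.one.one",
    "dns.quad9.net", "doh.opendns.com",
}

# Constructed: hosts that make up the vSphere management plane.
MANAGEMENT_HOSTS = {"vcenter01", "esxi01", "esxi02"}

# Constructed: the only external names those hosts are expected to contact.
ALLOWED_EXTERNAL = {"hostupdate.vmware.com", "vapp-updates.vmware.com"}

# Beaconing heuristic: at least MIN_SAMPLES contacts whose spacing varies by
# no more than JITTER_TOLERANCE seconds.
MIN_SAMPLES = 3
JITTER_TOLERANCE = 10

# Constructed egress log (proxy or firewall export), one connection per line.
SAMPLE_LOG = """\
ts,src_host,dst_host,dst_port,proto,bytes_out
1700000000,workstation17,dns.google,443,https,812
1700000010,vcenter01,hostupdate.vmware.com,443,https,4096
1700000020,vcenter01,cloudflare-dns.com,443,https,640
1700000080,vcenter01,cloudflare-dns.com,443,https,633
1700000140,vcenter01,cloudflare-dns.com,443,https,651
1700000150,vcenter01,cdn-edge.example.net,443,wss,15000
1700000160,esxi02,dns.quad9.net,443,https,700
"""


def parse_log(text):
    """Parse the CSV export into dicts with numeric timestamp, port and bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = int(row["ts"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def find_doh_from_management(rows):
    """Management-plane hosts talking to a public DoH resolver."""
    return [r for r in rows
            if r["src_host"] in MANAGEMENT_HOSTS
            and r["dst_host"] in PUBLIC_DOH_HOSTS]


def find_unapproved_egress(rows):
    """Management-plane hosts reaching an external name that is neither
    allowlisted nor a DoH resolver (the latter is reported by the DoH check)."""
    return [r for r in rows
            if r["src_host"] in MANAGEMENT_HOSTS
            and r["dst_host"] not in ALLOWED_EXTERNAL
            and r["dst_host"] not in PUBLIC_DOH_HOSTS]


def find_periodic_pairs(rows):
    """(src, dst) pairs contacted on a near-constant interval, which is what a
    polling implant looks like even when each individual request seems benign."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src_host"], r["dst_host"])].append(r["ts"])
    periodic = set()
    for pair, times in by_pair.items():
        if len(times) < MIN_SAMPLES:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= JITTER_TOLERANCE:
            periodic.add(pair)
    return periodic


def triage(text):
    """Run all three checks; return sorted, deduplicated (rule, src, dst) tuples."""
    rows = parse_log(text)
    findings = set()
    for r in find_doh_from_management(rows):
        findings.add(("doh-from-management", r["src_host"], r["dst_host"]))
    for r in find_unapproved_egress(rows):
        findings.add(("unapproved-egress", r["src_host"], r["dst_host"]))
    for src, dst in find_periodic_pairs(rows):
        if src in MANAGEMENT_HOSTS:
            findings.add(("periodic-contact", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

On the constructed log the workstation's DoH lookup is ignored (user endpoints may legitimately use DoH), the vCenter's vendor update fetch is allowlisted, and three findings remain for triage: two management hosts using public DoH resolvers, a WebSocket session to an unknown external name, and the same vCenter contacting one resolver every 60 seconds. Tune MANAGEMENT_HOSTS, ALLOWED_EXTERNAL and the jitter tolerance to the environment before running it over real exports.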
Read at The Hacker News