
"The backdoor works across Linux, VMware, and Windows environments, and while Andersen declined to attribute the malware infections to a specific People's Republic of China cyber group, he said it illustrates the threat PRC crews pose to US critical infrastructure. "State-sponsored actors are not just infiltrating networks," Andersen said. "They're embedding themselves to enable long-term access, disruption, and potential sabotage.""
"In one incident that CISA responded to, the PRC goons gained access to the organization's internal network in April 2024, uploaded Brickstorm to an internal VMware vCenter server, and used the backdoor for persistent access until at least September 3. While in the victim's network, the crew also gained access to two domain controllers and an Active Directory Federation Services server, which they used to steal cryptographic keys."
China-linked actors used the Brickstorm backdoor to maintain prolonged, persistent access to critical networks and IT organizations. CISA, the NSA, and the Canadian Cyber Security Centre issued a joint alert after discovering infections in at least eight government and IT organizations, with additional victims likely. Brickstorm operates across Linux, VMware, and Windows environments and enabled long-term presence, data theft, and compromise of identity infrastructure. In a tracked incident, operators uploaded Brickstorm to an internal VMware vCenter server, retained access for months, and accessed domain controllers and an ADFS server to steal cryptographic keys.
Read at The Register