State-Sponsored Actors Leverage Backdoor Malware, CISA Warns
Briefly

"the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs."
"What's especially alarming about this campaign is that it targets the virtualization layer itself, not the OS or applications, which historically receives less attention. Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses (like EDR), because these often don't monitor hypervisor behavior or VM snapshot manipulation."
"For defenders, the implications are stark: if you run VMware vSphere or ESXi, particularly with vCenter exposed internally or weakly segmented, you are directly in scope. This means organizations must treat virtualization infrastructure as a critical attack surface with the same urgency as public‑facing apps or legacy enterprise systems."
CISA, the NSA, and the Canadian Centre for Cyber Security attribute BRICKSTORM use to PRC‑linked state-sponsored cyber actors who deploy the backdoor for long-term persistence across VMware vSphere (vCenter and ESXi) and Windows environments. After compromise, actors can access the vCenter management console to steal cloned virtual machine snapshots for credential extraction and create hidden rogue VMs. The campaign targets the virtualization layer rather than guest OS or applications, allowing attackers to bypass many endpoint defenses that do not monitor hypervisor behavior or snapshot manipulation. Organizations with vCenter exposed or weakly segmented face elevated risk; one compromise persisted from April 2024 to September 2025.
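Two defender-side checks that follow from the summary above, written as an added example (not code from CISA, the NSA, or Security Magazine): flag clone or snapshot operations against credential-bearing VMs by accounts outside an expected set, and reconcile the VMs running on each ESXi host against the vCenter inventory so unregistered (rogue) VMs surface. The event records, VM names, account names, and operation labels are constructed samples in a simplified schema; in practice the inputs come from vCenter's event log and a per-host VM listing.

```python
# Added example: two detections for the vCenter abuse described above.
# All names and the record schema below are constructed for illustration.
SENSITIVE_VMS = {"dc01", "dc02", "adfs01"}          # constructed: VMs whose disks hold credentials
EXPECTED_OPERATORS = {"svc_backup"}                  # constructed: accounts allowed to snapshot/clone them
SUSPECT_OPERATIONS = {"clone", "snapshot.create"}    # simplified operation labels (assumption, not vCenter's own)


def flag_credential_theft_events(events):
    """Return clone/snapshot events on a sensitive VM by an account outside the expected set."""
    return [e for e in events
            if e["operation"] in SUSPECT_OPERATIONS
            and e["vm"].lower() in SENSITIVE_VMS
            and e["user"].lower() not in EXPECTED_OPERATORS]


def find_unregistered_vms(host_vms, vcenter_inventory):
    """Return (host, vm) pairs for VMs running on an ESXi host but missing from vCenter's inventory.

    host_vms: {host_name: [vm_name, ...]} as listed on each host directly;
    vcenter_inventory: set of VM names vCenter knows about.
    A VM that a host runs but vCenter does not list is a candidate rogue VM.
    """
    registered = {v.lower() for v in vcenter_inventory}
    return sorted((host, vm) for host, vms in host_vms.items()
                  for vm in vms if vm.lower() not in registered)


# Constructed sample input: one expected backup snapshot, one clone of a DC by an ordinary user,
# one unrelated power-on, and one VM present on a host that vCenter has no record of.
EVENTS = [
    {"time": "2025-06-02T01:13:00Z", "user": "svc_backup", "operation": "snapshot.create", "vm": "dc01"},
    {"time": "2025-06-02T03:41:00Z", "user": "vsphere.local\\jsmith", "operation": "clone", "vm": "DC01"},
    {"time": "2025-06-02T03:42:00Z", "user": "vsphere.local\\jsmith", "operation": "poweron", "vm": "web01"},
]
HOST_VMS = {"esxi-01": ["dc01", "web01", "svc-mon-tmp"], "esxi-02": ["dc02"]}
VCENTER_INVENTORY = {"dc01", "dc02", "web01", "adfs01"}

if __name__ == "__main__":
    for e in flag_credential_theft_events(EVENTS):
        print("ALERT clone/snapshot of sensitive VM by unexpected account:", e)
    for host, vm in find_unregistered_vms(HOST_VMS, VCENTER_INVENTORY):
        print(f"ALERT VM '{vm}' is running on {host} but is not in the vCenter inventory")
```

Both checks are only as good as their inputs: the host-side VM list must be collected from each ESXi host itself, not from vCenter, or an unregistered VM will never appear in the comparison.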
Read at Securitymagazine