UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors
Briefly

"It's assessed that the objective of BRICKSTORM targeting SaaS providers is to gain access to downstream customer environments or the data SaaS providers host on their customers' behalf, while the targeting of the U.S. legal and technological spheres is likely an attempt to gather information related to national security and international trade, as well as steal intellectual property to advance the development of zero-day exploits."
"Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM. The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News."
UNC5221 and closely related suspected China-nexus clusters deployed the BRICKSTORM backdoor against U.S. legal services, SaaS providers, BPOs, and technology firms to gain persistent access, in some cases for over a year. BRICKSTORM targeting of SaaS providers seeks access to downstream customer environments and customer-hosted data. Targeting of legal and technology sectors aims to collect national-security and international-trade information and to exfiltrate intellectual property to support zero-day exploit development. BRICKSTORM is a Go-based backdoor capable of acting as a web server, manipulating files and directories, uploading and downloading files, executing shell commands, and operating as a SOCKS relay over WebSocket C2. The backdoor was linked to Ivanti Connect Secure zero-day exploits and has been used against Windows environments in Europe since at least November 2022, while cluster overlaps with other China-aligned groups remain under analysis.
Read at The Hacker News