Malware & Ransomware (HIGH)

vSphere and BRICKSTORM Malware - A Defender's Guide

Source: Mandiant Threat Intel
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, BRICKSTORM malware targets virtual servers, and organizations need to strengthen their defenses.

Quick Summary

BRICKSTORM malware is targeting VMware vSphere environments, threatening critical organizational assets. Companies must adopt hardening strategies to protect against these evolving threats. Understanding the risks is crucial for maintaining security.

What Happened

Recent research from the Google Threat Intelligence Group (GTIG) reveals the emergence of BRICKSTORM malware, which specifically targets the VMware vSphere ecosystem. This malware compromises the vCenter Server Appliance (VCSA) and ESXi hypervisors, posing significant risks to virtualized environments. The attackers exploit weak security architectures rather than relying on vulnerabilities in the software itself.

Who's Affected

Organizations that use VMware vSphere to manage their virtual environments are at risk. This includes businesses that host critical workloads, such as domain controllers and privileged access management solutions, on the vCenter platform. A breach can give attackers administrative control over all managed ESXi hosts and virtual machines.

What Data Was Exposed

Once the VCSA is compromised, attackers can access sensitive data stored in virtual machines while bypassing the security controls inside the guests. They can manipulate virtual machines, reset root credentials, and exfiltrate critical information without detection. The VCSA's role as a central control point makes it a particularly high-value target.

What You Should Do

To protect against BRICKSTORM, organizations should adopt a proactive defense strategy. This includes:

  • Technical Hardening: Implement measures like enabling Secure Boot, firewalls for management interfaces, and disabling shell access to reduce the attack surface.
  • High-Fidelity Signal Analysis: Focus on behavioral patterns rather than relying solely on blocklists of known malicious IPs.
  • Regular Updates: Upgrade from vSphere 7, which reached End of Life in October 2025, to ensure critical security patches are applied.

The Threat

BRICKSTORM malware operates beneath the guest operating system, taking advantage of visibility gaps where traditional, guest-based security measures are ineffective. Operating at this layer lets attackers keep control of the environment for extended periods.

Who's Behind It

While specific threat actors are not identified, the tactics used suggest a sophisticated understanding of virtual environments and their security weaknesses. The malware exploits misconfigurations and weak identity management practices.

Tactics & Techniques

Attackers often leverage the following techniques:

  • Centralized Command: Gaining control over all virtual machines through the VCSA.
  • Data Access: Accessing underlying storage directly, bypassing usual security protocols.
  • Command-Line Gaps: Operating without logging, making detection difficult.

Defensive Measures

Organizations should focus on hardening their vSphere environments by:

  • Implementing Multi-Factor Authentication (MFA) to secure access.
  • Establishing strict role-based access controls to limit permissions.
  • Utilizing encryption for sensitive virtual machines to prevent unauthorized access.

By proactively addressing these vulnerabilities and implementing robust security measures, organizations can significantly reduce their risk of falling victim to BRICKSTORM and similar threats.
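As an added example (not part of the original article or of Mandiant's guidance), the PowerCLI script below performs a read-only audit of a vSphere environment against the hardening points from the two lists above: ESXi version (vSphere 7 is End of Life), ESXi Shell and SSH service state, lockdown mode, Secure Boot enforcement, firewall rulesets that accept connections from any source address, Administrator-role permissions that propagate from the top of the inventory, and encryption of VMs whose names match a "sensitive" pattern. Assumptions: VMware PowerCLI is installed; the vCenter address and the sensitive-VM name pattern are placeholders to be replaced; the service keys TSM and TSM-SSH, the HostLockdownMode values, and the property names returned by `esxcli system settings encryption get` (RequireSecureBoot, RequireExecutablesOnlyFromInstalledVIBs) are taken from the standard vSphere API as the author understands it.

```powershell
# Added example, not from the original article or from Mandiant/GTIG.
# Read-only vSphere hardening audit for the points listed in the summary.
param(
    [string]$VCenter = "vcenter.example.invalid",   # placeholder (assumption)
    [string]$SensitiveVmPattern = "^(dc|pam)-"      # constructed example pattern
)

Connect-VIServer -Server $VCenter | Out-Null

# Collected findings; one row per host/check that deviates from the guidance.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$HostName, [string]$Check, [string]$Detail)
    $findings.Add([pscustomobject]@{ Host = $HostName; Check = $Check; Detail = $Detail })
}

foreach ($h in Get-VMHost) {
    # 1. Version: vSphere 7 reached End of Life in October 2025 (per the article).
    if ($h.Version -like "7.*") {
        Add-Finding $h.Name "Unsupported version" "ESXi $($h.Version) (vSphere 7 is EoL)"
    }

    # 2. Shell access: ESXi Shell (key TSM) and SSH (key TSM-SSH) should be
    #    stopped and not configured to start automatically.
    $shellServices = Get-VMHostService -VMHost $h | Where-Object { $_.Key -in @("TSM", "TSM-SSH") }
    foreach ($svc in $shellServices) {
        if ($svc.Running -or $svc.Policy -ne "off") {
            Add-Finding $h.Name "Shell access" "$($svc.Label) running=$($svc.Running) policy=$($svc.Policy)"
        }
    }

    # 3. Lockdown mode: when disabled, accounts with host permissions can log in
    #    to the ESXi host directly instead of going through vCenter.
    if ($h.ExtensionData.Config.LockdownMode -eq "lockdownDisabled") {
        Add-Finding $h.Name "Lockdown mode" "disabled"
    }

    # 4. Secure Boot enforcement and "execute only installed VIBs", read through
    #    the esxcli V2 interface (property names assumed as noted in the lead-in).
    $esxcli = Get-EsxCli -VMHost $h -V2
    $enc = $esxcli.system.settings.encryption.get.Invoke()
    if ("$($enc.RequireSecureBoot)" -ne "true") {
        Add-Finding $h.Name "Secure Boot" "RequireSecureBoot=$($enc.RequireSecureBoot)"
    }
    if ("$($enc.RequireExecutablesOnlyFromInstalledVIBs)" -ne "true") {
        Add-Finding $h.Name "execInstalledOnly" "RequireExecutablesOnlyFromInstalledVIBs=$($enc.RequireExecutablesOnlyFromInstalledVIBs)"
    }

    # 5. Management-interface firewall: enabled rulesets that accept any source IP.
    foreach ($rule in Get-VMHostFirewallException -VMHost $h | Where-Object { $_.Enabled }) {
        if ($rule.ExtensionData.AllowedHosts.AllIp) {
            Add-Finding $h.Name "Firewall" "$($rule.Name) allows all source IPs"
        }
    }
}

# 6. Role-based access: every principal holding the built-in Administrator role
#    ("Admin") with propagation is effectively a full vSphere administrator.
$admins = Get-VIPermission | Where-Object { $_.Role -eq "Admin" -and $_.Propagate }
foreach ($p in $admins) {
    Add-Finding "(vCenter)" "Propagated Admin role" "$($p.Principal) on $($p.Entity.Name)"
}

# 7. VM encryption: sensitive VMs (by name pattern) without an encryption key.
$unencrypted = Get-VM | Where-Object {
    $_.Name -match $SensitiveVmPattern -and -not $_.ExtensionData.Config.KeyId
}
foreach ($vm in $unencrypted) {
    Add-Finding "(vCenter)" "VM not encrypted" $vm.Name
}

$findings | Sort-Object Host, Check | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it with a read-only vCenter account. The firewall check deliberately reports every enabled ruleset that is open to any source address, so expect to triage the output down to the management rulesets (SSH, the web client, CIM) that the guidance is concerned with. MFA is not queried here because it is enforced at the identity provider configured for vCenter single sign-on, not in the host configuration the script reads.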

🔒 Pro insight: The BRICKSTORM campaign highlights the urgent need for enhanced security protocols in virtualized environments to mitigate persistent threats.
