Particle.news


Google and Mandiant Expose BRICKSTORM Espionage With Yearlong Persistence in U.S. Firms

Operators live on network and virtualization appliances that EDR does not cover, prompting investigators to call for TTP-based hunts rather than reliance on indicators that the actor rotates.

Overview

  • Researchers link the intrusions to UNC5221 and related China-nexus clusters, noting the attribution as an assessment rather than a definitive finding.
  • Average dwell time before detection was 393 days, with operators deleting their samples and rotating command-and-control infrastructure so that forensics and IOC-based detection yield little.
  • Primary victims include legal services, technology companies, SaaS providers and BPOs, with access leveraged to reach downstream customers and hosted data.
  • Tradecraft features a backdoor built for Linux and BSD appliances, consistent targeting of VMware vCenter and ESXi, BRICKSTEAL (an in-memory Java servlet filter on vCenter that captures credentials from authentication requests), cloning of virtual machines such as domain controllers to extract credentials offline without touching the running systems, SOCKS relays for lateral movement, and persistence through the appliances' startup scripts.
  • At least one case involved initial access through an Ivanti Connect Secure zero-day, and Mandiant released a Linux/BSD-compatible scanner script with hunting guidance, while experts warn that many more compromises will be uncovered over the next one to two years.
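The call for TTP-based hunting above can be made concrete for one of the listed techniques, persistence through appliance startup scripts. The script below is an added example written for this page, not the GTIG/Mandiant report's scanner or any code from the report: instead of matching hashes or C2 addresses, it sweeps startup-script locations and flags lines that behave the way the report describes (launching something from a staging directory such as /var/tmp, backgrounding a long-lived process, or setting up an SSH or socat relay). The directory list, the regular expression, the fixture file names and their contents are assumptions constructed for demonstration, not indicators from the report.

```shell
#!/bin/sh
# Added example, not the GTIG/Mandiant scanner: a TTP-based hunt for
# startup-script persistence on a Linux/BSD appliance.

# Startup locations to sweep on a live appliance (assumption: illustrative
# list, extend it for the platform you are hunting on).
STARTUP_DIRS="/etc/rc.local /etc/rc.local.d /etc/init.d /etc/rc.d /etc/systemd/system"

# Lines a stock startup script should not normally contain: execution out of a
# staging directory, detached/background processes, or a hand-rolled relay
# (socat, ssh -D/-R). Assumption: tune for your own baseline.
SUSPICIOUS_RE='(/tmp/|/var/tmp/|/dev/shm/|nohup |setsid |socat |ssh -[A-Za-z]*[DR]|&[[:space:]]*$)'

# hunt_startup_scripts DIR...: prints "path:line:content" for every line in a
# file under DIR that matches SUSPICIOUS_RE. A DIR may also be a single file.
hunt_startup_scripts() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        find "$d" -type f 2>/dev/null | while read -r f; do
            grep -nE "$SUSPICIOUS_RE" -- "$f" 2>/dev/null | sed "s|^|$f:|"
        done
    done
    return 0
}

# make_fixture: builds a constructed sample tree (not real appliance content)
# with one benign rc script and one script that backgrounds a binary staged
# under /var/tmp, the pattern the hunt is meant to surface. Prints the path.
make_fixture() {
    fx_dir=$(mktemp -d)
    mkdir -p "$fx_dir/rc.local.d" "$fx_dir/init.d"
    cat > "$fx_dir/rc.local.d/local.sh" <<'EOF'
#!/bin/sh
# stock placeholder: nothing to start
exit 0
EOF
    cat > "$fx_dir/init.d/S99net-helper" <<'EOF'
#!/bin/sh
# constructed sample of the persistence pattern, not a real indicator
/var/tmp/.cache/nethelper -c /var/tmp/.cache/cfg &
EOF
    printf '%s\n' "$fx_dir"
}

# Demo over the constructed fixture. On a real appliance run, as root:
#   hunt_startup_scripts $STARTUP_DIRS
fixture=$(make_fixture)
hunt_startup_scripts "$fixture/rc.local.d" "$fixture/init.d"
rm -rf "$fixture"
```

The point of the regular expression is that it keys on behaviour rather than on a sample: a replacement payload with a new hash and new C2 still has to be started from somewhere on boot, and that start line looks the same. Expect some benign hits on a busy appliance, so review them against a known-good copy of the same script rather than treating each match as a compromise.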