
Chinese Cyberspies Target VMware vSphere with Advanced Malware

Chinese state-sponsored threat actors are employing a sophisticated Go-based malware, BRICKSTORM, to establish long-term persistence in VMware vCenter and ESXi servers.

Dec 5, 2025

A joint advisory from U.S. and Canadian cybersecurity agencies has revealed that Chinese state-sponsored actors are deploying BRICKSTORM, a Go-based malware, to compromise VMware vCenter and ESXi servers. This sophisticated backdoor enables long-term persistence within victim networks, primarily targeting government services, facilities, and IT sectors. The malware, often remaining undetected for over a year, facilitates lateral movement, data exfiltration, and complete system control. Analysts have detailed its operational methods, including virtualization-aware features and mimicking legitimate web traffic. The agencies also provided critical mitigation strategies to counter these advanced persistent threats.

An illustration of cyber warfare. Credit: networkworld.com

Persistent Threat: Chinese Cyberspies Exploit VMware Vulnerabilities

Chinese state-sponsored threat actors are actively backdooring VMware vCenter and VMware ESXi servers using a bespoke malware program, known as BRICKSTORM. This sophisticated Go-based malware allows attackers to establish and maintain long-term persistence within targeted victim networks. Government services, facilities, and information technology sectors have been the primary targets for these illicit operations.

A recent joint report from the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security has shed light on this evolving threat. These agencies highlight the critical need for organizations to bolster their defenses against such persistent and stealthy attacks. The report underscores the capabilities of these advanced persistent threat groups.

Security researchers from Mandiant and Google’s Threat Intelligence Group first identified BRICKSTORM in September. At that time, Google reported that this particular backdoor remained undetected for an average of 369 days. It was discovered within the networks of various U.S. entities, including legal services firms, SaaS providers, business process outsourcers, and technology companies, indicating a broad targeting strategy.

CISA has independently analyzed eight distinct samples of BRICKSTORM, including one retrieved from a VMware vCenter server where the infection had persisted for over 18 months. This extended presence allowed the attackers to move laterally across the compromised network without detection. Such prolonged access highlights the malware’s effectiveness and the stealthy nature of its deployment.

Deconstructing the Attack Chain: From Web Shell to Domain Control

The incident investigated by CISA revealed a typical attack methodology beginning with the compromise of a public-facing web server. The initial breach method remains unspecified, but it set the stage for subsequent malicious activities. Following the initial compromise, the attackers deployed a web shell, which functions as a remote access backdoor.

This web shell allowed the threat actors to remotely execute commands on the server, providing them with initial control. From the compromised web server, the attackers were able to extract credentials associated with a service account. These stolen credentials were then leveraged to gain access to a domain controller.

Once inside the domain controller, the attackers copied the Active Directory database, a critical repository of network credentials and user information. They subsequently used credentials from a second service account to access another domain controller within the internal network. This enabled them to copy another segment of the Active Directory database, which contained credentials belonging to a managed service provider (MSP).

Utilizing the compromised MSP credentials, the threat actors successfully accessed a VMware vCenter server. This pivotal step allowed them to deploy the BRICKSTORM malware. The malware was placed in the /etc/sysconfig/ directory, cementing their long-term presence within the highly critical virtualization infrastructure.

BRICKSTORM’s Architecture: Designed for Virtualized Environments

Analysts from CISA, NSA, and the Canadian Cyber Center have noted that specific BRICKSTORM samples exhibit virtualization-aware capabilities. These specialized features allow the malware to adapt and operate effectively within virtualized settings. One notable capability is the creation of a virtual socket (VSOCK) interface.

This VSOCK interface is crucial for enabling inter-VM communication, allowing data to be exchanged directly between virtual machines. It also facilitates data exfiltration, making it easier for attackers to extract sensitive information from the compromised environment. The malware’s design demonstrates a deep understanding of virtualized infrastructure.

BRICKSTORM also incorporates self-monitoring mechanisms to ensure its persistence. Upon execution, it checks the environment to confirm it is running as a child process and from a specific, expected path. If the malware detects any deviation or an issue, it can reinstall and re-execute itself, maintaining its foothold despite attempts at remediation.

For its command-and-control (C2) communication, the malware cleverly mimics web server functionality. This tactic allows BRICKSTORM to blend in with legitimate network traffic, making it significantly harder for security systems to detect its malicious activity. This camouflage is a key factor in its ability to remain undetected for extended periods.

Furthermore, BRICKSTORM provides a SOCKS5 proxy, a valuable tool for attackers to tunnel traffic during lateral movement operations. This proxy helps them route their malicious traffic through the compromised host, making it appear as legitimate internal communication. This feature enhances their ability to explore and exploit other systems within the network.

In terms of functionality, BRICKSTORM offers threat actors comprehensive control over the compromised system. It allows them to browse the file system, execute arbitrary shell commands, and manage network connections. This level of control grants attackers the ability to perform a wide range of malicious actions.

CISA analysts elaborated on the malware’s operational specifics. They explained that once a secure connection to the C2 domain is established, Sample 1 of BRICKSTORM utilizes a custom Go package named wssoft2 to manage incoming network connections and process received commands. These commands are then directed to one of three specialized handlers: the SOCKS Handler, the Web Service Handler, or the Command Handler, each responsible for specific functions.

Strengthening Defenses: Key Mitigations Against BRICKSTORM

The joint advisory provides crucial indicators of compromise (IoCs) for the analyzed BRICKSTORM samples, along with YARA and Sigma detection rules. These resources are invaluable for organizations seeking to detect and respond to potential infections. Additionally, the agencies have issued a comprehensive set of recommendations to help organizations harden their defenses.

Organizations should prioritize upgrading their VMware vSphere servers to the latest available versions. Keeping software updated is a fundamental security practice that closes known vulnerabilities before attackers can exploit them. Applying VMware’s official guidance for hardening vSphere environments is also critical to minimize the attack surface.

Taking a detailed inventory of all network edge devices is essential, coupled with rigorous monitoring for any suspicious network connectivity originating from these devices. Edge devices are often entry points for attackers, and their compromise can quickly lead to internal network breaches. Proactive monitoring can help identify and neutralize threats early.

Ensuring proper network segmentation is another vital defense mechanism. This involves configuring network traffic rules to strictly restrict traffic flow from the DMZ (demilitarized zone) to the internal network. This separation prevents attackers who compromise public-facing assets from easily accessing sensitive internal resources.

Disabling Remote Desktop Protocol (RDP) and Server Message Block (SMB) from the DMZ to the internal network is highly recommended. These protocols are frequently abused by attackers for lateral movement and should not be accessible from less secure network segments. Restricting their use significantly reduces the risk of exploitation.
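One way to check that the segmentation and RDP/SMB restrictions described in the two paragraphs above are actually in force is to audit the rule set rather than trust it. The following is an added example, not code from the advisory or the agencies: a small first-match rule evaluator with a weak rule set beside a hardened one, where the zone ranges, rules and addresses are constructed for illustration.

```python
# Added example, not from the advisory: a first-match evaluator for a zone-to-zone
# rule set, used to audit whether the recommended restriction (no RDP 3389/tcp or
# SMB 445/tcp from the DMZ into the internal network) actually holds.
# Zone ranges, rules and addresses are constructed for illustration.
import ipaddress

# Constructed zones; on a real firewall these come from its address objects.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Rule tuple: (src zone, dst zone, proto, dst port or None for any, action).
WEAK_RULES = [
    ("dmz", "internal", "tcp", 443, "allow"),
    ("dmz", "internal", "any", None, "allow"),  # catch-all allow lets 3389/445 through
]
HARDENED_RULES = [
    ("dmz", "internal", "tcp", 443, "allow"),   # only what the app tier needs
    ("dmz", "internal", "any", None, "deny"),   # everything else from the DMZ is dropped
]

def zone_of(ip):
    """Name of the zone containing ip, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule decides; traffic no rule covers is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src, r_dst) != (src, dst):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

# Protocols the advisory says should not be reachable from the DMZ.
LATERAL_MOVEMENT_PORTS = [("tcp", 3389, "RDP"), ("tcp", 445, "SMB")]

def audit_dmz_to_internal(rules, dmz_ip="192.0.2.10", internal_ip="10.0.0.5"):
    """Names of the services above that the rule set still allows from the DMZ."""
    return [name for proto, port, name in LATERAL_MOVEMENT_PORTS
            if evaluate(rules, dmz_ip, internal_ip, proto, port) == "allow"]
```

Running `audit_dmz_to_internal` on the weak set reports both RDP and SMB as reachable, while the hardened set reports nothing, because its trailing deny rule catches everything the explicit allow does not.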

Implementing the principle of least privilege is paramount. This means restricting service accounts to only the permissions absolutely necessary for their intended functions. Overly privileged service accounts are prime targets for attackers, as their compromise can grant extensive access to critical systems and data.

Increasing monitoring for service accounts is also crucial, particularly because these accounts often have elevated privileges and predictable behavior patterns. For instance, if a service account typically runs scans at a specific hour, any activity outside this pattern should trigger immediate alerts and investigation. Unusual activity may indicate compromise.
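The hour-of-day pattern described above can be turned into a simple detection. The following is an added example, not code from the advisory or the agencies: it learns each service account's normal hours and target hosts from a training window of constructed log lines, then flags later events outside that baseline, which catches both the off-hours activity the text mentions and a first-time logon to a domain controller of the kind seen in the attack chain.

```python
# Added example, not code from the advisory or the agencies: learn each service
# account's normal hours and target hosts from a training window of log lines,
# then flag later events outside that baseline. Log format and names are constructed.
from collections import defaultdict
from datetime import datetime

def parse_line(line):
    """Constructed format: '<ISO timestamp> <account> <event> <target host>'."""
    ts, account, event, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "event": event, "host": host}

def build_baseline(lines):
    """Per account: the hours of day (0-23) and the hosts it normally touches."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for rec in map(parse_line, lines):
        base[rec["account"]]["hours"].add(rec["ts"].hour)
        base[rec["account"]]["hosts"].add(rec["host"])
    return base

def find_anomalies(baseline, lines):
    """(record, reasons) for events outside the account's baseline; accounts with no baseline are skipped."""
    flagged = []
    for rec in map(parse_line, lines):
        known = baseline.get(rec["account"])
        if known is None:
            continue
        reasons = []
        if rec["ts"].hour not in known["hours"]:
            reasons.append("hour %02d outside baseline" % rec["ts"].hour)
        if rec["host"] not in known["hosts"]:
            reasons.append("new target host " + rec["host"])
        if reasons:
            flagged.append((rec, reasons))
    return flagged

# Constructed sample logs: svc_backup runs nightly at 02:00 against db01, svc_scan at 22:00.
TRAINING = [
    "2025-11-01T02:00:11 svc_backup logon db01",
    "2025-11-02T02:00:09 svc_backup logon db01",
    "2025-11-01T22:15:00 svc_scan logon scan01",
]
TODAY = [
    "2025-11-03T02:00:14 svc_backup logon db01",   # matches baseline
    "2025-11-03T14:37:52 svc_backup logon dc02",   # daytime, and a domain controller
    "2025-11-03T22:20:00 svc_scan logon scan01",   # matches baseline
]
```

Only the 14:37 logon by svc_backup to dc02 is flagged, with both reasons attached; a real deployment would learn the baseline over weeks and add tolerance for scheduled jobs that drift a few minutes.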

Finally, blocking unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic can significantly reduce unmonitored communications. DoH can encrypt DNS queries, making it harder for network security tools to inspect and block malicious DNS requests. Controlling DoH usage helps maintain visibility over network traffic and prevent data exfiltration.