Chinese state-sponsored threat actors are backdooring VMware vCenter and VMware ESXi servers with a malware program written in Go, allowing them to maintain long-term persistence in victim networks. According to a joint report by the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre), organizations from the government services and facilities and IT sectors have been the primary targets.

The malware program, known in the security industry as BRICKSTORM, was first reported by researchers from Mandiant and Google’s Threat Intelligence Group in September. At the time, Google said the backdoor remained undetected for 369 days on average and was found inside the networks of US legal services firms, SaaS providers, business process outsourcers, and technology companies.

For its part, CISA has thus far analyzed eight separate BRICKSTORM samples, including one collected from a VMware vCenter server of an organization where the infection went undetected for over a year and a half, allowing attackers to move laterally through the network.

From web shell to domain control

In the incident investigated by CISA, the attackers originally compromised a public-facing web server, though it’s unclear through what method. This was followed up by the deployment of a web shell — essentially a web script that serves as a backdoor to enable the attackers to remotely execute commands on the server.

From the web server, the attackers were able to extract credentials for a service account and used it to access a domain controller from where they copied the Active Directory database. Credentials for a second service account were used to access another domain controller on the internal network and copy the AD database, which included credentials used by a managed service provider (MSP).

Using the MSP credentials, the attackers were able to access a VMware vCenter server and deployed the BRICKSTORM malware in the /etc/sysconfig/ directory.

Designed to work in virtualized environments

The CISA, NSA, and Cyber Centre analysts note that some of the BRICKSTORM samples are virtualization-aware and create a virtual socket (VSOCK) interface that enables inter-VM communication and data exfiltration.

The malware also checks the environment upon execution to ensure it’s running as a child process and from a specific path. This is part of a set of self-monitoring capabilities that ensure its persistence by reinstalling and executing itself if it detects something is not running correctly.

The malware mimics web server functionality for its command-and-control (C2) communication to blend in with legitimate traffic. It also provides a SOCKS5 proxy for attackers to tunnel traffic during lateral movement operations.

In terms of features, BRICKSTORM allows threat actors to browse the file system and execute shell commands, providing them with complete control over the compromised system.

“Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package wssoft2 to manage incoming network connections and to process commands it receives,” the CISA analysts said. “Commands are directed to one of three handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.”

Mitigations

The joint advisory includes indicators of compromise for the analyzed samples as well as YARA and Sigma detection rules. The agencies also make the following recommendations:

  • Upgrade VMware vSphere servers to the latest version.
  • Harden your VMware vSphere environments by applying VMware’s guidance.
  • Take inventory of all network edge devices and monitor for any suspicious network connectivity originating from these devices.
  • Ensure proper network segmentation restricts network traffic from the DMZ to the internal network.
  • Disable RDP and SMB from the DMZ to the internal network.
  • Apply the principle of least privilege and restrict service accounts to only needed permissions.
  • Increase monitoring for service accounts, which are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day).
  • Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic to reduce unmonitored communications.
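The service-account recommendation above rests on the fact that such accounts behave predictably, so deviations stand out. The following is an added example, not code from the advisory or the agencies, that builds a per-account baseline (hours of day and source hosts) from a known-good set of logon records and flags later logons that fall outside it; the log format and every account and host name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not from the advisory): timestamp, account, source host.
BASELINE = [
    "2025-01-06T02:00:11 svc_backup srv-backup01",
    "2025-01-07T02:00:09 svc_backup srv-backup01",
    "2025-01-08T02:00:14 svc_backup srv-backup01",
    "2025-01-06T03:30:00 svc_scan srv-scan01",
    "2025-01-07T03:30:02 svc_scan srv-scan01",
]
NEW_EVENTS = [
    "2025-01-09T02:00:10 svc_backup srv-backup01",  # matches baseline: nightly job
    "2025-01-09T14:12:33 svc_backup web-dmz01",     # off-hours and from a DMZ host
    "2025-01-09T03:30:01 svc_scan dc01",            # usual hour, unexpected source host
]

def parse(line):
    ts, account, host = line.split()
    return datetime.fromisoformat(ts), account, host

def build_baseline(lines):
    """Per account: the set of logon hours and the set of source hosts seen."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, account, host in map(parse, lines):
        profile[account]["hours"].add(ts.hour)
        profile[account]["hosts"].add(host)
    return profile

def find_anomalies(baseline, lines):
    """Return (line, reasons) for each logon that deviates from its account's baseline."""
    findings = []
    for line in lines:
        ts, account, host = parse(line)
        prof = baseline.get(account)
        reasons = []
        if prof is None:
            reasons.append("unknown service account")
        else:
            if ts.hour not in prof["hours"]:
                reasons.append(f"hour {ts.hour:02d} outside baseline {sorted(prof['hours'])}")
            if host not in prof["hosts"]:
                reasons.append(f"source {host} not in baseline {sorted(prof['hosts'])}")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in find_anomalies(build_baseline(BASELINE), NEW_EVENTS):
        print(line, "->", "; ".join(reasons))
```

In practice the baseline would be built over weeks of authentication logs rather than a handful of lines, and a hit from a DMZ host against an internal service account is exactly the DMZ-to-internal traffic the segmentation recommendations aim to prevent.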
