• Brickstorm was stealing d

    From Mike Powell@1:2320/105 to All on Fri Sep 26 10:07:04 2025
    Under the radar - Google warns new Brickstorm malware was stealing data from
    US firms for over a year

    Date:
    Thu, 25 Sep 2025 17:05:00 +0000

    Description:
    Chinese state-sponsored actors are at it again targeting legal, SaaS, and government agencies.

    FULL STORY

    US organizations across the legal, technology, SaaS, and business process outsourcing sectors were targeted by a new malware variant named Brickstorm
    for over a year, leading to major data loss, experts have warned.

    Google's Threat Intelligence Group (GTIG) found the threat actors behind the campaign are UNC5221, a suspected China-nexus threat known for stealthy operations and long-term persistence.

    This group first targeted zero-day vulnerabilities in Linux devices and BSD-based appliances, since these are often overlooked in asset inventories
    and excluded from central logging. As such, they make for an ideal foothold
    for the attackers.

    Cyber-espionage

    Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials, and exfiltrate data with minimal telemetry. In some cases, the malware
    remained undetected for more than a year, since the average dwell time was
    said to be a mighty 393 days.

    In many cases, they would pivot from fringe devices to VMware vCenter and
    ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.

    To maintain persistence, they modified startup scripts and deployed webshells that allowed for remote command execution. They cloned sensitive virtual machines without even powering them on, thus avoiding triggering security tools.

    The campaign's objectives appear to span geopolitical espionage, intellectual property theft, and access operations.

    Since legal companies were targeted as well, the researchers suspected
    UNC5221 was interested in US national security and trade topics, while targeting SaaS providers could have been used to pivot into downstream
    customer environments.

    To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques, and procedures (TTPs) rather than atomic indicators,
    which have proven unreliable due to the actors' operational discipline.

    The researchers urged businesses to update asset inventories, monitor
    appliance traffic, and enforce multi-factor authentication.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/under-the-radar-google-warns-new-brickstorm-malware-was-stealing-data-from-us-firms-for-over-a-year

    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)