The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a new threat: Chinese state-linked hackers are using the Brickstorm malware to backdoor VMware vSphere servers, creating hidden virtual machines and stealing sensitive data. The backdoor wraps its traffic in multiple layers of encryption and uses a self-monitoring routine to keep itself running, which is how it maintains persistence.
In an incident CISA investigated in April 2024, the attackers compromised a web server, moved laterally to internal systems, and deployed the malware. They also copied Active Directory database information and took backups of systems, using both to harvest legitimate credentials and sensitive data.
To detect this threat, CISA advises defenders to scan for Brickstorm backdoor activity using the YARA and Sigma rules the agency has published, to block DNS-over-HTTPS (DoH) providers that the organization has not explicitly approved, and to monitor network edge devices for suspicious activity. The joint advisory urges organizations to report any detected activity as required by law and applicable policies.
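The advice to block unapproved DNS-over-HTTPS providers is also a detection opportunity, because a vSphere host has no legitimate reason to resolve names through a public HTTPS resolver. The following Python is an added example and is not code from CISA, the advisory, CrowdStrike or BleepingComputer: it scans constructed proxy-log lines for HTTPS requests to well-known public DoH resolvers, or to the RFC 8484 /dns-query path on any host, and rates the finding higher when the source sits on the server management network. The log format, the approved resolver doh.corp.example, the 10.10.0.0/16 management network and every log line are assumptions made for this example; the public resolver hostnames are real, widely used services, not Brickstorm indicators.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hostnames of widely used public DNS-over-HTTPS resolvers. These are real
# services, not indicators tied to Brickstorm; the point is to notice servers
# that should never need them.
PUBLIC_DOH_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Assumed: the organisation's own DoH resolver, the one sanctioned DoH target.
APPROVED_DOH_HOSTS = {"doh.corp.example"}

# Assumed: the management network hosting vCenter/ESXi. DoH from here is
# suspicious; these systems have no business using a public HTTPS resolver.
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed proxy-log format: timestamp followed by key=value pairs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)"
    r"\s+port=(?P<port>\d+)\s+path=(?P<path>\S+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    severity: str
    reason: str


def is_doh_request(host: str, port: int, path: str) -> bool:
    """DoH is HTTPS to a resolver, almost always on /dns-query (RFC 8484).

    Matching the path as well as the host catches a resolver the allowlist
    has never heard of, which is what an attacker is likely to use.
    """
    if port != 443:
        return False
    return host in PUBLIC_DOH_HOSTS or path.startswith("/dns-query")


def classify(src: str) -> str:
    """Map a source IP to an asset class using the assumed server networks."""
    ip = ipaddress.ip_address(src)
    return "server" if any(ip in net for net in SERVER_NETS) else "workstation"


def flag_unexpected_doh(lines):
    """Return a Finding for every DoH request to an unapproved resolver."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        host, port, path = m["host"], int(m["port"]), m["path"]
        if host in APPROVED_DOH_HOSTS:
            continue
        if not is_doh_request(host, port, path):
            continue
        asset = classify(m["src"])
        severity = "high" if asset == "server" else "low"
        reason = f"{asset} {m['src']} sent DoH to unapproved resolver {host}"
        findings.append(Finding(m["ts"], m["src"], host, severity, reason))
    return findings


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    "2024-04-10T12:00:01Z src=10.10.4.20 host=dns.google port=443 path=/dns-query",
    "2024-04-10T12:00:05Z src=192.168.7.33 host=cloudflare-dns.com port=443 path=/dns-query",
    "2024-04-10T12:00:09Z src=10.10.4.21 host=doh.corp.example port=443 path=/dns-query",
    "2024-04-10T12:00:12Z src=10.10.4.22 host=updates.example.net port=443 path=/feed",
    "2024-04-10T12:00:15Z src=10.10.4.23 host=203.0.113.9 port=443 path=/dns-query",
]

if __name__ == "__main__":
    for f in flag_unexpected_doh(SAMPLE_LOG):
        print(f.severity.upper(), f.ts, f.reason)
```

Run against the sample, the two management-network hosts talking to dns.google and to an unlisted resolver on /dns-query are rated high, the workstation using cloudflare-dns.com is rated low, and the approved corporate resolver and ordinary HTTPS traffic produce nothing. Alerting on the server network first, before enforcing a block, avoids breaking workstation browsers that ship with DoH enabled while still surfacing the traffic the advisory is concerned about.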
Cybersecurity firm CrowdStrike linked the attacks to a Chinese hacking group called Warp Panda, which also deploys previously unknown malware implants in VMware ESXi environments.
Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers