
Post: They slept on networks for 393 days! Chinese state hackers and the BRICKSTORM backdoor - Against Invaders - CyberSecurity news for humans.


<div> <div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default"> <div> <div> <p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>: 25 September 2025 14:29</b></span></p> <p>According to <strong>Google Threat Intelligence</strong>, the China-linked espionage group <strong>UNC5221</strong> has carried out a <em>series of successful intrusions into corporate networks since March of this year,</em> exploiting previously unknown vulnerabilities in Ivanti products.</p> <p>The attacks involved the introduction of backdoors that allowed the attackers to maintain access to victims&rsquo; infrastructure <strong>for an average of 393 days.</strong></p> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign" target="_blank">Experts have attributed</a> the actions to the UNC5221 group and other related Chinese cyberespionage groups. According to the report, <em>UNC5221 began actively exploiting vulnerabilities in Ivanti devices as early as 2023.</em> Google emphasizes that this group <em>is not associated with Silk Typhoon (formerly Hafnium),</em> which is suspected of hacking the U.S. Treasury Department in December.</p> <p>The UNC designation means the cluster has not yet been formally classified as a financially motivated (FIN) or state-sponsored (APT) group, although the origin of UNC5221 clearly indicates state support. Since spring 2025, <em>Mandiant experts have responded to incidents related to this group across a wide range of industries, from law firms to SaaS providers and corporate outsourcing companies.</em> In most cases, the attackers <strong>used a specially developed backdoor, BRICKSTORM,</strong> implanted on devices that cannot run traditional endpoint detection and response (EDR) agents.</p> <p>This allowed the attackers to slip through unnoticed: the organizations&rsquo; security systems simply didn&rsquo;t detect the malicious activity. To help identify infections, Google <a href="https://github.com/mandiant/brickstorm-scanner" target="_blank">released</a> <em>a free scanning tool that doesn&rsquo;t require YARA installation and is suitable for Linux and BSD-based systems</em>.</p> <p>It looks for signatures and unique patterns in the code that are characteristic of BRICKSTORM. <em>Mandiant representatives emphasize that the number of confirmed infections could become significant once organizations begin mass scanning their devices:</em> the effects of this campaign are expected to be evident over the next one to two years.</p> <p>In at least one case, state-backed hackers gained access to <strong>Ivanti Connect Secure via a zero-day vulnerability.</strong> While Google did not name the vulnerability, researchers had previously linked <em>UNC5221 to the active exploitation of <a href="https://www.redhotcyber.com/servizi/cve/?cve_id=CVE-2023-46805" target="_new _blank">CVE-2023-46805</a> and <a href="https://www.redhotcyber.com/servizi/cve/?cve_id=CVE-2024-21887" target="_new _blank">CVE-2024-21887</a>, both of which were only publicly disclosed in January 2024.</em></p> <p>After penetrating the network, the attackers installed BRICKSTORM, a malware written in Go and equipped with SOCKS proxy functionality. Although a Windows version <a href="https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf" target="_blank">is mentioned</a>, Mandiant experts have not observed it directly; the evidence for this variant is indirect. <em>The malware has, however, been detected on Linux and BSD devices, including network devices from various manufacturers.</em></p> <p>UNC5221 <strong>regularly attacks VMware vCenter servers and ESXi hosts,</strong> often starting on edge devices and then using stolen credentials to penetrate deeper into the network. In one attack, BRICKSTORM was introduced into vCenter after the incident investigation had begun, <strong>demonstrating the adversary&rsquo;s ability to adapt in real time and monitor defenders&rsquo; actions</strong>. The malware was also modified, using the <a href="https://github.com/burrowers/garble" target="_blank">Garble</a> obfuscation tool, custom wssoft libraries, and, in one case, <strong>a timer to delay activity until a specific date.</strong></p> <p>Additionally, in several cases the attackers used additional malware: <strong>BRICKSTEAL</strong>, a <em>malicious Java Servlet filter for Apache Tomcat</em> that runs within the vCenter web interface. It intercepts HTTP Basic Auth headers and extracts the login and password data they carry, including domain credentials if the organization uses Active Directory. Installing a filter normally requires configuration changes and a server restart, but <em>in this case the attackers used a special dropper that injected the code into memory without restarting the server, further improving stealth.</em></p> <p>As part of the attacks, the attackers <em>also gained access to the email accounts of key employees: developers, system administrators, and other specialists whose activities could be of interest to Chinese economic or intelligence interests.</em> To do so, they abused Microsoft Entra ID enterprise applications holding mail.read or full_access_as_app privileges, which allow access to any mailbox within the organization.</p> <div> <div> <div> <div> <p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p> <p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">List of articles</a></p> </div> </div> </div> </div> </div> </div> </div></div>
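The article describes Google's scanner as a YARA-free tool that walks Linux and BSD devices looking for byte patterns characteristic of BRICKSTORM, a Go binary. The following is an added example written for this page, not Mandiant's brickstorm-scanner and not its signatures: it shows the general shape of such a triage sweep, flagging ELF executables that carry Go toolchain markers together with any caller-supplied byte patterns. The sample files and the pattern list in `demo()` are constructed placeholders; the Go markers are generic strings the Go linker normally leaves in a binary, and a build obfuscated with Garble (mentioned above) may strip some of them, so a clean result here is triage, not a verdict.

```python
"""Added example, not Mandiant's brickstorm-scanner: a minimal, YARA-free
triage scanner that walks a directory tree and flags ELF executables that
carry Go toolchain markers and/or caller-supplied byte patterns. The patterns
and sample files in demo() are constructed placeholders, not BRICKSTORM
indicators. Builds obfuscated with Garble may strip some of these markers."""
import os
import shutil
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Strings normally left behind by the Go toolchain (build ID note, pclntab
# section name, runtime symbol, version tag).
GO_MARKERS = (b"Go build ID:", b".gopclntab", b"runtime.main", b"go1.")


def classify_bytes(data: bytes, patterns=()) -> dict:
    """Report which marker families the contents of one file match."""
    return {
        "elf": data.startswith(ELF_MAGIC),
        "go_markers": [m.decode() for m in GO_MARKERS if m in data],
        "pattern_hits": [p.decode(errors="replace") for p in patterns if p in data],
    }


def scan_tree(root, patterns=(), max_size=64 * 1024 * 1024):
    """Return (path, classification) for ELF files with Go markers or pattern hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            result = classify_bytes(data, patterns)
            if result["elf"] and (result["go_markers"] or result["pattern_hits"]):
                hits.append((str(path), result))
    return sorted(hits, key=lambda hit: hit[0])


def demo():
    """Build a constructed directory, scan it, and return the file names flagged."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    try:
        samples = {
            # constructed Go-style ELF: magic bytes plus a build ID note string
            "go-agent": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 20 + b'Go build ID: "constructed"',
            # constructed C-style ELF without any Go markers
            "c-tool": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 20 + b"GCC: (GNU) 12.2.0",
            # text file mentioning Go, but not an ELF: must not be flagged
            "notes.txt": b"build with go1.22 and check runtime.main",
        }
        for name, data in samples.items():
            (Path(root) / name).write_bytes(data)
        hits = scan_tree(root, patterns=(b"constructed-pattern",))
        return [Path(path).name for path, _ in hits]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real appliance you would point `scan_tree` at the filesystem roots where the vendor's own binaries live and feed it the published indicators as `patterns`; the ELF gate keeps configuration files and logs that merely mention Go out of the results.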
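BRICKSTEAL, as described above, is a Java Servlet filter registered in Tomcat so that it sees every request, and therefore every HTTP Basic Auth header, before the application does. The check below is an added example, not code from the report or from VMware: it audits a Tomcat `web.xml` for filter declarations whose class is not on an operator-maintained baseline, and rates a filter mapped to `/*` as high severity because it observes all Authorization headers. The caveat the article itself gives applies: a filter injected straight into the running JVM leaves no trace in `web.xml`, so this catches on-disk persistence and configuration drift only, and in-memory variants need JVM-side inspection. The XML and the `com.constructed.example` class name are constructed.

```python
"""Added example, not from the Google/Mandiant report: audit a Tomcat web.xml
for servlet filters outside a known-good baseline. A filter injected straight
into a running JVM leaves no trace here, so this catches on-disk persistence
and configuration drift only. The XML and class names are constructed."""
import xml.etree.ElementTree as ET

# Constructed web.xml: one expected filter plus one unexpected filter on /*.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CharsetFilter</filter-name>
    <filter-class>com.example.web.CharsetFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CharsetFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>RequestAudit</filter-name>
    <filter-class>com.constructed.example.RequestAuditFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>RequestAudit</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Filter classes an operator has reviewed and expects to see (constructed baseline).
BASELINE_FILTER_CLASSES = frozenset({"com.example.web.CharsetFilter"})


def _local(tag: str) -> str:
    """Strip the XML namespace so tags compare as plain 'filter', 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name: str):
    """Text of the first direct child with the given local tag name, or None."""
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_filters(xml_text: str, baseline=BASELINE_FILTER_CLASSES):
    """Return one finding per declared filter whose class is not baselined."""
    root = ET.fromstring(xml_text)
    declared, mappings = {}, {}
    for element in root:
        kind = _local(element.tag)
        if kind == "filter":
            declared[_child_text(element, "filter-name")] = _child_text(element, "filter-class")
        elif kind == "filter-mapping":
            name = _child_text(element, "filter-name")
            mappings.setdefault(name, []).append(_child_text(element, "url-pattern"))
    findings = []
    for name, cls in declared.items():
        if cls in baseline:
            continue
        patterns = mappings.get(name, [])
        findings.append({
            "filter": name,
            "class": cls,
            "url_patterns": patterns,
            # a filter on every path sees every Authorization header
            "severity": "high" if "/*" in patterns else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_WEB_XML):
        print(finding)
```

Run it against each deployed web application's `WEB-INF/web.xml` and keep the baseline under version control; a filter class that appears without a matching change record is the finding, whatever its name.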
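The last paragraph explains that mailbox access came through Entra ID enterprise applications holding mail.read or full_access_as_app, permissions that apply to every mailbox in the tenant rather than to one signed-in user. The code below is an added example written for this page, not from the report and not Microsoft's tooling: it reviews a list of application permission grants, flags the ones that confer tenant-wide mail access, marks which principals have a documented approval, and marks grants created after a chosen date, since a mail grant that appeared during the intrusion window is what an incident responder wants to see first. The sample input is constructed and already resolved to permission names; in a live tenant, `appRoleAssignments` from Microsoft Graph return an `appRoleId` that must first be mapped to the resource service principal's `appRoles` list.

```python
"""Added example, not from the report: flag Entra ID application permissions
that grant an app tenant-wide mailbox access. The input is constructed and
already resolved to permission names (Graph appRoleAssignments return an
appRoleId that must first be mapped to the resource's appRoles list)."""
from datetime import date

# (resource, application permission) pairs that read or control any mailbox.
TENANT_WIDE_MAIL_PERMISSIONS = frozenset({
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "Mail.Send"),
    ("Office 365 Exchange Online", "full_access_as_app"),
})

# Constructed sample shaped like resolved appRoleAssignments.
SAMPLE_ASSIGNMENTS = [
    {"principal": "HR-Sync-Connector", "resource": "Microsoft Graph",
     "permission": "User.Read.All", "created": "2024-02-10"},
    {"principal": "Mailbox-Archiver", "resource": "Microsoft Graph",
     "permission": "Mail.Read", "created": "2023-11-02"},
    {"principal": "Legacy-Backup-App", "resource": "Office 365 Exchange Online",
     "permission": "full_access_as_app", "created": "2025-04-18"},
]


def find_mail_access(assignments, approved=frozenset(), recent_since=None):
    """Return one finding per assignment that grants tenant-wide mail access.

    approved: principal names with a documented business need; they are still
    listed, but marked approved so reviewers focus on the rest.
    recent_since: ISO date; grants created on or after it are marked recent,
    because a newly appeared mail grant deserves a look during an intrusion.
    """
    cutoff = date.fromisoformat(recent_since) if recent_since else None
    findings = []
    for assignment in assignments:
        key = (assignment["resource"], assignment["permission"])
        if key not in TENANT_WIDE_MAIL_PERMISSIONS:
            continue
        created = date.fromisoformat(assignment["created"])
        findings.append({
            "principal": assignment["principal"],
            "permission": f"{key[0]}:{key[1]}",
            "approved": assignment["principal"] in approved,
            "recent": bool(cutoff and created >= cutoff),
        })
    return findings


def demo():
    """Run the review over the constructed sample with one approved principal."""
    return find_mail_access(SAMPLE_ASSIGNMENTS,
                            approved={"Mailbox-Archiver"},
                            recent_since="2025-03-01")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any unapproved or recent finding is a candidate for removing the grant; for apps that legitimately need mailbox access, an Exchange Online application access policy can restrict full_access_as_app and the Graph mail permissions to a defined set of mailboxes instead of the whole tenant.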