Chinese State-Backed Hackers Exploit New BRICKSTORM Backdoor
Chinese state-backed hackers have been exploiting a new backdoor, dubbed BRICKSTORM, to infiltrate organizations that hold sensitive data. The campaign, attributed to the UNC5221 threat actor, has been targeting manufacturers and service providers, with a particular focus on U.S. law firms.
The hackers, part of the Chinese cyber threat group UNC5221, have been using BRICKSTORM to gain access to critical systems and data. They've been targeting developers, system administrators, and individuals of interest to the People's Republic of China within these organizations. One known incident involved exploiting a zero-day vulnerability in an Ivanti Connect Secure edge device.
BRICKSTORM is primarily designed for Linux appliances, with a variant for Windows devices, although the latter has not been observed in use. The backdoor has been found on various appliance types, including VMware vCenter and ESXi hosts, which the hackers use for lateral movement within networks. The campaign is not linked to previously identified Chinese state groups like Silk Typhoon and Volt Typhoon, according to cybersecurity firm Mandiant.
The BRICKSTORM campaign highlights the ongoing threat posed by state-backed hackers to organizations holding sensitive data. Because the targeted U.S. law firms work on matters touching U.S. national security and international trade, the implications are significant. Organizations are urged to bolster their cybersecurity measures, particularly on appliances that lack traditional endpoint detection and response agents.