What's Happening?
Chinese state-sponsored threat actors have been identified as backdooring VMware vCenter and VMware ESXi servers using a malware program known as BRICKSTORM. This malware, written in Go, allows these actors to maintain long-term persistence within victim networks. According to a joint report by the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security, the primary targets have been organizations within the government services, facilities, and IT sectors. The malware was first reported by researchers from Mandiant and Google's Threat Intelligence Group in September, with findings indicating that the backdoor remained undetected for an average of 369 days. CISA has analyzed multiple samples of BRICKSTORM, including one from a VMware vCenter server where the infection went undetected for over a year and a half, allowing attackers to move laterally through the network.
Why Is It Important?
The infiltration of critical infrastructure and government networks by Chinese state-sponsored actors poses significant risks to national security and the integrity of sensitive data. The ability of BRICKSTORM to remain undetected for extended periods highlights the sophistication of these cyber threats and the challenges in defending against them. This situation underscores the importance of robust cybersecurity measures and international cooperation in addressing state-sponsored cyber espionage. The potential for these actors to establish pivot points for broader access could lead to further exploitation and sabotage, affecting not only the targeted organizations but also the broader economic and political landscape.
What's Next?
In response to these threats, organizations are likely to enhance their cybersecurity protocols and invest in advanced threat detection technologies. Government agencies may increase collaboration with international partners to share intelligence and develop strategies to counteract such cyber threats. Additionally, there may be increased scrutiny and regulation of software and hardware used in critical infrastructure to prevent similar vulnerabilities from being exploited in the future.