https://community.checkpoint.com/t5/General-Topics/BRICKSTORM-A-Stealthy-Espionage-Campaign-Targeting-Enterprise/m-p/258292#M43591 <P>Over the past year, Google Cloud researchers uncovered an advanced espionage campaign they named<SPAN>&nbsp;</SPAN><STRONG>BRICKSTORM</STRONG>, attributed to the suspected China-nexus group<SPAN>&nbsp;</SPAN><STRONG>UNC5221</STRONG>. The campaign showcases the continued trend of state-aligned actors exploiting enterprise infrastructure to establish long-term access and stealthy command-and-control.</P> <H2>Key Findings</H2> <UL> <LI><STRONG>Targeted Victims:</STRONG><SPAN>&nbsp;</SPAN>U.S. law firms, SaaS providers, business process outsourcing (BPO) firms, and technology companies.</LI> <LI><STRONG>Focus on Appliances and Infrastructure:</STRONG><SPAN>&nbsp;</SPAN>Attackers deployed malware on<SPAN>&nbsp;</SPAN><SPAN class="mono">Linux/BSD</SPAN><SPAN>&nbsp;</SPAN>appliances and VMware vCenter/ESXi systems - environments that often lack endpoint security visibility.</LI> <LI><STRONG>Dwell Time:</STRONG><SPAN>&nbsp;</SPAN>On average, attackers remained undetected for over a year (393 days), underscoring both the stealth of the tools and the challenges defenders face in monitoring these platforms.</LI> <LI><STRONG>Custom Malware – BRICKSTORM Backdoor:</STRONG> <UL> <LI>Written in Go and obfuscated with Garble.</LI> <LI>Supports SOCKS proxying for lateral movement and persistence.</LI> <LI>Utilizes a custom library (<SPAN class="mono">wssoft</SPAN>) to evade detection.</LI> <LI>Employs legitimate services for C2, including Cloudflare Workers, Heroku, and sslip.io.</LI> </UL> </LI> <LI><STRONG>Evolution of Techniques:</STRONG> <UL> <LI>Introduction of variants with delayed beaconing to blend into normal network activity.</LI> <LI>Deployment of “BRICKSTEAL” - an in-memory Java Servlet filter running on vCenter that harvested Active Directory credentials.</LI> </UL> </LI> </UL> <H2>Check Point customers are safeguarded through multiple layers of defense</H2> <UL> <LI>Check Point's Intrusion Prevention System, embedded in Quantum gateways, was added with new protections targeting this campaign. These protections are automatically downloaded to Quantum gateways, protecting our customers.</LI> <LI>Check Point's Threat Emulation engine* - utilized by Quantum gateways, Harmony Endpoint, Harmony Email &amp; Collaboration, and Harmony SASE - has been updated with new protections targeting this campaign. In addition, the Anti-Bot engine**, available on Quantum gateways and Harmony Endpoint, includes new protections against BRICKSTORM command-and-control traffic.</LI> </UL> <P>For more information and the protection details, <A href="https://support.checkpoint.com/results/sk/sk184082" target="_self">please read&nbsp;sk184082</A></P> Fri, 26 Sep 2025 09:33:06 GMT _Val_ 2025-09-26T09:33:06Z https://community.checkpoint.com/t5/General-Topics/BRICKSTORM-A-Stealthy-Espionage-Campaign-Targeting-Enterprise/m-p/258292#M43591 <P>Over the past year, Google Cloud researchers uncovered an advanced espionage campaign they named<SPAN>&nbsp;</SPAN><STRONG>BRICKSTORM</STRONG>, attributed to the suspected China-nexus group<SPAN>&nbsp;</SPAN><STRONG>UNC5221</STRONG>. The campaign showcases the continued trend of state-aligned actors exploiting enterprise infrastructure to establish long-term access and stealthy command-and-control.</P> <H2>Key Findings</H2> <UL> <LI><STRONG>Targeted Victims:</STRONG><SPAN>&nbsp;</SPAN>U.S. law firms, SaaS providers, business process outsourcing (BPO) firms, and technology companies.</LI> <LI><STRONG>Focus on Appliances and Infrastructure:</STRONG><SPAN>&nbsp;</SPAN>Attackers deployed malware on<SPAN>&nbsp;</SPAN><SPAN class="mono">Linux/BSD</SPAN><SPAN>&nbsp;</SPAN>appliances and VMware vCenter/ESXi systems - environments that often lack endpoint security visibility.</LI> <LI><STRONG>Dwell Time:</STRONG><SPAN>&nbsp;</SPAN>On average, attackers remained undetected for over a year (393 days), underscoring both the stealth of the tools and the challenges defenders face in monitoring these platforms.</LI> <LI><STRONG>Custom Malware – BRICKSTORM Backdoor:</STRONG> <UL> <LI>Written in Go and obfuscated with Garble.</LI> <LI>Supports SOCKS proxying for lateral movement and persistence.</LI> <LI>Utilizes a custom library (<SPAN class="mono">wssoft</SPAN>) to evade detection.</LI> <LI>Employs legitimate services for C2, including Cloudflare Workers, Heroku, and sslip.io.</LI> </UL> </LI> <LI><STRONG>Evolution of Techniques:</STRONG> <UL> <LI>Introduction of variants with delayed beaconing to blend into normal network activity.</LI> <LI>Deployment of “BRICKSTEAL” - an in-memory Java Servlet filter running on vCenter that harvested Active Directory credentials.</LI> </UL> </LI> </UL> <H2>Check Point customers are safeguarded through multiple layers of defense</H2> <UL> <LI>Check Point's Intrusion Prevention System, embedded in Quantum gateways, was added with new protections targeting this campaign. These protections are automatically downloaded to Quantum gateways, protecting our customers.</LI> <LI>Check Point's Threat Emulation engine* - utilized by Quantum gateways, Harmony Endpoint, Harmony Email &amp; Collaboration, and Harmony SASE - has been updated with new protections targeting this campaign. In addition, the Anti-Bot engine**, available on Quantum gateways and Harmony Endpoint, includes new protections against BRICKSTORM command-and-control traffic.</LI> </UL> <P>For more information and the protection details, <A href="https://support.checkpoint.com/results/sk/sk184082" target="_self">please read&nbsp;sk184082</A></P> Fri, 26 Sep 2025 09:33:06 GMT https://community.checkpoint.com/t5/General-Topics/BRICKSTORM-A-Stealthy-Espionage-Campaign-Targeting-Enterprise/m-p/258292#M43591 _Val_ 2025-09-26T09:33:06Z