BRICKSTORM: A Stealthy Espionage Campaign Targeting Enterprise Infrastructure (sk184082)

Over the past year, Google Cloud researchers uncovered an advanced espionage campaign they named BRICKSTORM, attributed to the suspected China-nexus group UNC5221. The campaign showcases the continued trend of state-aligned actors exploiting enterprise infrastructure to establish long-term access and stealthy command-and-control.

Key Findings

  • Targeted Victims: U.S. law firms, SaaS providers, business process outsourcing (BPO) firms, and technology companies.
  • Focus on Appliances and Infrastructure: Attackers deployed malware on Linux/BSD appliances and VMware vCenter/ESXi systems - environments that often lack endpoint security visibility.
  • Dwell Time: On average, attackers remained undetected for over a year (393 days), underscoring both the stealth of the tools and the challenges defenders face in monitoring these platforms.
  • Custom Malware – BRICKSTORM Backdoor:
    • Written in Go and obfuscated with Garble.
    • Supports SOCKS proxying for lateral movement and persistence.
    • Utilizes a custom library (wssoft) to evade detection.
    • Employs legitimate services for C2, including Cloudflare Workers, Heroku, and sslip.io.
  • Evolution of Techniques:
    • Introduction of variants with delayed beaconing to blend into normal network activity.
    • Deployment of “BRICKSTEAL” - an in-memory Java Servlet filter running on vCenter that harvested Active Directory credentials.
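Several of the C2 hosting choices above (sslip.io, Cloudflare Workers, Heroku) leave a recognisable footprint in DNS logs, and an sslip.io name in particular encodes the real IP address it resolves to. The following is an added detection example written for this post; it is not Check Point's or Google's code, and it assumes a constructed "source_host query_name" DNS log format and a made-up appliance inventory.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Hosting services named in the BRICKSTORM findings. Cloudflare Workers and
# Heroku apps live under these suffixes; sslip.io is a wildcard DNS service
# whose hostnames embed the IP address they resolve to (e.g. 203-0-113-9.sslip.io).
HOSTED_SUFFIXES = (".workers.dev", ".herokuapp.com")
_SSLIP_RE = re.compile(
    r"(?:^|\.)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})\.sslip\.io$"
)

# Constructed inventory of appliance hosts (vCenter/ESXi, firewalls) that have
# no legitimate reason to resolve any of the services above.
APPLIANCES = {"vcenter01", "esxi-node3", "fw-appliance"}


def embedded_ip(hostname: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address an sslip.io hostname encodes, or None if it is not one."""
    m = _SSLIP_RE.search(hostname.lower().rstrip("."))
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # octet out of range, not a valid sslip name
        return None


def classify(src_host: str, qname: str) -> Optional[str]:
    """Describe why a DNS query from an appliance is suspicious, or None if it is not."""
    if src_host not in APPLIANCES:
        return None
    q = qname.lower().rstrip(".")
    ip = embedded_ip(q)
    if ip is not None:
        return f"appliance resolving sslip.io name that points at {ip}"
    if q.endswith(HOSTED_SUFFIXES):
        return "appliance resolving a hosted-worker/app domain"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'src_host qname' lines and return (host, query, reason) for each hit."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        reason = classify(parts[0], parts[1])
        if reason:
            findings.append((parts[0], parts[1], reason))
    return findings


# Constructed sample log: two appliance hits plus benign and workstation traffic.
SAMPLE_LOG = [
    "vcenter01 203-0-113-9.sslip.io",
    "vcenter01 updates.vmware.com",
    "esxi-node3 relay-example.workers.dev",
    "workstation7 203-0-113-9.sslip.io",
    "fw-appliance app-example.herokuapp.com",
]
```

Workstation lookups are deliberately left out of scope here, since the report's point is that the appliances themselves are the blind spot; widen `APPLIANCES` to match your own inventory.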

Check Point customers are safeguarded through multiple layers of defense

  • Check Point's Intrusion Prevention System, embedded in Quantum gateways, has been updated with new protections targeting this campaign. These protections are automatically downloaded to Quantum gateways, protecting our customers.
  • Check Point's Threat Emulation engine* - utilized by Quantum gateways, Harmony Endpoint, Harmony Email & Collaboration, and Harmony SASE - has been updated with new protections targeting this campaign. In addition, the Anti-Bot engine**, available on Quantum gateways and Harmony Endpoint, includes new protections against BRICKSTORM command-and-control traffic.

For more information and the protection details, please read sk184082.
