UNC5221, a sophisticated cyber threat group already known for developing other malware, is responsible for distributing the BRICKSTORM backdoor. This destructive tool is spreading into every sector nationwide, but legal services and technology organizations are its principal targets. The new campaign takes advantage of zero-day vulnerabilities in Ivanti Connect Secure, specifically CVE-2023-46805 and CVE-2024-21887, to achieve persistent access to victim organizations. The advanced persistent threat actors have gone after the leadership of these organizations to reach sensitive communications and data.
Google first publicly documented BRICKSTORM last year. Since then, it has been associated with a number of attacks against Linux and BSD-based appliances as well as attacks against Windows environments across Europe. The campaign has been active for more than a year, allowing quiet and sustained infiltration of its targets. Recent reporting from Mandiant and the Google Threat Intelligence Group (GTIG) shows just how urgent and sophisticated this threat is.
Overview of BRICKSTORM’s Capabilities
The BRICKSTORM backdoor marks a significant new development in cyber espionage tradecraft. Its stealth gives the actors a dangerous foothold inside target organizations: the backdoor is installed on appliances that typically cannot run the endpoint detection and response (EDR) tools in common use today. That is what lets today's threat actors fly under the radar, slipping past otherwise mature security perimeters.
In a recent example, threat actors exploited four vulnerabilities in Ivanti Connect Secure edge devices. From there, they were able to cover their tracks and immediately install the BRICKSTORM backdoor. Once installed, BRICKSTORM can remotely execute commands and exfiltrate data. It then establishes communication with its command-and-control (C2) servers in the background, without alerting users or security teams.
“Normally, installing a filter requires modifying a configuration file and restarting or reloading the application; however, the actor used a custom dropper that made the modifications entirely in memory, making it very stealthy and negating the need for a restart,” – Google
This in-memory approach further increases the stealth of the operation and further complicates efforts to detect and prevent these intrusions. Worse, the malware's months-long dwell time makes it harder for security teams to identify the original point of entry.
Attack Targeting and Objectives
The primary objective of the BRICKSTORM campaign is to gain access to the email accounts of senior staff within target organizations. The threat actors also focus on developers, system administrators, and anyone whose work, even tangentially, serves the long-term goals of China's economic competition. Their interest is squarely in the people of value to an espionage operation.
The U.S. legal services, software-as-a-service (SaaS), business process outsourcing (BPO), and technology industries are the primary targets, and they now face unprecedented public and political scrutiny. Once inside, the actors have access to highly sensitive communications. Armed with this information, they can conduct intelligence collection aimed at competitive advantage or political leverage.
“These intrusions are conducted with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” – GTIG
Even though the BRICKSTORM backdoor was discovered a few months ago, its developers are still hard at work. They recently added a "delay" timer that waits for a specific date before the backdoor establishes communication with its C2 server. This tactic helps it avoid detection by reducing the live activity that could raise red flags for security teams.
Challenges in Detection and Mitigation
The sophistication of the BRICKSTORM campaign presents a serious challenge and a new battlefield reality for cybersecurity professionals. The actors move laterally within networks and exfiltrate data using techniques that generate very few security alerts, making them difficult for the average organization to detect.
On average, GTIG found that BRICKSTORM remained inside victim networks for about 393 days. This lengthy period of operating under the radar highlights how successful the group's evasion tactics have proven to be.
“The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.” – GTIG
Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, emphasized the severity of this threat:
“The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets.”