The Cybersecurity and Infrastructure Security Agency (CISA) has recently identified an advanced malware variant known as BRICKSTORM. The malware has been directly tied to state-sponsored hacking activity originating from the People's Republic of China (PRC). BRICKSTORM was first documented by Google Mandiant in 2024. Attackers have deployed this backdoor in intrusions that exploited dangerous vulnerabilities in Ivanti Connect Secure, most notably the zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887. Once a system is infected, the malware gives the operator persistent access to it. This development is raising red flags for security professionals, particularly those working in the U.S. government and information technology sectors.
BRICKSTORM is a custom backdoor implant written in Golang. It gives the operator interactive shell access to affected systems and lets them change files at will. This breadth of functionality, which includes browsing, uploading, downloading, creating and deleting files, makes the malware a powerful Swiss Army knife for its operators.
Technical Capabilities of BRICKSTORM
The power of BRICKSTORM lies in its technical variety. The implant communicates over several protocols, including HTTPS and WebSockets, and further nests Transport Layer Security (TLS) inside its command-and-control (C2) channel. This multi-protocol support lets the operators stay under the radar by blending communication with infected systems into ordinary encrypted web traffic.
Additionally, BRICKSTORM uses DNS-over-HTTPS (DoH), hiding its communications inside standard web traffic. This tactic increases the stealth of the malware and makes it harder for security teams to detect and respond to an intrusion.
“BRICKSTORM uses custom handlers to set up a SOCKS proxy, create a web server on the compromised system, and execute commands on the compromised system.” – CISA
The SOCKS proxy capability is a powerful tool for lateral movement in any environment: it lets threat actors tunnel traffic through the compromised host and move across the network undetected. This feature is the most worrisome for organizations because it enables large-scale infiltration and reconnaissance.
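As an added illustration, not taken from the CISA or CrowdStrike reporting, the following Python sketch flags the two egress patterns described above, DoH requests and WebSocket upgrades, when they originate from infrastructure hosts such as vCenter or ESXi that have no business talking to the internet this way. The log format, host names and addresses are constructed for the example; a real deployment would read the proxy's own log fields.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample of egress proxy log lines (not real telemetry).
# Fields: src_host method url content_type upgrade_header ("-" = absent)
SAMPLE_LOG = """\
vcenter01 POST https://203.0.113.10/dns-query application/dns-message -
ws-laptop17 GET https://example.org/index.html text/html -
esxi-03 GET https://203.0.113.10/ws - websocket
vcenter01 GET https://updates.example.invalid/manifest application/json -
ws-laptop17 POST https://doh.example.invalid/dns-query application/dns-message -
"""

# Assumption: a site-specific allow-list of management hosts that should
# never originate DoH or WebSocket sessions to the internet themselves.
INFRASTRUCTURE_HOSTS = {"vcenter01", "esxi-03"}


@dataclass
class Finding:
    host: str
    reason: str
    url: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign."""
    src, _method, url, ctype, upgrade = line.split()
    if src not in INFRASTRUCTURE_HOSTS:
        # Workstation DoH is common and noisy; this check is scoped to
        # servers and appliances, where the pattern is far more suspicious.
        return None
    # RFC 8484 DoH: application/dns-message body or the /dns-query path.
    if ctype == "application/dns-message" or url.endswith("/dns-query"):
        return Finding(src, "DoH egress from infrastructure host", url)
    # An Upgrade: websocket header from a hypervisor/vCenter host to the
    # outside is a candidate C2 channel of the kind described above.
    if upgrade.lower() == "websocket":
        return Finding(src, "WebSocket upgrade from infrastructure host", url)
    return None


def scan(log_text: str) -> list:
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.host}: {finding.reason} -> {finding.url}")
```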
Targeting Government and IT Sectors
BRICKSTORM has mostly been used against government entities and the information technology industry. The UNC5221 hacking group is implicated in its use. The group consistently targets organizations under North American jurisdiction, and its day-to-day operations make clear that it is collecting intelligence with the explicit intent of furthering PRC strategic objectives.
Aside from BRICKSTORM, the group has deployed two other Golang implants, Junction and GuestConduit, and these implants have been shown to run undetected on ESXi hosts and guest VMs. With these supplementary tools, the adversary can extend its foothold and control over a breached environment.
“The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.” – CrowdStrike
According to reports, the threat actors have gained access to employees' email accounts. These employees work in industries that align with the priorities laid out by Chinese leaders. This targeting shows the group's priority of collecting highly sensitive information linked to national security and international relations.
Incident Response and Mitigation Efforts
CISA will keep working with its private sector partners to track BRICKSTORM's adoption and effects. The agency stressed the need for rapid incident response to reduce the threat posed by this malware, and organizations are being urged to review their network security controls and ensure they have sufficient defenses against potential breaches.
In one high-profile example, attackers compromised a web server in an organization's demilitarized zone (DMZ) using a web shell. They used this initial foothold to pivot laterally to an internal VMware vCenter server, where they implanted BRICKSTORM. Incidents like this are a reminder that security must go beyond perimeter protection and include internal network visibility and behavioral detection.
“Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity.” – CrowdStrike
CrowdStrike has tracked evidence tying the group it calls Warp Panda to a broad range of intrusions, and notes the group's advanced technical skill. The group shows a deep level of OPSEC discipline, and its thorough understanding of cloud computing ecosystems only magnifies the danger it presents.