
Chinese state-sponsored threat actors are backdooring VMware vCenter and VMware ESXi servers with a malware program written in Go, allowing them to maintain long-term persistence in victim networks. According to a joint report by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security (Cyber Centre), organizations in the Government Services and Facilities and Information Technology sectors have been the primary targets.
The malware program, known in the security industry as BRICKSTORM, was first reported by researchers from Mandiant and Google’s Threat Intelligence Group in September. At the time, Google said the backdoor remained undetected for 369 days on average and was found inside the networks of US legal services firms, SaaS providers, business process outsourcers, and technology companies.
For its part, CISA has thus far analyzed eight separate BRICKSTORM samples, including one collected from a VMware vCenter server of an organization where the infection went undetected for over a year and a half, allowing the attackers to move laterally through the network.
