Mandiant Consulting, the security organization of Google Cloud, said on the 26th that it responded to multiple attacks that installed the BRICKSTORM backdoor on appliances without endpoint detection and response (EDR) agents installed.
The attacks are believed to be the work of UNC5221 and China-linked threat actors and used advanced forensic evasion and malware mutation techniques to persist undetected for an average of 393 days. The purpose of such sophisticated attacks is to maintain continuous access to the victim's environment to steal high-value intellectual property (IP) and sensitive data.
In this incident, a sophisticated cyberattack targeting core infrastructure was identified. The attack targeted essential service providers holding sensitive data, such as law firms, software-as-a-service (SaaS) providers, and technology companies, showing signs of securing long-term, covert access and exfiltrating information and intellectual property (IP).
The investigation found that the threat actors abused new appliance platforms such as VMware vCenter Server and ESX hosts, evaded detection with in-memory tampering, custom droppers, and obfuscation, and kept the backdoor running over a long period by modifying startup scripts. Attacks targeting the U.S. legal sector were also noted as having the character of geopolitical espionage aimed at collecting information related to national security and international trade.
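The persistence mechanism described above (a startup script on an appliance that runs no EDR agent, edited so the backdoor is relaunched at boot) is something a defender can check for with a plain baseline comparison. The script below is an added example, not code from Mandiant or Google Cloud, and not drawn from the report: the file path (ESXi's conventional `/etc/rc.local.d/local.sh` hook is assumed as the file under review), the baseline content, the tampered line and the suspicious-pattern list are all constructed for illustration.

```python
"""Baseline comparison for an appliance startup script.

Added example for the startup-script persistence described in the article;
not Mandiant/Google Cloud code. Path, baseline text, tampered text and the
heuristic patterns are constructed for the illustration.
"""
import difflib
import hashlib
import re

# Constructed "golden" copy of the startup hook as captured at deployment time.
BASELINE_LOCAL_SH = """#!/bin/sh

# local configuration options

# Note: modify at your own risk!
# If you do/use this, trouble will be the result

exit 0
"""

# Constructed tampered copy: one backgrounded launcher inserted before the exit.
TAMPERED_LOCAL_SH = """#!/bin/sh

# local configuration options

# Note: modify at your own risk!
# If you do/use this, trouble will be the result

nohup /store/.helper/svc >/dev/null 2>&1 &
exit 0
"""

# Heuristics for lines that do not belong in a stock startup hook: backgrounded
# processes, binaries under hidden or tmp-style directories, interpreter one-liners.
# Illustrative only, not a vendor signature list.
SUSPICIOUS = [
    re.compile(r"\bnohup\b"),
    re.compile(r"&\s*$"),
    re.compile(r"/\.[A-Za-z0-9_]"),      # hidden directory component
    re.compile(r"/tmp/|/var/tmp/"),
    re.compile(r"\b(python|perl)\b.*\s-[ce]\b"),
]


def sha256_text(text: str) -> str:
    """Hash the script text so the report can be compared with a stored baseline hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def compare_startup_script(baseline: str, current: str,
                           path: str = "/etc/rc.local.d/local.sh") -> dict:
    """Describe how `current` departs from `baseline` and flag suspicious additions."""
    base_lines = baseline.splitlines()
    cur_lines = current.splitlines()
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, base_lines, cur_lines)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur_lines[j1:j2])
    flagged = [line for line in added if any(p.search(line) for p in SUSPICIOUS)]
    return {
        "path": path,
        "baseline_sha256": sha256_text(baseline),
        "current_sha256": sha256_text(current),
        "modified": baseline != current,
        "added_lines": added,
        "removed_lines": removed,
        "flagged_lines": flagged,
    }


if __name__ == "__main__":
    report = compare_startup_script(BASELINE_LOCAL_SH, TAMPERED_LOCAL_SH)
    print(f"{report['path']}: modified={report['modified']}")
    for line in report["flagged_lines"]:
        print("  suspicious addition:", line)
```

In practice the baseline hash would be recorded when the host is built and the current copy pulled over SSH or from a host profile export; a changed hash is the trigger, and the added-line diff is what the responder reads, since a long dwell time is exactly the case where nobody remembers what the hook looked like originally.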
Charles Carmakal, chief technology officer (CTO) of Google Cloud's Mandiant Consulting, warned, "Attacks that use the BRICKSTORM backdoor are a significant threat to organizations because they evade advanced enterprise security defenses while concentrating on high-value targets," adding, "The access UNC5221 has obtained could extend beyond the victim organization to their SaaS customers or lead to the discovery of zero-day vulnerabilities."