Chinese threat actors deployed a custom Linux backdoor on compromised network edge devices to maintain persistent access into the networks of US legal services firms, software-as-a-service (SaaS) providers, business process outsourcers and technology companies.
On average, these backdoors remained undetected for 393 days and were used as a staging point for lateral movement to VMware vCenter and ESXi hosts, Windows workstations and servers, and Microsoft 365 mailboxes.
“The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims,” researchers from Mandiant and Google’s Threat Intelligence Group found during their incident response engagements.
The researchers attribute these attacks to a group Google tracks as UNC5221, which has activity overlaps with another China-based state-sponsored threat actor known in the industry as Silk Typhoon, though Google assesses the two to be distinct. The group’s main tool is a backdoor written in Go for Linux and BSD devices that Mandiant has dubbed BRICKSTORM.
Most network appliances and other edge devices don’t have traditional endpoint detection and response tools deployed on them and generally fall outside the scope of SIEM log monitoring solutions. This makes detecting BRICKSTORM implants very hard without active threat hunting, which is why Mandiant has now released a scanner script that can be run on appliances to look for associated indicators of compromise.
Initial access is hard to determine
UNC5221 is the only group known to have exploited CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances as zero-days since December 2023. However, the BRICKSTORM backdoor has been found on different types of appliances for various manufacturers without clear signs of vulnerability exploitation.
Part of the reason this evidence might be missing is the long attacker dwell time of over a year before the intrusions were identified, which exceeds the normal internal log retention periods on such devices. If the logs are not collected and stored in a centralized solution, there is no way to tell how an appliance was originally compromised.
“Despite these challenges, a pattern in the available evidence points to the actor’s focus on compromising perimeter and remote access infrastructure,” Mandiant researchers found.
Targeting virtual machines
BRICKSTORM has also been found on VMware vCenter and ESXi servers where it was deployed using valid credentials that were likely stolen from compromised network appliances.
The attackers also deployed a Java Servlet filter on the web server that runs the vCenter web management interface. The filter, dubbed BRICKSTEAL by Mandiant, allowed them to intercept HTTP requests to the login page, which can contain usernames and passwords. Users who typically access vCenter have a high level of privilege inside the enterprise.
In addition, the attackers deployed a web shell dubbed SLAYSTYLE on vCenter that can receive commands over HTTP and execute them on the system. In other cases, the attackers enabled the SSH service on vCenter through the web interface and then used the SSH access to deploy BRICKSTORM.
The attackers also used VMware vCenter to clone existing virtual machines for Windows servers acting as domain controllers, SSO identity providers and secret vaults. They then mounted the file systems of those virtual machines and extracted credentials stored inside. Those credentials were then used for further lateral movement to other systems.
Stealing mailboxes and code
One common theme across intrusions was the attackers using Microsoft Entra ID Enterprise Applications with stolen credentials to access the Microsoft 365 mailboxes of developers, system administrators, or individuals involved in activities of economic or espionage interest.
BRICKSTORM also acts as a SOCKS proxy allowing attackers to directly access systems and web applications on the enterprise network. The attackers used this tunneling feature to exfiltrate files of interest collected from workstations or archived code repositories.
How attackers selected their targets
“Recent intrusion operations tied to BRICKSTORM likely represent an array of objectives ranging from geopolitical espionage, access operations, and intellectual property (IP) theft to enable exploit development,” the Google researchers found.
For example, legal services firms were likely targeted to gather information related to US national security and trade, while SaaS providers were targeted to obtain their customers’ data or to potentially gain access further downstream into their customers’ environments.
Technology companies were targeted for intellectual property theft, but the stolen source code could also be analyzed to discover vulnerabilities in their products and develop zero-day exploits.
Mandiant’s report contains detailed guidance on how organizations should perform threat hunting that focuses on TTPs rather than IOCs in order to detect patterns of attack. That’s because UNC5221 used different BRICKSTORM samples and command-and-control servers for every individual victim.
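The TTPs described above (cloning domain controller, SSO and vault VMs, then enabling SSH on the vCenter appliance) can be encoded as hunt logic that does not depend on per-victim indicators. The following is an added illustration, not code from Mandiant’s report or scanner; the event schema and sample records are constructed, and real vCenter audit events have a different shape.

```python
"""TTP-based hunt over vCenter-style audit events (constructed sample data)."""
import re
from datetime import datetime, timedelta

# VM roles the report says the attackers cloned to harvest credentials offline.
SENSITIVE_VM = re.compile(r"\b(dc\d*|adfs|sso|idp|vault)\b|domain.?controller", re.I)

# Constructed events in a simplified schema (hypothetical, not vCenter's format).
EVENTS = [
    {"ts": "2024-03-01T02:10:00", "user": "svc-backup@vsphere.local",
     "event": "vm.cloned", "vm": "CORP-DC01", "target": "CORP-DC01-clone"},
    {"ts": "2024-03-01T02:14:30", "user": "svc-backup@vsphere.local",
     "event": "vm.cloned", "vm": "HASHI-VAULT-01", "target": "tmp-vault"},
    {"ts": "2024-03-01T02:20:00", "user": "svc-backup@vsphere.local",
     "event": "appliance.ssh.enabled", "vm": None, "target": "vcenter01"},
    {"ts": "2024-03-01T09:00:00", "user": "admin@vsphere.local",
     "event": "vm.cloned", "vm": "WEB-FRONT-03", "target": "WEB-FRONT-04"},
]


def hunt(events, window=timedelta(hours=1)):
    """Return (tag, user, detail) findings for the TTPs described in the report.

    Rules: a clone of an identity or secrets VM, SSH being enabled on the
    appliance, and the two chained by one account inside `window`.
    """
    findings = []
    recent_clones = {}  # user -> timestamps of sensitive-VM clones
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "vm.cloned" and SENSITIVE_VM.search(e["vm"]):
            findings.append(("clone_of_identity_vm", e["user"], e["vm"]))
            recent_clones.setdefault(e["user"], []).append(ts)
        elif e["event"] == "appliance.ssh.enabled":
            findings.append(("vcenter_ssh_enabled", e["user"], e["target"]))
            # Escalate when the same account cloned a sensitive VM shortly before.
            if any(ts - t <= window for t in recent_clones.get(e["user"], [])):
                findings.append(("clone_then_ssh_same_account", e["user"], e["target"]))
    return findings


if __name__ == "__main__":
    for tag, user, detail in hunt(EVENTS):
        print(f"{tag:30} {user:28} {detail}")
```

Because UNC5221 rotates samples and C2 per victim, the value is in the behaviour (who cloned which VM, who enabled SSH, in what order) rather than in any hash or address.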
“Foundational to the success of any threat hunt is an asset inventory that includes devices not covered by the standard security tool stack, such as edge devices and other appliances,” the researchers found. “Because these appliances lack support for traditional security tools, an inventory is critical for developing effective compensating controls and detections.”