VerdantBamboo: Just Another BRICKSTORM in the Firewall

Volexity investigated a long-running compromise of an Egnyte Storage Sync appliance and the victim’s MSP, attributing the activity to VerdantBamboo (WARP PANDA, UNC5221) and the BRICKSTORM backdoor. The campaign also involved two previously undocumented malware families, AGENTPSD and PLENET, used to maintain access, pivot into Microsoft 365, and persist on Linux and BSD appliances. #VerdantBamboo #WARP_PANDA #UNC5221 #BRICKSTORM #AGENTPSD #PLENET #Egnyte #pfSense #Synology #Microsoft365

Keypoints

  • Volexity discovered suspicious traffic from an Egnyte Storage Sync Linux VM and traced it to a threat-actor-controlled domain using Cloudflare infrastructure.
  • The intrusion was attributed to VerdantBamboo, also tracked as WARP PANDA and UNC5221, a Chinese threat actor that had maintained a foothold in the victim environment for at least 18 months.
  • BRICKSTORM was the primary implant on the Storage Sync system and the MSP’s pfSense firewall, with variants found on Linux and FreeBSD systems.
  • The threat actor used compromised credentials, SSL VPN access, and proxying through infected appliances to reach the victim’s Microsoft 365 environment; because the proxied sign-ins originated from the victim’s own network addresses, they satisfied location-based Conditional Access policies.
  • Volexity identified two previously undocumented malware families: AGENTPSD, a Python reverse shell fallback, and PLENET, a .NET Native AOT backdoor deployed to a Synology NAS.
  • The victim organization’s MSP was also compromised, and Volexity assessed with medium confidence that the MSP breach enabled access to the victim organization.
  • Egnyte’s local privilege escalation issue was reported and fixed in Storage Sync v13.13 after Volexity’s disclosure.
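The Conditional Access point above is worth turning into a hunt: a sign-in that comes from the organisation's own firewall or VPN egress address, passes a policy because of that location alone, and presents no registered or compliant device is exactly what a proxy through a compromised appliance looks like in the Entra ID sign-in log. The script below is an added example, not Volexity's tooling or anything from the report; the TRUSTED_EGRESS range and the SIGNINS records are constructed, and the SignIn fields only approximate the sign-in log export.

```python
"""Hunt for Microsoft 365 sign-ins matching the proxy pattern in this intrusion:
the actor tunnels through a compromised appliance so the sign-in arrives from
the organization's own egress address, satisfies a location-based Conditional
Access rule, and never presents a managed device.

Added example, not Volexity's tooling. TRUSTED_EGRESS and SIGNINS are
constructed for illustration; in practice the records come from an Entra ID
sign-in log export, whose fields the SignIn class approximates.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    device_id: str     # "" when the client presented no registered device
    compliant: bool    # device compliance as Conditional Access evaluated it
    client_app: str    # e.g. "Browser", "Mobile Apps and Desktop clients"


# Assumed: the firewall / SSL VPN egress range named as a trusted location.
TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample; the two no-device entries from 203.0.113.1 are the pattern to catch.
SIGNINS = [
    SignIn("alice", "203.0.113.10", "dev-4f2a", True, "Browser"),
    SignIn("bob", "203.0.113.10", "dev-91c0", True, "Mobile Apps and Desktop clients"),
    SignIn("alice", "203.0.113.1", "", False, "Browser"),
    SignIn("svc-backup", "203.0.113.1", "", False, "Browser"),
    SignIn("carol", "198.51.100.7", "", False, "Browser"),  # untrusted IP: CA prompts anyway
]


def from_trusted_egress(ip):
    """True when the source address falls inside a trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_EGRESS)


def is_proxy_candidate(s):
    """Trusted-location sign-in that passed on location alone, with no compliant device."""
    return from_trusted_egress(s.ip) and (not s.device_id or not s.compliant)


def hunt(records):
    """Return [(sign_in, reason)] plus {ip: distinct flagged users}; one exit address
    serving many accounts with no device is the strongest signal of a proxy."""
    users_with_devices = {s.user for s in records if s.device_id}
    flagged = []
    for s in records:
        if not is_proxy_candidate(s):
            continue
        reason = "trusted-location sign-in without a compliant device"
        if s.user in users_with_devices:
            reason += "; account otherwise signs in from a registered device"
        flagged.append((s, reason))
    by_ip = {}
    for s, _ in flagged:
        by_ip.setdefault(s.ip, set()).add(s.user)
    return flagged, {ip: len(users) for ip, users in by_ip.items()}


if __name__ == "__main__":
    hits, exits = hunt(SIGNINS)
    for s, why in hits:
        print(f"{s.user:12} {s.ip:15} {why}")
    print("flagged users per exit address:", exits)
```

The per-exit-address count matters more than any single hit: one firewall address producing device-less sign-ins for several accounts, including a service account, is the proxy signature. The policy fix is the mirror image of the hunt: require a compliant or hybrid-joined device instead of exempting the corporate egress range, so a sign-in relayed through an appliance no longer passes on location alone.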

MITRE Techniques

  • [T1078 ] Valid Accounts – VerdantBamboo accessed systems using stolen or valid credentials on SSH, administrative logins, and firewall access (‘used valid credentials via secure shell (SSH)’ / ‘connected with stolen administrative credentials’).
  • [T1021.004 ] Remote Services: SSH – The actor used SSH to access the Storage Sync system and to deploy malware on the Synology NAS (‘access the Storage Sync system using valid credentials via secure shell (SSH)’ / ‘connected over SSH to deploy… PLENET’).
  • [T1133 ] External Remote Services – The threat actor leveraged web-based SSL VPN access and exposed administrative interfaces to re-enter the network (‘via the victim organization’s web SSL VPN’ / ‘set up a web-based SSL VPN network and connected to it’).
  • [T1090 ] Proxy – Compromised appliances were used as proxy points so that access to Microsoft 365 originated from the victim’s own network and blended with legitimate traffic (‘used the malware’s proxying capabilities’ / ‘establish proxy connections to access the victim organization’s M365 environment’).
  • [T1090.001 ] Proxy: Internal Proxy – BRICKSTORM provided a SOCKS5 proxy server and other relay functionality to pivot through compromised devices (‘socks – A Socks5 proxy server implementation’).
  • [T1053.003 ] Scheduled Task/Job: Cron – Persistence and execution were achieved by adding cron entries and modifying cron-related files (‘created a file in /etc/cron.d/’ / ‘modified the file /etc/crontab’ / ‘modified the file /etc/rc.d/cron’).
  • [T1548.003 ] Abuse Elevation Control Mechanism: Sudo and Sudo Caching – The attacker abused a sudoers rule that allowed the tee command to run as root; because tee writes its input to any path it is given, the rule amounts to an arbitrary file write as root and therefore a local privilege escalation (‘run the tee command as root via sudo’).
  • [T1105 ] Ingress Tool Transfer – The actor deployed additional malware and backdoors onto compromised appliances (‘deploy additional custom malware to a Synology NAS appliance’ / ‘deploy two backdoors’).
  • [T1059 ] Command and Scripting Interpreter – BRICKSTORM, AGENTPSD, and PLENET gave the actor shell access and command execution on the compromised appliances (‘remote access trojan (RAT)’ / ‘basic reverse shell’ / ‘Interactive shell’).
  • [T1059.004 ] Command and Scripting Interpreter: Unix Shell – Planted shell scripts were executed as root on a schedule (‘execute /home/egnyteservice/ssync.sh’ / ‘executed as root at 14:20’).
  • [T1027 ] Obfuscated Files or Information – BRICKSTORM was built with the gobfuscate obfuscator, and PLENET is a .NET Native AOT binary whose data is stored in dehydrated (compressed) form and is additionally packed with UPX, so neither yields readable code or strings to static analysis (‘protected with the gobfuscate binary obfuscator’ / ‘packed with UPX’ / ‘dehydrated into a compressed block’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – BRICKSTORM and PLENET used WebSocket-based C2 communications (‘These BRICKSTORM instances use the websocket protocol handler’ / ‘PLENET C2 traffic uses the WebSocket protocol’).
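The sudo/tee rule and the cron persistence above are both things a responder can check directly on an appliance image. The script below is an added example, not code from Volexity or Egnyte: it parses a system sudoers file for non-root rules that hand out a root file-write primitive (tee being the one abused here), and parses /etc/crontab and /etc/cron.d entries for root jobs launched from user-writable paths or referencing the file names listed under Indicators of Compromise. SAMPLE_SUDOERS and SAMPLE_CRON are constructed for illustration; only the IOC_BASENAMES entries come from the page.

```python
"""Triage two artifacts from the write-up on a Linux/BSD appliance image:
a sudoers rule that lets a service account run tee as root (tee writes its
stdin to any path, so this is an arbitrary file write and therefore a local
privilege escalation) and system crontab entries used for persistence.

Added example, not code from Volexity or Egnyte. SAMPLE_SUDOERS and
SAMPLE_CRON are constructed for illustration; the names in IOC_BASENAMES
are taken from the Indicators of Compromise section of the page.
"""
import re
from os.path import basename

# Commands that give a sudo caller an arbitrary write as root. tee is the
# one abused in this intrusion; the others are the common equivalents.
FILE_WRITE_CMDS = {"tee", "cp", "mv", "dd", "install"}

# File names the page lists as IoCs (their directories vary per appliance).
IOC_BASENAMES = {"egnyte_host_monitor_client", "luserput", "blacklist",
                 "ovs-dbctl", "ssync", "ssync.sh"}

# Root should not be running scheduled jobs out of user-writable locations.
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user host=(runas_user[:runas_group]) [TAG:...] cmd1, cmd2 ...
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
SUDO_TAGS = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT|MAIL|NOMAIL):\s*)+")
CRON_SPECIAL = ("@reboot", "@yearly", "@annually", "@monthly", "@weekly",
                "@daily", "@midnight", "@hourly")

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
# intended to let the service account append to its own logs; tee writes anywhere
egnyteservice ALL=(root) NOPASSWD: /usr/bin/tee
ops ALL=(root) /usr/bin/systemctl restart egnyte-sync
"""

SAMPLE_CRON = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /home/egnyteservice/ssync.sh
@reboot root /usr/sbin/luserput
0 3 * * * backup /usr/local/bin/backup.sh
"""


def _runs_as_root(runas):
    """True when the rule lets the command run as root (the default when no runas is given)."""
    if runas is None:
        return True
    return runas.split(":", 1)[0].strip() in ("root", "ALL")


def sudoers_findings(text):
    """Return (user, command, reason) for non-root rules that hand out root file writes."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if not m or m.group("who") == "root" or not _runs_as_root(m.group("runas")):
            continue
        for cmd in m.group("spec").split(","):
            cmd = SUDO_TAGS.sub("", cmd.strip())
            exe = cmd.split()[0] if cmd else ""
            if exe == "ALL":
                reason = "unrestricted root (ALL)"
            elif basename(exe) in FILE_WRITE_CMDS:
                reason = f"{basename(exe)} as root is an arbitrary file write"
            else:
                continue
            findings.append((m.group("who"), cmd, reason))
    return findings


def _split_system_cron(line):
    """Split a system crontab line (/etc/crontab, /etc/cron.d/*) into (schedule, user, command)."""
    if line.startswith("@"):
        parts = line.split(None, 2)
        return tuple(parts) if len(parts) == 3 and parts[0] in CRON_SPECIAL else None
    parts = line.split(None, 6)
    return (" ".join(parts[:5]), parts[5], parts[6]) if len(parts) == 7 else None


def cron_findings(text):
    """Return (user, command, reason) for entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # comments and VAR=value assignments
        parsed = _split_system_cron(line)
        if parsed is None:
            continue
        _schedule, user, cmd = parsed
        tokens = cmd.split()
        reasons = []
        if user == "root" and tokens[0].startswith(UNTRUSTED_PREFIXES):
            reasons.append("root job from user-writable path")
        if any(basename(t.strip("\"';&|()")) in IOC_BASENAMES for t in tokens):
            reasons.append("references IoC file name")
        if reasons:
            findings.append((user, cmd, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in sudoers_findings(SAMPLE_SUDOERS) + cron_findings(SAMPLE_CRON):
        print(f)
```

The sudoers parser deliberately ignores Cmnd_Alias expansion and `!` negations, so run it as a first pass and read any aliases by hand. The fix for the flagged rule is not a tighter argument pattern (sudoers wildcards match across `/`, so a log-directory glob still reaches /etc/cron.d) but a dedicated, root-owned wrapper script that does the one write the service needs.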

Indicators of Compromise

  • [Domains ] C2 and beaconing infrastructure used by BRICKSTORM, AGENTPSD, and PLENET – threat-actor-controlled domain behind Cloudflare, same C2 domain found on the Storage Sync server, and a different domain used by AGENTPSD.
  • [IP addresses ] Network endpoints observed in the intrusion – Cloudflare IP addresses fronting the C2 domain, an IP address assigned by the victim organization’s firewall, and 8.8.8.8 (Google Public DNS, used for DNS/DoH resolution; a legitimate service and not an indicator on its own).
  • [File names ] Malware and persistence artifacts on Linux/BSD appliances – egnyte_host_monitor_client, luserput (under /usr/sbin/), blacklist, ovs-dbctl, and ssync.
  • [File paths ] Locations used for payload placement and persistence – /usr/sbin/, /etc/cron.d/, /etc/crontab, /usr/local/libexec/ipsec/, and /home/egnyteservice/ssync.sh.
  • [Hashes ] Sample identifiers for AGENTPSD, BRICKSTORM, and PLENET – MD5 98ee964edeb5a988c3bba8ea1e57fe0e and SHA256 ee41e06ed96182ce80cd4544a6abd5d7719c4a5c0e5ddb266a83842d39b99b0a; SHA256 40d264cf9c73923932c3dfd52d20f46ff602be3fea8dc6ecc71aca46e6067bf5; SHA256 f70abe93112637d3ec2f6c5e058ccac0307ebf63e496f38588cbfc17a8f8a264; SHA256 eb141a43958802727a6c813452450c10b92704bea4474ee5fd87c0a1be326e2e.
  • [Software / systems ] Affected appliances and platforms – Egnyte Storage Sync, pfSense firewall, Synology NAS, Microsoft 365, VMware, and Google Public DNS/DoH (8.8.8.8).


Read more: https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/