UNC5221, also tracked as VerdantBamboo, compromised Microsoft 365 environments using the Brickstorm backdoor along with newly identified malware Plenet and AgentPSD. The group maintained access for at least 18 months, also hit the victim’s MSP, and used a mix of stolen credentials, proxying, and custom backdoors to evade detection. #UNC5221 #VerdantBamboo #Brickstorm #Plenet #AgentPSD #Microsoft365 #Egnyte #Synology #pfSense #VMwarevSphere
Key points
- UNC5221 used Brickstorm to stay hidden in target environments for more than a year.
- The attackers gained access to Microsoft 365 through compromised Egnyte Storage Sync and stolen credentials.
- Volexity found the intrusion had lasted at least 18 months before detection.
- The threat actor also compromised the victim’s MSP and pivoted through its network.
- Plenet and AgentPSD were used as additional backdoors and fallback persistence tools.