Chinese hackers have been targeting VMware vSphere servers with the Brickstorm malware, aiming to steal credentials and maintain long-term access. The joint advisory from CISA, the NSA, and the Cyber Security Centre highlights detection and prevention strategies for organizations. #Brickstorm #WarpPanda
Key points
- Brickstorm malware was used by Chinese hackers to compromise VMware vSphere environments.
- The malware employs multiple encryption layers and tunneling techniques for covert communication.
- Attackers moved laterally from DMZ web servers to internal VMware vCenter and domain controllers.
- Cryptographic keys and Active Directory data were stolen to facilitate ongoing access.
- CISA recommends scanning with YARA and Sigma rules, blocking unauthorized DNS-over-HTTPS, and network segmentation.
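One of the recommended controls above is blocking DNS-over-HTTPS (DoH) to resolvers the organization has not approved, since DoH lets a host resolve names through an encrypted HTTPS channel that ordinary DNS monitoring never sees. The script below is an added example (not code from the advisory or from any of the agencies named) that shows the detection side of that control: it parses outbound web-proxy log lines and flags DoH requests (identified by the RFC 8484 `application/dns-message` media type or the conventional `/dns-query` path) whose destination host is not on an allowlist. The log format, the hostnames and the allowlist are all constructed for illustration; adapt the regular expression to your proxy's real log layout.

```python
"""Flag DNS-over-HTTPS requests to resolvers outside an approved allowlist.

Added example; the log format, hosts and allowlist below are constructed
for illustration and are not indicators from the advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Hypothetical enterprise-approved DoH resolver(s). Anything else is unauthorized.
APPROVED_DOH_RESOLVERS: Set[str] = {"doh.corp.example"}

# RFC 8484 conventions: the DoH wire-format media type and the usual endpoint path.
DOH_CONTENT_TYPE = "application/dns-message"
DOH_PATH_HINT = "/dns-query"

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <content-type> <status>"
SAMPLE_PROXY_LOG = """\
2024-01-10T10:00:01Z 10.0.5.14 POST https://doh.corp.example/dns-query application/dns-message 200
2024-01-10T10:00:02Z 10.0.5.14 GET https://www.example.com/index.html text/html 200
2024-01-10T10:00:03Z 10.0.9.77 POST https://resolver.external.invalid/dns-query application/dns-message 200
2024-01-10T10:00:04Z 10.0.9.77 GET https://resolver.external.invalid/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message 200
2024-01-10T10:00:05Z 10.0.3.21 POST https://cdn.example.net/api/upload application/json 201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ctype>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class DohFinding:
    """One unauthorized DoH request observed in the proxy log."""
    ts: str
    src_ip: str
    resolver_host: str
    reason: str  # which DoH indicator matched


def classify_line(line: str) -> Optional[DohFinding]:
    """Return a finding if the line is a DoH request to a non-approved resolver."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line; skip rather than crash
    parsed = urlparse(m.group("url"))
    host = parsed.hostname or ""
    ctype = m.group("ctype")
    # Two independent indicators: the DoH media type is the strongest signal;
    # the /dns-query path catches resolvers that mislabel the content type.
    if ctype == DOH_CONTENT_TYPE:
        reason = "doh-media-type"
    elif parsed.path == DOH_PATH_HINT:
        reason = "doh-path"
    else:
        return None
    if host in APPROVED_DOH_RESOLVERS:
        return None  # sanctioned resolver; expected traffic
    return DohFinding(m.group("ts"), m.group("src"), host, reason)


def find_unauthorized_doh(log_text: str) -> List[DohFinding]:
    """Scan a whole log and collect every unauthorized DoH request."""
    findings = []
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


def unauthorized_resolvers(log_text: str) -> Set[str]:
    """Distinct non-approved DoH hosts seen, i.e. candidates for a proxy block rule."""
    return {f.resolver_host for f in find_unauthorized_doh(log_text)}


if __name__ == "__main__":
    for f in find_unauthorized_doh(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.src_ip} -> {f.resolver_host} ({f.reason})")
    print("block candidates:", sorted(unauthorized_resolvers(SAMPLE_PROXY_LOG)))
```

On the constructed log, the two requests from 10.0.9.77 to `resolver.external.invalid` are flagged and the approved corporate resolver is ignored. In practice the allowlist is the part worth maintaining carefully: the detection is only as good as the list of resolvers the organization has actually sanctioned, and a host that is allowed to use DoH should still resolve through a resolver whose query logs you can retain.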