This article details Mandiant and GTIG findings on persistent BRICKSTORM operations that target the VMware vSphere control plane (VCSA and ESXi) and the Photon OS, and it prescribes a four-phase, infrastructure-centric hardening strategy to prevent and detect those intrusions. It emphasizes Photon OS–level firewalling and logging (auditd, AIDE), strict identity/network segmentation (PAWs, PAM, Zero Trust), VM encryption, and forensic remote logging to expose actions such as startup script injections and VMDK theft. #BRICKSTORM #VCSA
Key points
- Threat actors target the vSphere control plane (VCSA and ESXi) to achieve persistence below the guest OS where EDRs do not operate, giving them full administrative control and access to VMDKs.
- These intrusions leverage weak architecture and identity design rather than zero-day product vulnerabilities, exploiting default/configuration gaps like enabled SSH/VAMI and insufficient MFA for SSO accounts.
- Mandiant recommends a four-phase hardening program: Benchmarking/base controls, Identity Management (PAWs/PAM), Network Hardening (Zero Trust segmentation and strict ingress/egress rules), and Logging/Forensic Visibility (auditd, AIDE, remote syslog).
- OS-level controls on the Photon Linux layer (iptables/nftables, auditd bridge, AIDE, remote syslog over TLS) are essential because the VAMI GUI firewall and default logging are insufficient and tamperable by a compromised vCenter admin.
- Mitigations to prevent silent data exfiltration include mandatory VM-level encryption, vTPM/Secure Boot, vMotion encryption, separate KMS for Tier-0 assets, and removing clone/export privileges from standard admin roles.
- Host-based and network-level segmentation (immutable VLANs, VRF, physical ingress/egress filtering, NSX DFW for East-West) and PAW-only management access dramatically reduce lateral movement and exposure of the management plane.
- Detection relies on behavioral telemetry (auditd syscall keys, AIDE integrity alerts, iptables drop logs, vCenter events like VmClonedEvent) forwarded to a hardened SIEM with defensible timestamps and long retention.
MITRE Techniques
- [T1078] Valid Accounts – Use of compromised or legitimate administrative credentials to access vCenter and ESXi; quote: ‘MFA on vCenter web login prevents compromised Active Directory credentials from granting full access.’
- [T1136] Create Account – Creation of transient local SSO accounts used to deploy backdoors and then deleted; quote: ‘Creates local accounts, deploys backdoors, and deletes the accounts within minutes.’
- [T1070] Indicator Removal on Host – Deleting local forensic artifacts to cover tracks, including audit logs; quote: ‘rm -rf /var/log/audit/* to delete the evidence.’
- [T1059] Command and Scripting Interpreter – Use of shell tools and scripts (sed, chmod, rpm) to modify startup scripts and execute payloads; quote: ‘Actors use sed to inject code into startup scripts and then run chmod +x.’
- [T1547] Boot or Logon Autostart Execution – Persisting via startup script injections and /etc/rc.local.d modifications to achieve persistence across reboots; quote: ‘attempts to write a persistence script to /etc/rc.local.d or modify a startup file.’
- [T1003] Credential Dumping – Memory scraping and sudo-assisted extraction of credentials/config to enable lateral movement and credential abuse (BRICKSTEAL); quote: ‘BRICKSTEAL requires sudo to scrape memory and config files.’
- [T1210] Exploit Public-Facing Application – Deploying malicious WARs via Tomcat manager (CVE-2026-22769) to gain initial access or deploy tools like SLAYSTYLE; quote: ‘Detects requests to /manager/text/deploy (CVE-2026-22769) to deploy malicious WAR files like SLAYSTYLE.’
- [T1105] Ingress Tool Transfer – Transferring/installing tooling or packages (e.g., RPM installers) onto the appliance to deploy malware; quote: ‘Detects SLAYSTYLE: Logs the execution of the RPM installer.’
- [T1005] Data from Local System – Direct access to VMDK files and underlying storage for offline exfiltration of Tier-0 assets; quote: ‘Access to the underlying storage (VMDKs) of every application, bypassing operating system permissions and traditional file system security.’
Indicators of Compromise
- [IP Address] VMware update servers referenced for allowed egress – 162.159.140.167, 172.66.0.165 (allowed VCSA update endpoints).
- [File Path] Forensic and persistence artifacts on VCSA/Photon OS – /var/log/audit/audit.log, /root/.bash_history (shell history), and other config files like /etc/audisp/plugins.d/syslog.conf.
- [Service / Port] Management-plane access vectors – TCP/5480 (VAMI), TCP/22 (SSH), TCP/443 (vCenter UI/API) used in enablement, shell access, and API sessions.
- [Malware / CVE] Named threats and exploit identifiers – BRICKSTORM, BRICKSTEAL, SLAYSTYLE, and CVE-2026-22769 (Tomcat manager deploy path exploited).
- [Log Tags / Events] High-value telemetry and event names to monitor – VmClonedEvent, VmNetworkAdapterAddedEvent, AIDE_TRAP, auditd keys like key="execpriv" and the iptables kernel message prefix VCSA_FW_DROP.
- [File Types / VM Artifacts] Virtual disk and VM metadata indicators – VMDK files and .vmx unregistered VM files referenced as targets for offline theft and hidden/rogue VMs.
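The behavioral telemetry named in the key points and in the log-tag indicators above (auditd key="execpriv", AIDE_TRAP, VCSA_FW_DROP, VmClonedEvent, VmNetworkAdapterAddedEvent) run through a small matcher of the kind a SIEM rule would implement. This is an added example, not code from the Mandiant guide; the log lines are constructed samples, and their exact layouts (auditd, AIDE, iptables LOG prefix, vCenter events as forwarded over syslog) are assumptions.

```python
import re

# Detection patterns keyed to the telemetry names the guide lists:
# auditd "execpriv" syscall key, AIDE_TRAP integrity alerts, the
# VCSA_FW_DROP iptables log prefix, and vCenter VM lifecycle events.
RULES = [
    ("auditd_execpriv",   re.compile(r'type=SYSCALL.*comm="([^"]+)".*key="execpriv"')),
    ("audit_log_wipe",    re.compile(r'type=EXECVE.*a0="rm".*a\d="/var/log/audit')),
    ("aide_trap",         re.compile(r'AIDE_TRAP.*?(/etc/\S+)')),
    ("fw_drop_mgmt_port", re.compile(r'VCSA_FW_DROP.*SRC=(\S+).*DPT=(?:22|443|5480)\b')),
    ("vm_cloned",         re.compile(r'VmClonedEvent.*?"([^"]+)"')),
    ("vm_nic_added",      re.compile(r'VmNetworkAdapterAddedEvent.*?"([^"]+)"')),
]

# Constructed sample lines (not real captures); the shapes assumed here follow
# auditd, AIDE, iptables LOG and vCenter event output as forwarded to syslog.
SAMPLE_LOG = [
    'kernel: VCSA_FW_ACCEPT IN=eth0 SRC=10.10.50.5 DST=10.10.0.20 PROTO=TCP DPT=5480',
    'kernel: VCSA_FW_DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.0.20 PROTO=TCP DPT=22',
    'type=SYSCALL msg=audit(1700000000.101:77): syscall=59 success=yes uid=0 comm="sed" exe="/usr/bin/sed" key="execpriv"',
    'type=SYSCALL msg=audit(1700000000.102:78): syscall=59 success=yes uid=0 comm="chmod" exe="/usr/bin/chmod" key="execpriv"',
    'AIDE_TRAP: changed: /etc/rc.local.d/local.sh',
    'VmClonedEvent: Clone of VM "dc01" completed by VSPHERE.LOCAL\\svc-tmp',
    'VmNetworkAdapterAddedEvent: Network adapter added to VM "dc01-clone" on portgroup mgmt',
    'type=EXECVE msg=audit(1700000000.150:85): argc=3 a0="rm" a1="-rf" a2="/var/log/audit/*"',
    'type=USER_LOGIN msg=audit(1700000000.200:90): uid=0 auid=1000 res=success',
]

def scan(lines):
    """Return (rule_name, detail) for every line matching a rule; the detail
    is the first capture group (binary, path, source IP or VM name)."""
    findings = []
    for line in lines:
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                detail = match.group(1) if match.lastindex else match.group(0)
                findings.append((name, detail))
    return findings

def by_rule(findings):
    """Count hits per rule so an alert can threshold on, e.g., repeated drops."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_LOG):
        print(f"{name:18} {detail}")
```

The allowed PAW session (VCSA_FW_ACCEPT) and the routine USER_LOGIN record produce no findings; the dropped SSH attempt, the privileged sed/chmod, the startup-script change, the clone and NIC events, and the audit-log wipe each do.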
Read more: https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/