- Google warns that UNC5221 has been targeting legal, technology and SaaS companies with Brickstorm malware for more than a year
- The campaign aims at espionage, intellectual property theft and long-term infrastructure access
- Mandiant urges TTP-based threat hunting and stronger authentication to counter future attacks
US organizations in the legal, technology, SaaS and business process outsourcing sectors have been targeted by a new variant of the Brickstorm malware for more than a year, leading to significant data loss, experts have warned.
Google's Threat Intelligence Group (GTIG) found that the threat actor behind the campaign is UNC5221, a suspected China-nexus actor known for stealthy operations and long-term persistence.
The group initially targeted zero-day vulnerabilities in Linux- and BSD-based appliances, which are often overlooked in asset inventories and excluded from central logging, making them an ideal foothold for attackers.
Cyber-espionage
Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials and exfiltrate data while generating minimal telemetry. In some cases the malware remained undetected for more than a year, with the average dwell time reported to be a striking 393 days.
In many cases, they pivoted from edge appliances to VMware vCenter and ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.
To maintain persistence, they modified startup scripts and deployed webshells that allowed remote command execution. They also cloned sensitive virtual machines without ever powering them on, thereby avoiding triggering security tools.
The campaign's objectives appear to span geopolitical espionage, intellectual property theft and access operations.
Since law firms were also targeted, the researchers suspect UNC5221 was interested in US national security and trade matters, while the targeting of SaaS providers could have been used to pivot into downstream customer environments.
To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques and procedures (TTPs) rather than atomic indicators, which have proved unreliable because of the actor's operational discipline.
The researchers have urged businesses to update asset inventories, monitor appliance traffic and enforce multi-factor authentication.