The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders of Chinese hackers backdooring VMware vSphere servers with Brickstorm malware.
In a joint malware analysis report with the National Security Agency (NSA) and the Canadian Centre for Cyber Security, CISA says it analyzed eight Brickstorm malware samples.
The samples were recovered from victim organizations' networks, where the attackers specifically targeted VMware vSphere servers: they created hidden rogue virtual machines to evade detection and cloned virtual machine snapshots, which can then be mined offline for credentials.
As noted in the advisory, Brickstorm wraps its command-and-control traffic in multiple layers (HTTPS, WebSockets, and nested TLS inside the outer channel), includes a SOCKS proxy for tunneling and lateral movement within compromised networks, and resolves its infrastructure over DNS-over-HTTPS (DoH), so that its name lookups bypass the organization's resolvers and DNS logging. To maintain persistence, Brickstorm also includes a self-monitoring function that automatically reinstalls or restarts the malware if it is stopped.
While investigating one of the incidents, CISA found that the Chinese hackers compromised a web server in the organization's demilitarized zone (DMZ) in April 2024, then moved laterally to an internal VMware vCenter server, where they deployed the malware.
The attackers also compromised two domain controllers on the victim's network and, after breaching an Active Directory Federation Services (ADFS) server, exported its cryptographic keys (if these include the token-signing key, they can be used to forge federated authentication tokens). The Brickstorm implant allowed them to maintain access to the breached systems from at least April 2024 through September 2025.
After obtaining system access, they were also observed capturing the Active Directory database and taking system backups, a way of harvesting legitimate credentials and other sensitive data offline.
Hackers' lateral movement in the victim's network (CISA)
To detect the attackers' presence on their networks and block further intrusion attempts, CISA advises defenders (especially those at critical infrastructure and government organizations) to scan for Brickstorm backdoor activity using the agency's YARA and Sigma rules, and to block outbound DNS-over-HTTPS traffic to any resolver the organization has not explicitly authorized, along with other unapproved external traffic.
They should also inventory all network edge devices, monitor them for suspicious activity, and segment the network so that traffic from the DMZ into internal networks is restricted.
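One way to act on the DoH advice above, as an added example that is not part of CISA's report or its YARA/Sigma rules: the Python script below scans constructed web-proxy log lines for DNS-over-HTTPS requests (RFC 8484 markers, namely the /dns-query path and the application/dns-message media type, or a well-known public resolver hostname) and flags any whose resolver is not on a hypothetical organizational allowlist (doh.corp.example). The log format, the allowlist, and the sample lines are assumptions made for this example.

```python
"""Detect DNS-over-HTTPS (DoH) requests to resolvers outside an allowlist.

Added example for this article; it is not CISA's YARA/Sigma content.
The log format, the allowlist, and the sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical allowlist: the only DoH resolver this organization sanctions.
ALLOWED_DOH_RESOLVERS = {"doh.corp.example"}

# Hostnames of well-known public DoH resolvers (illustrative, not exhaustive).
KNOWN_PUBLIC_DOH_RESOLVERS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# RFC 8484 fingerprints: the conventional /dns-query path (GET carries the
# base64url-encoded query in ?dns=) and the application/dns-message media type.
DNS_QUERY_PATH = re.compile(r"^/dns-query(?:\?|$)")
DNS_MESSAGE_MEDIA_TYPE = "application/dns-message"

# Constructed proxy log lines, whitespace-separated:
# timestamp src_ip method host path content_type ("-" when absent)
SAMPLE_PROXY_LOG = [
    "2024-04-12T10:01:02Z 10.10.5.21 GET www.example.com /index.html text/html",
    "2024-04-12T10:01:05Z 10.10.5.21 POST doh.corp.example /dns-query application/dns-message",
    "2024-04-12T10:02:17Z 10.10.7.44 POST dns.google /dns-query application/dns-message",
    "2024-04-12T10:02:30Z 10.10.7.44 GET cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB -",
    "2024-04-12T10:03:11Z 10.10.9.8 POST cdn.vendor.example /dns-query application/dns-message",
    "2024-04-12T10:03:40Z 10.10.9.8 GET cdn.vendor.example /static/app.js application/javascript",
    "malformed line",
]


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    host: str
    reasons: list


def doh_indicators(host: str, path: str, content_type: str) -> list:
    """Return the DoH indicators present in one request (empty list if none)."""
    reasons = []
    if host in KNOWN_PUBLIC_DOH_RESOLVERS:
        reasons.append("known public DoH resolver")
    if DNS_QUERY_PATH.match(path):
        reasons.append("/dns-query path")
    if content_type == DNS_MESSAGE_MEDIA_TYPE:
        reasons.append("application/dns-message body")
    return reasons


def find_unauthorized_doh(log_lines) -> list:
    """Flag DoH requests whose resolver is not on the allowlist."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the expected format
        timestamp, src_ip, _method, host, path, content_type = fields
        reasons = doh_indicators(host, path, content_type)
        if reasons and host not in ALLOWED_DOH_RESOLVERS:
            findings.append(Finding(timestamp, src_ip, host, reasons))
    return findings


def summarize_by_source(findings) -> dict:
    """Count flagged DoH requests per source IP to prioritize which hosts to examine."""
    return dict(Counter(f.src_ip for f in findings))


if __name__ == "__main__":
    hits = find_unauthorized_doh(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.src_ip} -> {hit.host}: {', '.join(hit.reasons)}")
    print("per-source counts:", summarize_by_source(hits))
```

The third sample line matters most: cdn.vendor.example is not a known resolver, but the /dns-query path and application/dns-message body still expose it as a DoH endpoint on an arbitrary host. A client that uses a custom path and media type would evade these content checks, so this detection complements, rather than replaces, egress allowlisting at the proxy or firewall, which is where the blocking CISA recommends actually has to happen.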