CISA Warns of ‘Ongoing’ Brickstorm Backdoor Attacks

Summary

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about “ongoing intrusions” by PRC-linked actors using the Brickstorm backdoor to target VMware vSphere environments, primarily at government and information-technology organisations. The advisory and a joint malware analysis with the NSA and the Canadian Cyber Security Centre build on earlier reporting by Mandiant and attribute sophisticated persistence and evasion capabilities to Brickstorm.

Brickstorm is a Go-based backdoor that can reinstall itself and communicates over layered, encrypted command-and-control channels (HTTPS, WebSockets, nested TLS), using DNS-over-HTTPS (DoH) to blend its traffic with legitimate web activity. Recent intrusions focused on vCenter servers: attackers stole VM snapshots to extract credentials, created hidden rogue VMs and maintained long-term access. One documented intrusion started from a DMZ web server, escalated via service accounts and RDP to domain controllers, exfiltrated Active Directory data and MSP credentials, and moved into VMware infrastructure, with access lasting months.

The agencies did not attribute the activity to a named PRC group, though CrowdStrike has flagged a China-linked cluster called Warped Panda using Brickstorm in similar intrusions. Recommended mitigations include patching vSphere, inventorying and monitoring edge devices, disabling RDP/SMB from DMZ to internal networks, tightening service account privileges, and blocking unauthorised DoH and suspicious outbound traffic from VMware hosts.

Key Points

  • CISA warns of ongoing Brickstorm backdoor intrusions targeting VMware vSphere in government and IT organisations.
  • Brickstorm offers robust persistence (self-reinstall) and multi-layer encrypted C2 channels including DoH to blend with legitimate traffic.
  • Attack chain observed: initial access via DMZ web server → service account credential theft → lateral RDP movement → AD database exfiltration → MSP credential use → VMware vCenter compromise.
  • Once in vCenter, attackers can steal VM snapshots for credential extraction and spin up hidden rogue VMs to retain access.
  • Agencies recommend patching vSphere, inventorying network edge devices, disabling RDP/SMB from DMZ, restricting service-account permissions, and blocking unauthorised DoH.
  • CrowdStrike links a group called Warped Panda to similar activity, but the joint agency report does not name a specific PRC-backed group for the recent intrusions.
  • Hardening VMware: monitor for unsanctioned VMs, restrict outbound Internet from ESXi and vCenter, and consider disabling SSH on ESXi hosts.
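An added detection example for the last two points (my code, not the advisory's or the article's): it scans constructed proxy-log lines and flags DoH and any non-allowlisted HTTPS egress from vSphere management hosts. The host names, the egress allowlist and the log lines are assumed placeholders.

```python
from collections import namedtuple

# Constructed placeholders: vSphere management hosts, their egress allowlist
# (e.g. a patch repository) and a constructed proxy log. Not from the advisory.
VSPHERE_HOSTS = {"vcenter01.corp.example", "esxi01.corp.example", "esxi02.corp.example"}
EGRESS_ALLOWLIST = {"hostupdate.vmware.com"}
# Public DoH resolvers; RFC 8484 DoH uses the /dns-query path and the
# application/dns-message media type, both of which a TLS-inspecting proxy can log.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Fields: source host, destination host, destination port, HTTP path, content type.
Flow = namedtuple("Flow", "src dst_host dst_port path content_type")

SAMPLE_LOG = """\
esxi01.corp.example hostupdate.vmware.com 443 /patch -
esxi01.corp.example dns.google 443 /dns-query application/dns-message
vcenter01.corp.example 203.0.113.10 443 /ws -
workstation07.corp.example dns.google 443 /dns-query application/dns-message
""".splitlines()


def parse_line(line):
    """Parse one space-separated constructed log line into a Flow."""
    src, dst_host, port, path, ctype = line.split()
    return Flow(src, dst_host, int(port), path, ctype)


def classify(flow):
    """Return finding labels for one outbound flow from a vSphere host."""
    if flow.src not in VSPHERE_HOSTS:
        return []  # only the management plane is in scope here
    findings = []
    is_doh = (flow.dst_host in DOH_HOSTS
              or flow.path == "/dns-query"
              or flow.content_type == "application/dns-message")
    if is_doh:
        findings.append("doh-from-vsphere-host")
    elif flow.dst_port == 443 and flow.dst_host not in EGRESS_ALLOWLIST:
        findings.append("unsanctioned-egress")  # HTTPS/WebSocket C2 would land here
    return findings


def scan(lines):
    """Return (src, dst_host, findings) for every flow that raised a finding."""
    results = []
    for flow in map(parse_line, lines):
        findings = classify(flow)
        if findings:
            results.append((flow.src, flow.dst_host, findings))
    return results
```

Feeding real proxy or NetFlow exports through `parse_line` needs only a field mapping; the allowlist should stay short, because every sanctioned destination is one the backdoor could also hide behind.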

Context and relevance

This advisory sits at the intersection of two persistent trends: nation-state actors focusing on cloud/virtualisation management planes, and attackers using encrypted, blended channels (like DoH) to evade detection. Organisations that rely on VMware for critical infrastructure or provide managed services should treat vCenter and ESXi hosts as high-value targets and prioritise hardening and monitoring accordingly.

Author note (punchy)

If you run vSphere or manage MSP accounts, this is not one to skim. The report shows how a single compromised service account can be leveraged into full-blown, long-term access. Read the mitigation list and act — fast.

Why should I read this?

Short version: if your kit runs VMware, someone clever is trying to hide in it. This piece tells you how Brickstorm works, how attackers move from the DMZ into vCenter, and — most importantly — which practical steps actually reduce your risk. Handy if you want to skip wading through the full agency report but still know what to do next.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/cisa-ongoing-brickstorm-backdoor-attacks