The Mandiant and Google Threat Intelligence Group has been responding to and monitoring malware dubbed BRICKSTORM targeting “a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology.” According to Mandiant/Google, “the value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.”
Mandiant/Google believe the threat actors behind BRICKSTORM are closely related “China-nexus threat clusters.” The threat actors are using highly sophisticated means, including exploiting zero-day vulnerabilities targeting network appliances. The threat actors appear to have the goal of
long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools. The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.
To respond to the threat, Mandiant “strongly encourages organizations to reevaluate their threat model for appliances and conduct hunt exercises for this highly evasive actor.” In order to assist organizations to hunt and protect, Mandiant has provided details on the threat actor lifestyle, including how the threat actor evades detection upon initial intrusion by using anti-forensic tools, establishes a foothold in the victim’s system, escalates privileges, moves laterally, and establishes persistence and completes its mission.
Mandiant has provided hunting guidance, a scanner script for BRICKSTORM, and other mitigation techniques that it urges organizations to consider. If your organization is part of the target industries, including legal services, prioritize hunting and protecting from BRICKSTORM.
[View source.]
