Unknown intruders – likely China-linked spies – have broken into “numerous” enterprise networks since March and deployed backdoors, providing access for their long-term IP and other sensitive data stealing missions, all the while remaining undetected on average for 393 days, according to Google Threat Intelligence.
In a paper published today, the threat hunters attribute these network intrusions to UNC5221 and other related suspected Chinese threat groups. UNC5221 has been abusing zero-days in buggy Ivanti gear since at least 2023.
Google notes that this UNC crew is separate from Silk Typhoon (aka Hafnium), believed to be behind the December break-in at the US Treasury Department.
UNC in Google’s threat-group naming taxonomy stands for “Uncategorized,” as opposed to FIN (financially motivated) or APT (advanced persistent threat, which means government-backed). [Editor’s note: read all about the various security companies’ methods for naming cyber crews here… then go bang your head against the wall.]
Since March, Google’s Mandiant Consulting and incident response team have responded to these UNC5221-related break-ins across legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies.
“The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims,” Google Threat Intelligence wrote.
Don’t count on your EDR detecting this BRICKSTORM
A big reason the intruders are able to remain on victims’ networks for so long before being detected is their use of backdoors – primarily BRICKSTORM – on appliances that do not support traditional endpoint detection and response (EDR) tools. This means that victim orgs’ security teams aren’t receiving any EDR alerts about suspicious activities.
Because of this, and to help organizations hunt for BRICKSTORM activity, Mandiant made available a free, downloadable scanner to run on *nix-based appliances and other systems without requiring YARA to be installed. It works by searching for a combination of strings and hex patterns unique to the backdoor.
And while Google declined to specify how many BRICKSTORM-activity victims it has identified since March, “the important thing to focus on is this group is scaling their capabilities,” Mandiant Consulting Chief Technology Officer Charles Carmakal told The Register.
“As more companies scan their systems, we anticipate we’ll be hearing about this campaign for the next one to two years,” he said. “We have no doubt companies will use this tool and find active or historic compromises.”
In at least one case, the suspected Chinese data thieves gained initial access by exploiting a zero-day vulnerability in an Ivanti Connect Secure edge device. Google declined to say which Ivanti zero-day the miscreants abused, but pointed to an earlier report about UNC5221 poking holes in CVE-2023-46805 and CVE-2024-21887 as early as December 2023, and “widespread exploitation” after Ivanti disclosed those two vulnerabilities in January 2024.
VMware, credentials, Microsoft inboxes among the targets
Once the attackers break in, they deploy backdoors to maintain persistent access, and the one they use most is BRICKSTORM. The malware, written in Go, includes SOCKS proxy functionality. Although there is evidence of a Windows BRICKSTORM variant, Mandiant’s responders haven’t seen it firsthand; they have, however, found the backdoor on Linux and BSD-based appliances from multiple manufacturers.
Plus, UNC5221, the threat hunters note, consistently targets VMware vCenter and ESXi hosts, and “in multiple cases, the threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems.” In these instances, the intruders used valid credentials – likely stolen by the malware running on the network appliances – to move laterally to a vCenter server in the victims’ environments.
Based on malware samples recovered from various victim orgs, UNC5221 also appears to have modified BRICKSTORM, making it even more difficult to detect. Some samples, we’re told, were obfuscated using Garble, some use a new version of the custom wssoft library, and at least one had a “delay” timer built in.
This timer waited for a hard-coded future date before beginning to beacon to the configured command and control (C2) domain. “Notably, this backdoor was deployed on an internal vCenter server after the victim organization had begun their incident response investigation, demonstrating that the threat actor was actively monitoring and capable of rapidly adapting their tactics to maintain persistence,” the threat intelligence team wrote.
It’s also worth noting that Mandiant didn’t document any reuse of C2 domains – or even malware samples – and this makes traditional indicators of compromise (IOCs) largely obsolete.
In another investigation, the attackers installed a malicious Java Servlet filter for the Apache Tomcat server that runs the web interface for vCenter. This code is designed to run every time the web server receives an HTTP request. While installing a filter usually requires modifying a config file and then restarting the application, in this case the intruders used a custom dropper that made the modifications in memory, rather than requiring a restart – again adding to the stealthiness of the malware.
Mandiant tracks this malicious filter as BRICKSTEAL, and says it is able to decode the HTTP Basic authentication header, which may contain a username and password. “Many organizations use Active Directory authentication for vCenter, which means BRICKSTEAL could capture those credentials,” the report warns.
In many of these intrusions, the attackers also broke into email inboxes belonging to “key individuals.” These include developers, system administrators, and others “involved in matters that align with PRC economic and espionage interests.”
To access these inboxes, the snoops used Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes, both of which allow the application to access mail in any mailbox.
And to steal files from the victims’ systems, UNC5221 used BRICKSTORM’s SOCKS proxy feature to tunnel from their workstation and directly access systems and web applications.
Additionally, in “several” of these break-ins, the attackers removed the malware samples from the compromised systems. “In these cases, the presence of BRICKSTORM was observed by conducting forensic analysis of backup images that identified the BRICKSTORM malware in place,” according to Google.
Hunting guidance
In addition to making the scanner script available via GitHub, the Chocolate Factory also provides a lengthy section on hunting for BRICKSTORM activity on your network – while again noting that relying on IOCs isn’t the most useful way to do that when the attacker doesn’t reuse any C2 domains or malware samples. Instead, the threat intel analysts recommend a Tactics, Techniques, and Procedures (TTP)-based approach, deeming it a “necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses.”
This nine-step checklist starts with creating (or updating) an asset inventory that includes edge devices and other appliances that are generally not covered by traditional security tool stacks, including EDR products.
Next, use this inventory of appliances and their management IP addresses to hunt in network logs for indications of malware beaconing – such as appliances communicating with the public internet from a management IP address when they have no need to. Also look for appliances accessing Windows systems, credentials, and secrets, and for enterprise apps accessing Microsoft 365 Exchange Online mailboxes, since all of these are hallmarks of this attacker.
Because UNC5221 regularly targets VMware vCenter and ESXi hosts, organizations should also hunt for cloning of sensitive virtual machines, creation of local vCenter and ESXi accounts, SSH enablement on the vSphere platform, and rogue VMs. The report provides detailed instructions on how to monitor for all of this, so be sure to check it out. Happy hunting. ®
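One way the network-log portion of that checklist can be scripted, as an added illustration rather than code from Google or Mandiant: match flow records against the appliance inventory and flag management IPs talking to the internet without a documented reason, or reaching into Windows services. The inventory, flow lines, internal ranges and port list are constructed assumptions to adapt to your own environment.

```python
import ipaddress

# Constructed appliance inventory keyed by management IP (hypothetical names).
# "allowed_egress" holds documented public destinations, e.g. a vendor update host.
INVENTORY = {
    "10.10.5.20": {"name": "edge-vpn-01", "allowed_egress": {"203.0.113.10"}},
    "10.10.5.21": {"name": "vcenter-01", "allowed_egress": set()},
    "10.10.5.22": {"name": "esxi-01", "allowed_egress": set()},
}

# Assumed internal address space; anything outside it is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Windows-side services an appliance should not normally initiate connections to.
WINDOWS_PORTS = {88: "kerberos", 135: "msrpc", 389: "ldap", 445: "smb", 5985: "winrm"}

# Constructed flow records ("src dst dport"), as exported from netflow or a firewall.
FLOWS = """
10.10.5.20 203.0.113.10 443
10.10.5.21 198.51.100.7 443
10.10.5.21 198.51.100.7 443
10.10.5.22 10.10.1.5 445
10.10.8.30 198.51.100.7 443
10.10.5.21 10.10.1.5 389
""".strip().splitlines()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(inventory, flows):
    """Return sorted, de-duplicated findings: (appliance, reason, dst, dport)."""
    findings = set()
    for line in flows:
        src, dst, dport = line.split()
        dport = int(dport)
        if src not in inventory:
            continue  # not an appliance management IP; out of scope for this hunt
        name = inventory[src]["name"]
        if not is_internal(dst) and dst not in inventory[src]["allowed_egress"]:
            findings.add((name, "unexpected_internet_egress", dst, dport))
        elif is_internal(dst) and dport in WINDOWS_PORTS:
            findings.add((name, "appliance_to_windows_" + WINDOWS_PORTS[dport], dst, dport))
    return sorted(findings)
```

Each finding is a lead to investigate, not proof of compromise; the point is that these patterns are visible in network logs even on appliances where no EDR can run.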