Ethical Hacking News
Chinese spies have been breaking into numerous enterprise networks since March, deploying backdoors such as BRICKSTORM to remain undetected for 393 days on average. The suspected Chinese threat group, UNC5221, has exploited zero-day vulnerabilities in Ivanti gear and consistently targets VMware vCenter and ESXi hosts. Organizations should use Mandiant's free scanner to detect this activity and hunt for patterns of attack that traditional signature-based defenses are unlikely to catch.
Google Threat Intelligence has identified a suspected Chinese spy group (UNC5221) that has been breaking into enterprise networks since March, deploying backdoors such as BRICKSTORM. The threat hunters attribute these network intrusions to UNC5221 and other related suspected Chinese threat groups. BRICKSTORM is a highly persistent backdoor that remains undetected for 393 days on average. Mandiant has made available a free scanner to help organizations detect BRICKSTORM activity. The attackers are using zero-day vulnerabilities, including those in Ivanti Connect Secure edge devices, to gain initial access to enterprise networks. BRICKSTORM is written in Go and includes SOCKS proxy functionality; it runs on Linux and BSD-based appliances that do not support traditional EDR tools, which is why it goes unnoticed for so long. The attackers have modified BRICKSTORM to evade detection, using obfuscation techniques such as Garble. Mandiant provides a nine-step checklist for organizations to hunt for BRICKSTORM activity and detect patterns of attack that traditional security tool stacks are unlikely to catch.
Google Threat Intelligence has recently published a paper highlighting the activities of suspected Chinese spies who have been breaking into numerous enterprise networks since March, deploying backdoors such as BRICKSTORM, which has enabled them to remain undetected on average for 393 days. The threat hunters attribute these network intrusions to UNC5221 and other related suspected Chinese threat groups.
The paper notes that this UNC crew is separate from Silk Typhoon (aka Hafnium), believed to be behind the December break-in at the US Treasury Department. Google's Mandiant Consulting and incident response team have responded to these UNC5221-related break-ins across legal services, software as a service providers, business process outsourcers, and technology companies.
The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims. The intruders are able to remain on victim networks for so long before being detected due to their use of backdoors – primarily BRICKSTORM – on appliances that do not support traditional endpoint detection and response (EDR) tools.
This means that security teams aren't receiving any EDR alerts about suspicious activities. To help organizations hunt for BRICKSTORM activity, Mandiant made available a free, downloadable scanner to run on *nix-based appliances and other systems without requiring YARA to be installed. The scanner works by searching for a combination of strings and hex patterns unique to the backdoor.
Mandiant's Chief Technology Officer Charles Carmakal stated that "the important thing to focus on is this group is scaling their capabilities." He also noted that as more companies scan their systems, they will find active or historic compromises. Carmakal predicted that organizations will use this tool and find active or historic compromises for the next one to two years.
In at least one case, the suspected Chinese data thieves gained initial access by exploiting a zero-day vulnerability in an Ivanti Connect Secure edge device. Google declined to say which Ivanti zero-day the miscreants abused but pointed to earlier reports about UNC5221 poking holes in CVE-2023-46805 and CVE-2024-21887 as early as December 2023.
Once the attackers break into enterprise networks, they deploy backdoors to maintain persistent access, with BRICKSTORM being the most commonly used malware. The BRICKSTORM backdoor is written in Go and includes SOCKS proxy functionality. It has been observed on Linux and BSD-based appliances from multiple manufacturers but not on Windows.
UNC5221 targets VMware vCenter and ESXi hosts consistently, deploying BRICKSTORM to a network appliance prior to pivoting to these systems. In some cases, the threat actor used valid credentials – likely stolen by malware running on the network appliances – to move laterally to a vCenter server in the victims' environments.
The attackers have also modified BRICKSTORM, making it even more difficult to detect. Some versions were obfuscated using Garble, while others use a new version of the custom wssoft library, and at least one had a built-in "delay" timer that waited for a hard-coded future date before beginning to beacon to the configured command and control (C2) domain.
The attackers also installed a malicious Java Servlet filter for the Apache Tomcat server that runs the web interface for vCenter. This code is designed to run every time the web server receives an HTTP request but uses a custom dropper that makes modifications in memory instead of requiring a restart.
Mandiant tracks this malicious filter as BRICKSTEAL, which can decode the HTTP Basic authentication header, potentially capturing sensitive credentials such as usernames and passwords. In some intrusions, the attackers broke into email inboxes belonging to "key individuals" including developers, system administrators, and others involved in matters aligning with PRC economic and espionage interests.
The attackers used Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to access these inboxes. To steal files from victim systems, UNC5221 used BRICKSTORM's SOCKS proxy feature to tunnel from their workstation directly into systems and web applications.
In some cases, the attackers removed malware samples from compromised systems but were detected through forensic analysis of backup images that identified BRICKSTORM presence.
To help organizations detect this activity, Mandiant provides a lengthy section on hunting for BRICKSTORM activity on your network. The threat intel analysts recommend a Tactics, Techniques, and Procedures (TTP)-based approach to detect patterns of attack unlikely to be detected by traditional signature-based defenses.
The nine-step checklist starts with creating or updating an asset inventory that includes edge devices and other appliances generally not covered by traditional security tool stacks, including EDR products. It then instructs users to use this inventory to hunt for indications of malware beaconing in network logs, such as appliances communicating with the public internet from a management IP address when they have no need to.
Organizations should also hunt for cloning of sensitive virtual machines, creation of local vCenter and ESXi accounts, SSH enablement on the vSphere platform, and rogue VMs. The report provides detailed instructions on how to monitor for these activities.
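The beaconing hunt described in the checklist above, as an added example that is not Mandiant's scanner or any code from the report: it takes a constructed asset inventory of appliance management IPs and constructed flow log lines, flags flows from those addresses to non-internal destinations, and marks recurring connections with regular intervals as likely beacons. All IPs, hostnames and log lines are constructed sample data.

```python
"""Hunt for appliance beaconing from management IPs (added example, not Mandiant's code)."""
import ipaddress
from collections import defaultdict

# Constructed inventory: management IPs of appliances outside EDR coverage.
MGMT_INVENTORY = {
    "10.0.5.10": "vcenter-01",
    "10.0.5.20": "esxi-host-03",
    "10.0.9.2": "ivanti-ics-edge",
}

# Networks that a management interface may legitimately talk to (assumed: RFC1918 + local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
1700000000 10.0.5.10 10.0.1.50 443 1200
1700000000 10.0.9.2 203.0.113.7 443 812
1700000300 10.0.9.2 203.0.113.7 443 815
1700000600 10.0.9.2 203.0.113.7 443 810
1700000010 10.0.5.20 10.0.1.50 902 53000
1700000100 10.0.7.7 203.0.113.9 80 400
"""

def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield (timestamp, src, dst, port, bytes) tuples from the flow log text."""
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        yield int(ts), src, dst, int(port), int(nbytes)

def find_suspect_beacons(flows, inventory, min_hits=3, jitter=60):
    """Group external flows by (mgmt_ip, dst, port); flag evenly spaced repeats as beacons."""
    hits = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if src in inventory and not is_internal(dst):
            hits[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in hits.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = len(stamps) >= max(min_hits, 2) and (max(gaps) - min(gaps)) <= jitter
        findings.append({"asset": inventory[src], "src": src, "dst": dst,
                         "port": port, "count": len(stamps), "regular": regular})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_beacons(parse_flows(SAMPLE_FLOWS), MGMT_INVENTORY):
        print(finding)
```

Any hit is worth a look; a `regular` hit from an appliance that should never reach the internet is the pattern the checklist tells you to chase first.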
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-Spies-Exploitation-of-Ivanti-Gear-and-BRICKSTORM-Backdoors-A-Threat-to-Global-Enterprise-Networks-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/24/google_china_spy_report/
https://en.wikipedia.org/wiki/HAFNIUM_(group)
https://attack.mitre.org/groups/G0125/
Published: Wed Sep 24 11:11:45 2025 by llama3.2 3B Q4_K_M