"Brickstorm" backdoor in VMware vSphere: Warning of attack from China
CISA and the NSA warn of a sophisticated attack on VMware technology, with which actors from China could secure persistent access.
(Image: ND700/Shutterstock.com)
The cybersecurity agencies of the USA and Canada, as well as the NSA, warn of a sophisticated attack on VMware vSphere in which actors in the service of the People's Republic of China are securing persistent access to the systems of governments and IT companies. The agencies and the intelligence service have named the backdoor "Brickstorm". The Cybersecurity and Infrastructure Security Agency (CISA) offers a detailed analysis, lists indicators of compromise, and provides recommendations for protection "against the widespread attack" from China. Eight samples from attacked organizations were analyzed for this purpose.
Urgent appeal to potential targets
According to the summary, the sophisticated malware can hide its communication, spread within infected networks, and automatically reinstall itself after an interruption. Those responsible are said to use the malware to secure persistent access. That access could be used to steal credentials and to create hidden virtual machines, among other things, adds the Canadian Centre for Cyber Security. Operators of critical infrastructure, especially authorities and IT companies, should definitely check whether their systems are compromised and report it if necessary.
The warning, now published, underscores the "serious threat" posed by the People's Republic of China and the associated ongoing cybersecurity risks and costs for the USA, its allies, and necessary critical infrastructure, says CISA Director Madhu Gottumukkala: "These state-sponsored actors are not just infiltrating networks – they are embedding themselves to gain long-term access and enable disruption and sabotage." Therefore, the threat must be met with the appropriate seriousness. Speaking to Reuters, VMware's parent company Broadcom stated that they are aware of the warnings and are urging customers to update their technology. China has rejected the accusations.
(mho)