- Google warns UNC5221 targeted US legal, tech and SaaS companies with Brickstorm malware for over a year
- Campaign aimed at espionage, intellectual property theft and prolonged infrastructure access
- Mandiant calls for TTP-based threat hunting and stronger authentication to address future attacks
US organizations across the legal, technology, SaaS and business process outsourcing sectors were targeted for over a year by a new malware variant named Brickstorm, leading to significant data loss, experts have warned.
Google's Threat Intelligence Group (GTIG) attributed the campaign to UNC5221, a suspected China-nexus threat actor known for stealthy operations and prolonged persistence.
The group first targeted zero-day vulnerabilities in Linux and BSD-based appliances, which are often overlooked in asset inventories and excluded from central logging. As such, they make an ideal foothold for attackers.
Cyber-espionage
Once inside, UNC5221 used Brickstorm to move laterally, harvest information and exfiltrate data with minimal telemetry. In some cases the malware remained undetected for more than a year, with the average dwell time reported to be a striking 393 days.
In many cases they pivoted from edge appliances to VMware vCenter and ESXi hosts, using stolen credentials to deploy Brickstorm and escalate privileges.
To maintain persistence, they modified startup scripts and deployed web shells that enabled remote command execution. They also cloned sensitive virtual machines without ever powering them on, thereby avoiding the triggering of security tools.
The campaign’s goal seems to span geopolitical espionage, intellectual property theft and access operations.
Since law firms were also targeted, the researchers suspect UNC5221 was interested in US national security and trade matters, while the targeted SaaS providers could have been used to pivot into downstream customer environments.
To counter Brickstorm, Mandiant recommends a threat-hunting approach based on tactics, techniques and procedures (TTPs) rather than atomic indicators, which have proven unreliable due to the actor's operational discipline.
The researchers urged companies to update asset inventories, monitor appliance traffic and enforce multifactor authentication.
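One way to put the TTP-based hunting recommendation into practice is to hunt for the behaviour described above (sensitive VMs cloned but never powered on) rather than for file hashes or IP addresses. The following is an added example written for this article; it is not code from Google, Mandiant or the report. The event records are constructed and simplified, not real vCenter log output, and the list of sensitive source VMs and the 24-hour grace window are assumptions a defender would tune to their own environment.

```python
"""TTP-style hunt: flag virtual machines that were cloned but never powered on.

The idea is behavioural: a legitimate clone is normally powered on soon after
creation, while a clone taken only to read its disk offline (the TTP described
in the article) never is, and is often deleted afterwards.
"""
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (NOT real vCenter logs).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:14:00", "type": "VmClonedEvent",    "user": "svc-backup", "src": "dc01",    "vm": "dc01-clone"},
    {"ts": "2025-03-01T02:40:00", "type": "VmClonedEvent",    "user": "jdoe",       "src": "web02",   "vm": "web02-test"},
    {"ts": "2025-03-01T02:45:00", "type": "VmPoweredOnEvent", "user": "jdoe",       "vm": "web02-test"},
    {"ts": "2025-03-01T03:10:00", "type": "VmClonedEvent",    "user": "svc-backup", "src": "vault01", "vm": "tmp-0x1f"},
    {"ts": "2025-03-02T09:00:00", "type": "VmRemovedEvent",   "user": "svc-backup", "vm": "tmp-0x1f"},
]

# Assumed set of high-value source VMs an organisation would tag as sensitive.
SENSITIVE_VMS = {"dc01", "vault01", "vcsa01"}
# Assumed grace period: how long to wait for a legitimate clone to be powered on.
GRACE = timedelta(hours=24)


def _ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def hunt_clone_ttp(events, sensitive=SENSITIVE_VMS, grace=GRACE):
    """Return one finding per clone that was not powered on within `grace`.

    Each finding carries the clone name, its source VM, the acting user, the
    clone timestamp and a list of reasons explaining why it was flagged.
    """
    events = sorted(events, key=lambda e: e["ts"])
    first_power_on = {}  # vm name -> first power-on time
    removed = {}         # vm name -> removal time
    for e in events:
        if e["type"] == "VmPoweredOnEvent":
            first_power_on.setdefault(e["vm"], _ts(e["ts"]))
        elif e["type"] == "VmRemovedEvent":
            removed.setdefault(e["vm"], _ts(e["ts"]))

    findings = []
    for e in events:
        if e["type"] != "VmClonedEvent":
            continue
        cloned_at = _ts(e["ts"])
        powered_on = first_power_on.get(e["vm"])
        if powered_on is not None and powered_on - cloned_at <= grace:
            continue  # expected behaviour: clone was powered on promptly
        reasons = ["clone_never_powered_on"]
        if e["src"] in sensitive:
            reasons.append("sensitive_source")
        if e["vm"] in removed:
            reasons.append("removed_without_poweron")  # clone, read offline, delete
        findings.append({
            "vm": e["vm"], "src": e["src"], "user": e["user"],
            "ts": e["ts"], "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_clone_ttp(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']} cloned {f['src']} -> {f['vm']}: {', '.join(f['reasons'])}")
```

On the constructed sample, the clone of `web02` is ignored because it was powered on five minutes later, while the clones of `dc01` and `vault01` are flagged, the latter with the additional reason that it was deleted without ever running. Because the rule keys on behaviour, it keeps working when the actor rotates tooling, infrastructure or VM naming, which is exactly why atomic indicators were reported to be unreliable here; the trade-off is that the grace window and sensitive-VM list need tuning against legitimate backup and test workflows.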