Chinese cyberspies target VMware vSphere for long-term persistence

/etc/sysconfig/ directory.

Designed to work in virtualized environments: The CISA, NSA, and Canadian Cyber Center analysts note that some of the BRICKSTORM samples are virtualization-aware and create a virtual socket (VSOCK) interface that enables inter-VM communication and data exfiltration.

The malware also checks the environment upon execution to ensure it is running as a child process and from a specific path. This is part of a set of self-monitoring capabilities that ensure its persistence by reinstalling and executing itself if it detects that something is not running correctly.

The malware mimics web server functionality for its command-and-control (C2) communication to blend in with legitimate traffic. It also provides a SOCKS5 proxy for attackers to tunnel traffic during lateral movement operations.

In terms of features, BRICKSTORM allows threat actors to browse the file system and execute shell commands, providing them with complete control over the compromised system.

“Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package wssoft2 to manage incoming network connections and to process commands it receives,” the CISA analysts said. “Commands are directed to one of three handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.”

Mitigations: The joint advisory includes indicators of compromise for the analyzed samples as well as YARA and Sigma detection rules. The agencies also make the following recommendations:

- Upgrade VMware vSphere servers to the latest version.
- Harden your VMware vSphere environments by applying VMware’s guidance.
- Take inventory of all network edge devices and monitor for any suspicious network connectivity originating from these devices.
- Ensure proper network segmentation restricts network traffic from the DMZ to the internal network.
- Disable RDP and SMB from the DMZ to the internal network.
- Apply the principle of least privilege and restrict service accounts to only needed permissions.
- Increase monitoring for service accounts, which are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day).
- Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic to reduce unmonitored communications.
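The service-account monitoring recommendation above can be turned into a simple baseline check: learn the hours and source hosts each account normally authenticates from, then flag new events that break that pattern. This is an added illustration, not code from the advisory or the article; the account names, hosts and log lines are constructed, and the one-hour tolerance is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: "<ISO-8601 UTC timestamp> <account> <source host>" (not advisory data).
BASELINE_LOG = """\
2024-05-01T02:00:11Z svc_backup vcenter01
2024-05-02T02:00:09Z svc_backup vcenter01
2024-05-03T02:00:14Z svc_backup vcenter01
2024-05-01T03:15:00Z svc_scan esxi01
2024-05-02T03:15:02Z svc_scan esxi02
2024-05-03T03:14:58Z svc_scan esxi01
"""
# Constructed new events to check against the baseline.
NEW_LOG = """\
2024-05-05T02:00:12Z svc_backup vcenter01
2024-05-05T14:37:51Z svc_backup esxi07
2024-05-05T03:15:03Z svc_scan esxi02
2024-05-05T23:58:40Z svc_scan esxi01
"""

def parse_events(text):
    """Parse log lines into (datetime, account, host) tuples."""
    return [(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), a, h)
            for t, a, h in (line.split() for line in text.splitlines())]

def build_baseline(events):
    """Per account, record the UTC hours and source hosts seen in history."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, account, host in events:
        profile[account]["hours"].add(ts.hour)
        profile[account]["hosts"].add(host)
    return profile

def hour_matches(hour, known_hours, tolerance=1):
    """True if hour is within +/-tolerance (wrapping at midnight) of a baseline hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known_hours)

def detect_anomalies(events, baseline):
    """Return (timestamp, account, reasons) for events outside the account's pattern."""
    findings = []
    for ts, account, host in events:
        reasons = []
        if account not in baseline:
            reasons.append("no baseline for account")
        else:
            if not hour_matches(ts.hour, baseline[account]["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}Z")
            if host not in baseline[account]["hosts"]:
                reasons.append(f"new source host {host}")
        if reasons:
            findings.append((ts.isoformat(), account, reasons))
    return findings

def run():
    """Build the baseline from history and check the new events against it."""
    return detect_anomalies(parse_events(NEW_LOG), build_baseline(parse_events(BASELINE_LOG)))
```

In practice the baseline window should be long enough to cover every scheduled run (weekly or monthly jobs included), or those runs will show up as false positives.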

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4101866/chinese-cyberspies-target-vmware-vsphere-for-long-term-persistence.html
