BRICKSTORM Campaign Uses MSP Credentials to Compromise Virtual Infrastructures
Summary:
More details on the BRICKSTORM campaign emerge, as Chinese-nexus adversaries were seen leveraging Managed Service Provider (MSP) credentials for initial access. The attackers' strategy focused on high-value, centralized management platforms, specifically VMware vCenter servers and Active Directory Federation Services (ADFS), in both Windows and VMware ESXi environments.
The actors initially obtained an MSP's account credentials, which were then leveraged to move laterally from internal domain controllers to the vCenter server. Once the vCenter management console was compromised, the threat actors engaged in severe post-exploitation activities, including stealing cloned virtual machine snapshots to extract further credentials, creating hidden rogue virtual machines, and exporting cryptographic keys from ADFS. By gaining control over the vCenter and ADFS environments, the attackers established total control over the virtual infrastructure and identity management systems.
Security Officer Comments:
This campaign serves as a critical warning for Managed Service Providers, highlighting them as a high-priority target due to the broad, multi-tenant access their credentials offer. The compromise of a single MSP account can lead to a cascade of compromises across numerous client environments, threatening both service availability and client trust.
CISA has provided several resources for network defenders:
- Malware Analysis Report (MAR): malware-analysis-report-brickstorm-backdoor.pdf
- STIX JSON: MAR-251165.c1.v1.CLEAR_stix2.json
- SIGMA: CMA_SIGMA_251157_r2_BRICKSTORM_Activity_TLP_CLEAR_1.yaml
Suggested Corrections:
1. Hardened Credential and Account Management
Since the campaign relies on compromising trusted accounts, the primary focus is on securing credentials:
- Enforce Strict Credential Management: Implement policies for the regular rotation of service account credentials.
- Limit Privileges: Apply the principle of least privilege by limiting the permissions granted to service accounts, ensuring they can only perform the tasks necessary for their function and cannot be exploited for lateral movement.
- Monitor Credential Misuse: Use behavioral detection tools to continuously monitor how accounts are accessed, flagging logins from unusual locations, devices, or times, and identifying actions that fall outside a legitimate user’s normal behavior.
The successful attacks targeted vulnerabilities in management platforms, requiring timely maintenance:
- Prompt Vendor Patches: Apply patches and updates promptly for critical virtualization platforms, especially VMware vCenter and ESXi servers, to reduce the exposure window.
- Segment Management Interfaces: Isolate management interfaces (like those for vCenter or ADFS) from client-facing networks. This segmentation is crucial to limit the opportunity for attackers to move laterally from a compromised IT network into the critical virtualization management environment.
- Continuous Monitoring of VMware: Implement continuous monitoring specifically for VMware environments to detect anomalies such as the creation of rogue virtual machines or unusual encrypted traffic that may indicate the presence of the BRICKSTORM backdoor.
Organizations must improve their ability to detect and respond to covert, persistent threats:
- Behavioral Detection: Implement security solutions, such as Managed Detection and Response (MDR) services, that are capable of detecting early behaviors associated with compromise, even when the attackers are using valid, stolen credentials. This includes correlating activity across systems and flagging suspicious login patterns.
- Incident Response Playbooks: Develop or revise incident response playbooks that are specifically tailored to virtualization platforms to accelerate containment and recovery when a compromise is detected in the vCenter or ESXi environment.
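As an added example (not code from Field Effect, CISA, or the BRICKSTORM report), the following Python script shows how the "Monitor Credential Misuse", "Continuous Monitoring of VMware" and "Behavioral Detection" items above can be turned into concrete detection logic. It reads constructed authentication and vCenter event lines, flags service-account logons from source addresses or hours outside a per-account baseline, flags VM clone/create operations by accounts not on an allow list (and clones of credential-bearing VMs such as domain controllers), and raises the severity when a VM change follows an anomalous logon by the same account within a short window. The account names, IP addresses, log field layout, baseline values and allow lists are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report). Pipe-delimited:
# timestamp|source|host|account|src_ip|event|detail
SAMPLE_LOG = """\
2025-11-03T09:15:00|auth|DC01|svc-msp-backup|10.20.0.15|Logon|interactive
2025-11-03T02:40:00|auth|DC01|svc-msp-backup|198.51.100.23|Logon|interactive
2025-11-03T02:41:30|auth|VCENTER01|svc-msp-backup|198.51.100.23|Logon|sso
2025-11-03T02:45:00|vcenter|VCENTER01|svc-msp-backup|198.51.100.23|CloneVM|target=DC01
2025-11-03T02:50:00|vcenter|VCENTER01|svc-msp-backup|198.51.100.23|CreateVM|target=vmtools-helper
2025-11-03T10:00:00|vcenter|VCENTER01|svc-vcenter-deploy|10.20.0.40|CreateVM|target=web-07
"""

# Assumed per-account baseline (hypothetical values): the source IPs an MSP
# service account normally logs on from and the hours it is normally used.
BASELINE = {
    "svc-msp-backup": {"ips": {"10.20.0.15"}, "hours": (6, 20)},
    "svc-vcenter-deploy": {"ips": {"10.20.0.40"}, "hours": (6, 20)},
}
# Accounts permitted to create or clone VMs in vCenter (assumed allow list).
VM_CHANGE_ALLOWED = {"svc-vcenter-deploy"}
# VMs whose disks hold credential material (domain controllers, ADFS); cloning
# them is how snapshot-based credential theft starts, so clones are flagged.
SENSITIVE_VMS = {"DC01", "ADFS01"}
# A VM change this soon after an anomalous logon by the same account is escalated.
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Split one pipe-delimited event line into a dict with a parsed timestamp."""
    ts, source, host, account, src_ip, event, detail = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "source": source, "host": host,
            "account": account, "src_ip": src_ip, "event": event, "detail": detail}


def logon_anomalies(ev):
    """Reasons a Logon event deviates from the account's baseline (empty if none)."""
    base = BASELINE.get(ev["account"])
    if base is None:
        return ["no baseline recorded for account"]
    reasons = []
    if ev["src_ip"] not in base["ips"]:
        reasons.append(f"unusual source {ev['src_ip']}")
    start, end = base["hours"]
    if not start <= ev["ts"].hour < end:
        reasons.append(f"outside normal hours ({ev['ts'].hour:02d}:00)")
    return reasons


def vcenter_anomalies(ev):
    """Reasons a vCenter event looks like rogue-VM or snapshot-theft activity."""
    reasons = []
    if ev["event"] in {"CreateVM", "CloneVM"} and ev["account"] not in VM_CHANGE_ALLOWED:
        reasons.append(f"{ev['event']} by account not authorised to change VMs")
    target = ev["detail"].partition("=")[2]
    if ev["event"] == "CloneVM" and target in SENSITIVE_VMS:
        reasons.append(f"clone of sensitive VM {target}")
    return reasons


def analyze(log_text):
    """Return findings as (severity, account, event, reasons), in time order.

    Logon anomalies are medium; vCenter anomalies are high; a vCenter anomaly
    that follows an anomalous logon by the same account within the correlation
    window is escalated to critical, which is the cross-system correlation the
    "Behavioral Detection" item asks for.
    """
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    findings = []
    last_anomalous_logon = {}  # account -> timestamp of latest anomalous logon
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "auth" and ev["event"] == "Logon":
            reasons = logon_anomalies(ev)
            if reasons:
                last_anomalous_logon[ev["account"]] = ev["ts"]
                findings.append(("medium", ev["account"], ev["event"], reasons))
        elif ev["source"] == "vcenter":
            reasons = vcenter_anomalies(ev)
            if not reasons:
                continue
            severity = "high"
            last = last_anomalous_logon.get(ev["account"])
            if last is not None and ev["ts"] - last <= CORRELATION_WINDOW:
                reasons.append("follows anomalous logon by the same account")
                severity = "critical"
            findings.append((severity, ev["account"], ev["event"], reasons))
    return findings


if __name__ == "__main__":
    for severity, account, event, reasons in analyze(SAMPLE_LOG):
        print(f"[{severity}] {account} {event}: {'; '.join(reasons)}")
```

On the constructed sample the daytime logon from the baseline address and the authorised deployment account's VM creation produce nothing, the two night-time logons from an unknown address are reported as medium, and the clone of DC01 and the creation of the unlisted VM by the same MSP account minutes later are escalated to critical. In a real deployment the baseline would be learned from historical logon data rather than hard-coded, and the vCenter events would come from the vCenter event log or a SIEM feed rather than a string.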
https://fieldeffect.com/blog/brickstorm-campaign-msp-credentials-compromise-virtual-infrastructures
https://www.cisa.gov/news-events/analysis-reports/ar25-338a