- Google warns that UNC5221 targeted legal, technology and SaaS companies with BRICKSTORM malware for more than a year
- The campaign aimed at espionage, intellectual property theft and long-term access to infrastructure
- Mandiant urges TTP-based threat hunting and stronger authentication to counter future attacks
US organizations in the legal services, technology, SaaS and business process outsourcing sectors were targeted for more than a year with a new variant of malware called BRICKSTORM, leading to significant data loss, the experts warned.
Google's Threat Intelligence Group (GTIG) found that the threat actor behind the campaign is UNC5221, a suspected China-nexus group known for stealthy operations and long-term persistence.
The group first targeted zero-day vulnerabilities in Linux and BSD-based appliances, since these devices are often overlooked in asset inventories and excluded from central logging. That makes them an ideal foothold for attackers.
Once inside, UNC5221 used BRICKSTORM to move laterally, harvest credentials and exfiltrate data with minimal telemetry. In some cases the malware went undetected for more than a year; the average dwell time was reportedly a striking 393 days.
In many cases, the attackers pivoted from these edge devices to VMware vCenter and ESXi, using stolen credentials to deploy BRICKSTORM and escalate privileges.
To maintain persistence, they modified init scripts and deployed web shells that allowed remote command execution. They also cloned sensitive virtual machines without ever powering them on, thereby avoiding the triggers that security tools rely on.
The campaign's objectives appear to span geopolitical espionage, intellectual property theft and access operations.
Because law firms were among the targets, the researchers suspect that UNC5221 is interested in US national security and trade matters, while the SaaS providers may have been used to pivot into downstream customer environments.
To counter BRICKSTORM, Mandiant recommends a threat-hunting approach based on tactics, techniques and procedures (TTPs) rather than atomic indicators, which have proven unreliable because of the actor's operational discipline.
The researchers urged companies to update their asset inventories, monitor appliance traffic and enforce multifactor authentication.
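As an added illustration of the TTP-based hunting the article recommends (this is example code written for this page, not Mandiant's or Google's tooling), the script below takes the "clone a sensitive VM but never power it on" behaviour described above and turns it into a hunt over vCenter event records. The event type names (`VmClonedEvent`, `VmPoweredOnEvent`) follow the vSphere event model, but the flat record layout, the sample events and the list of "sensitive" VMs are constructed for the example and are not real vCenter output.

```python
"""
TTP-based hunt: VM clones that never receive a power-on event.
Rationale (from the article): the actor cloned sensitive VMs without
powering them on, which avoids the triggers most security tooling keys on.
The hunt therefore flags clones that remain powered off past a grace
window, ranking clones of sensitive source VMs highest.
"""
from datetime import datetime, timedelta

# Constructed sample vCenter events (simplified; not real vCenter output).
SAMPLE_EVENTS = [
    {"time": "2025-01-05T02:13:00", "type": "VmClonedEvent",
     "vm": "dc01-clone-tmp", "source_vm": "dc01", "user": "svc-backup"},
    {"time": "2025-01-05T02:14:00", "type": "VmClonedEvent",
     "vm": "web02-copy", "source_vm": "web02", "user": "admin"},
    {"time": "2025-01-05T02:20:00", "type": "VmPoweredOnEvent",
     "vm": "web02-copy", "user": "admin"},
    {"time": "2025-01-06T03:00:00", "type": "VmClonedEvent",
     "vm": "fs01-snap", "source_vm": "fs01", "user": "svc-backup"},
]

# Constructed list of VMs whose disks hold high-value data (assumption).
SENSITIVE_VMS = {"dc01", "fs01"}


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_never_powered_clones(events, now, grace_hours=24, sensitive=SENSITIVE_VMS):
    """Return clone events whose new VM has had no power-on event and whose
    age at `now` (ISO-8601 string) exceeds `grace_hours`.

    Each finding carries the source VM, the user who issued the clone, and a
    `sensitive` flag so an analyst can triage clones of high-value VMs first.
    """
    now_dt = _parse_time(now)
    grace = timedelta(hours=grace_hours)
    clones = {}
    powered_on = set()

    # Single pass: remember every clone, and every VM that was powered on.
    for event in events:
        if event["type"] == "VmClonedEvent":
            clones[event["vm"]] = event
        elif event["type"] == "VmPoweredOnEvent":
            powered_on.add(event["vm"])

    findings = []
    for vm_name, clone in clones.items():
        if vm_name in powered_on:
            continue  # normal lifecycle: the clone was actually used
        age = now_dt - _parse_time(clone["time"])
        if age < grace:
            continue  # too recent to judge; re-run the hunt later
        findings.append({
            "vm": vm_name,
            "source_vm": clone["source_vm"],
            "user": clone["user"],
            "cloned_at": clone["time"],
            "age_hours": round(age.total_seconds() / 3600, 1),
            "sensitive": clone["source_vm"] in sensitive,
        })

    # Sensitive sources first, then oldest clones first.
    findings.sort(key=lambda f: (not f["sensitive"], -f["age_hours"]))
    return findings


if __name__ == "__main__":
    for finding in find_never_powered_clones(SAMPLE_EVENTS, "2025-01-07T00:00:00"):
        print(finding)
```

Run against the sample, `web02-copy` is ignored because it was powered on, `fs01-snap` is held back because it is under 24 hours old, and `dc01-clone-tmp` is reported as a never-powered clone of a sensitive VM. Feeding the same function real vCenter events (exported via the vSphere API or forwarded to a SIEM) is what turns the article's TTP into a repeatable hunt, which is precisely why Mandiant favours this over matching atomic indicators that the actor can simply change.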