惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
T
Threatpost
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
云风的 BLOG
云风的 BLOG
S
Security Affairs
P
Proofpoint News Feed
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
S
Security @ Cisco Blogs
H
Hacker News: Front Page
Security Archives - TechRepublic
Security Archives - TechRepublic
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
量子位
博客园_首页
The Last Watchdog
The Last Watchdog
D
DataBreaches.Net
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
The Register - Security
The Register - Security
Schneier on Security
Schneier on Security
H
Help Net Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
MyScale Blog
MyScale Blog
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Suspected Chinese spies broke into 'numerous' enterprises
Jessica Lyons Jessica Lyons · 2025-09-24 · via The Register - Security: CSO

Unknown intruders – likely China-linked spies – have broken into "numerous" enterprise networks since March and deployed backdoors, providing access for their long-term IP and other sensitive data stealing missions, all the while remaining undetected on average for 393 days, according to Google Threat Intelligence.

In a paper published today, the threat hunters attribute these network intrusions to UNC5221 and other related suspected Chinese threat groups. UNC5221 has been abusing zero-days in buggy Ivanti gear since at least 2023.

Google notes that this UNC crew is separate from Silk Typhoon (aka Hafnium), believed to be behind the December break-in at the US Treasury Department

UNC in Google's threat-group naming taxonomy stands for "Uncategorized," as opposed to FIN (financially motivated) or APT (advanced persistent threat, which means government-backed). [Editor's note: read all about the various security companies' methods for naming cyber crews here... then go bang your head against the wall.]

Since March, Google's Mandiant Consulting and incident response team have responded to these UNC5221-related break-ins across legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies. 

"The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims," Google Threat Intelligence wrote.

Don't count on your EDR detecting this BRICKSTORM

A big reason why the intruders are able to remain on victims' networks for so long before being detected is due to their use of backdoors – primarily BRICKSTORM – on appliances that do not support traditional endpoint detection and response (EDR) tools. This means that victim orgs' security teams aren't receiving any EDR alerts about suspicious activities.

Because of this, and to help organizations hunt for BRICKSTORM activity, Mandiant made available a free, downloadable scanner to run on *nix-based appliances and other systems without requiring YARA to be installed. It works by searching for a combination of strings and hex patterns unique to the backdoor.

And while Google declined to specify how many BRICKSTORM-activity victims it has identified since March, "the important thing to focus on is this group is scaling their capabilities," Mandiant Consulting Chief Technology Officer Charles Carmakal told The Register

We have no doubt companies will use this tool and find active or historic compromises

"As more companies scan their systems, we anticipate we'll be hearing about this campaign for the next one to two years," he said. "We have no doubt companies will use this tool and find active or historic compromises."

In at least one case, the suspected Chinese data thieves gained initial access by exploiting a zero-day vulnerability in an Ivanti Connect Secure edge device. Google declined to say which Ivanti zero-day the miscreants abused, but pointed to an earlier report about UNC5221 poking holes in CVE-2023-46805 and CVE-2024-21887 as early as December 2023, and "widespread exploitation" after Ivanti disclosed those two vulnerabilities in January 2024.

VMware, credentials, Microsoft inboxes among the targets

Once the attackers break in, they deploy backdoors to maintain persistent access, and the one they use most is BRICKSTORM. The malware, written in Go, includes SOCKS proxy functionality. And while there is evidence of a Windows BRICKSTORM variant, Mandiant's responders haven't seen this firsthand, but they have found the backdoor on Linux and BSD-based appliances from multiple manufacturers.

Plus, UNC5221, the threat hunters note, consistently targets VMware vCenter and ESXi hosts, and "in multiple cases, the threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems." In these instances, the intruders used valid credentials – likely stolen by the malware running on the network appliances – to move laterally to a vCenter server in the victims' environments.

Based on malware samples recovered from various victim orgs, UNC5221 also appears to have modified BRICKSTORM making it even more difficult to detect. Some, we're told, were obfuscated using Garble, some use a new version of the custom wssoft library, and at least one had a "delay" timer built-in.

This timer waited for a hard-coded future date before beginning to beacon to the configured command and control (C2) domain. "Notably, this backdoor was deployed on an internal vCenter server after the victim organization had begun their incident response investigation, demonstrating that the threat actor was actively monitoring and capable of rapidly adapting their tactics to maintain persistence," the threat intelligence team wrote.

It's also worth noting that Mandiant didn't document any reuse of C2 domains – or even malware samples – and this makes traditional indicators of compromise (IOCs) largely obsolete.

In another investigation, the attackers installed a malicious Java Servlet filter for the Apache Tomcat server that runs the web interface for vCenter. This code is designed to run every time the web server receives an HTTP request. While installing a filter usually requires modifying a config file and then restarting the application, in this case the intruders used a custom dropper that made the modifications in memory, rather than requiring a restart – again adding to the stealthiness of the malware. 

Mandiant tracks this malicious filter as BRICKSTEAL, and says it is able to decode the HTTP Basic authentication header, which may contain a username and password. "Many organizations use Active Directory authentication for vCenter, which means BRICKSTEAL could capture those credentials," the report warns.

In many of these intrusions, the attackers also broke into email inboxes belonging to "key individuals." These include developers, system administrators, and others "involved in matters that align with PRC economic and espionage interests."

To access these inboxes, the snoops used Microsoft Entra ID Enterprise Applications with mail.read or full_access_as_app scopes, both of which allow the application to access mail in any mailbox. 

And to steal files from the victims' systems, UNC5221 used BRICKSTORM's SOCKS proxy feature to tunnel from their workstation and directly access systems and web applications.

Additionally, in "several" of these break-ins, the attackers removed the malware samples from the compromised systems. "In these cases, the presence of BRICKSTORM was observed by conducting forensic analysis of backup images that identified the BRICKSTORM malware in place," according to Google.

Hunting guidance

In addition to making available the scanner script, via GitHub, the Chocolate Factory also provides a lengthy section on hunting for BRICKSTORM activity on your network – while again noting that using IOCs aren't the most useful way to do that when the attacker doesn't reuse any C2 domains or malware samples. Instead, the threat intel analysts recommend a Tactics, Techniques, and Procedures (TTP)-based approach, deeming it a "necessity to detect patterns of attack that are unlikely to be detected by traditional signature-based defenses."

This nine-step checklist starts with creating (or updating) an asset inventory that includes edge devices and other appliances that are generally not covered by traditional security tool stacks including EDR products. 

Use this inventory of appliances and management IP addresses to hunt for indications of malware beaconing in network logs – such as appliances communicating with the public internet from a management IP address when they don't need to – as well as appliances accessing Windows systems and credentials and secrets, or enterprise apps accessing Microsoft 365 Exchange Online mailboxes, since all of these are hallmarks of this attacker.

Because UNC5221 regularly targets VMware vCenter and ESXi hosts, organizations should also hunt for cloning of sensitive virtual machines, creation of local vCenter and ESXi accounts, SSH enablement on the vSphere platform, and rogue VMs. The report provides detailed instructions on how to monitor for all of this, so be sure to check it out. Happy hunting. ®