Just in:
Iran widens energy threat as Hormuz battle escalates // Dubai-Botswana pact opens new commodity trade corridor // Guardian Fire expands Midwest reach with Nebraska deal // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Dubai weighs turning organic waste into aviation fuel // Louis Vuitton Celebrates 130 Years of the Monogram // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // AI tools sharpen cybercrime as quishing surges // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Inflation In India Rising Sharply Since January 2026, Highest In June // Dealing.com claims record for tokenised stock access // Trump scraps Hormuz levy but tightens Iran blockade // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // UK sets overnight social media curfew for teens // De Beers halts Venetia output amid diamond slump // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ //

Brickstorm exposes new appliance blind spot

A China-linked cyber-espionage group tracked as VerdantBamboo has been tied to a BRICKSTORM malware operation targeting Linux-based virtual appliances, firewalls and enterprise infrastructure, sharpening concerns over the security of systems that often sit outside mainstream endpoint monitoring.

The activity came to light after suspicious traffic was detected from a Linux-based virtual machine appliance during an incident response investigation. The inquiry found that attackers had used stolen administrative credentials to access a firewall, enabled web SSL VPN access and then moved further into the victim network. The case adds VerdantBamboo to a widening set of China-nexus clusters associated with BRICKSTORM, a stealthy remote access tool built for persistence, internal reconnaissance and covert command-and-control.

BRICKSTORM has emerged as one of the more consequential espionage implants aimed at network appliances and virtualisation environments. The malware was first documented as a Go-based backdoor and later appeared in Rust-based variants. Its modular design gives operators a remote shell, a SOCKS5 proxy for tunnelling traffic through compromised networks and a lightweight web server capable of listing and transferring files. Security researchers have also identified a custom library known as wssoft, which appears to handle task processing and communications.

ADVERTISEMENT

The latest case shows how attackers are exploiting the weak visibility around appliances that are rarely covered by conventional endpoint detection and response tools. Firewalls, storage synchronisation servers, VMware vCenter hosts, ESXi environments and network-attached storage devices can become high-value staging points because they control access, identity flows and internal routing. Once compromised, they allow attackers to blend into administrative traffic, capture credentials and pivot into more sensitive systems.

The VerdantBamboo intrusion also highlights the continuing use of legitimate access rather than noisy exploit chains once an initial foothold is obtained. Investigators found that the firewall’s administrative interface was exposed to the internet and that stolen administrator credentials were not protected by multi-factor authentication. The attackers then configured VPN access through the device and used it to reach internal systems, a pattern that fits a broader shift in state-linked intrusions toward “living off the land” techniques and trusted remote services.

BRICKSTORM’s technical evolution has made detection more difficult. Samples have used WebSockets for command-and-control, nested TLS, DNS-over-HTTPS and infrastructure hosted through cloud platforms or dynamic naming services. Some versions have been obfuscated, while others appear designed to mimic normal appliance behaviour. Earlier analyses found no consistent reuse of command-and-control domains across victims, suggesting careful operational discipline intended to frustrate broad indicator-based blocking.

The malware’s persistence features are equally significant. BRICKSTORM can monitor itself and restart or reinstall if interrupted. Some samples have been configured with delayed execution, allowing the implant to remain dormant until a specified date before contacting its command server. That capability can let operators survive initial remediation efforts and re-establish access after defenders believe a breach has been contained.

Government cyber authorities have already warned that BRICKSTORM has been used by China state-sponsored actors for long-term persistence against government services, facilities and information technology entities. Publicly analysed incidents include compromises of VMware vCenter servers, domain controllers and Active Directory Federation Services systems. One breach involved access from April 2024 until at least September 2025, underlining the long dwell times associated with this toolset.

ADVERTISEMENT

China has consistently denied allegations that it sponsors cyberattacks, while arguing that it is itself a major victim of cyber operations. Western governments and private threat intelligence teams, however, continue to link several long-running campaigns to China-nexus actors, particularly those targeting telecommunications, legal services, software providers, government bodies and managed service providers.

The focus on managed service providers is especially sensitive. Compromising an MSP can give attackers a trusted route into multiple downstream customers, including organisations with limited in-house security capacity. The VerdantBamboo case points to this risk by showing how stolen credentials and remote access pathways can turn one compromised support environment into a broader intrusion channel.

For enterprises, the main lesson is that appliances can no longer be treated as passive infrastructure. Security teams are being urged to inventory all edge devices, virtual appliances and management servers; enforce multi-factor authentication on administrative interfaces; restrict internet exposure; centralise appliance logs; monitor outbound traffic from systems that normally generate little communication; and hunt for unexplained WebSocket, DNS-over-HTTPS or TLS activity from management hosts.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // UK sets overnight social media curfew for teens // Trump scraps Hormuz levy but tightens Iran blockade // Guardian Fire expands Midwest reach with Nebraska deal // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // Dealing.com claims record for tokenised stock access // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Louis Vuitton Celebrates 130 Years of the Monogram // Iran widens energy threat as Hormuz battle escalates // EU prosecutors examine subsidies linked to Babiš // Dubai-Botswana pact opens new commodity trade corridor // Revolut clears first hurdle for Dubai crypto launch // US missiles disable tanker bound for Iran // Gadkari’s Ethanol Defence Is Losing The Public Argument // Inflation In India Rising Sharply Since January 2026, Highest In June // Rival cyber spies penetrate Pakistan police networks // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // De Beers halts Venetia output amid diamond slump //