TZUTC: -0500
MSGID: 1534.consprcy@1:2320/105 2d3be817
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Under the radar - Google warns new Brickstorm malware was stealing data from
US firms for over a year

Date:
Thu, 25 Sep 2025 17:05:00 +0000

Description:
Chinese state-sponsored actors are at it again targeting legal, SaaS, and
government agencies.

FULL STORY

US organizations across the legal, technology, SaaS, and business process
outsourcing sectors were targeted by a new malware variant named Brickstorm
for over a year, leading to major data loss, experts have warned. 

Googles Threat Intelligence Group (GTIG) found the threat actors behind the
campaign are UNC5221, a suspected China-nexus threat known for stealthy
operations and long-term persistence. 

This group first targeted zero-day vulnerabilities in Linux devices and
BSD-based appliances, since these are often overlooked in asset inventories
and excluded from central logging. As such, they make for an ideal foothold
for the attackers.

Cyber-espionage 

Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials,
and exfiltrate data with minimal telemetry. In some cases, the malware
remained undetected for more than a year, since the average dwell time was
said to be a mighty 393 days. 

In many cases, they would pivot from fringe devices to VMware vCenter and 
ESXi hosts, using stolen credentials to deploy Brickstorm and escalate
privileges. 

To maintain persistence, they modified startup scripts and deployed webshells
that allowed for remote command execution. They cloned sensitive virtual
machines without even powering them on, and thus avoiding triggering security
tools. 

The campaigns objectives appear to span geopolitical espionage, intellectual
property theft, and access operations. 

Since legal companies were targeted as well, the researchers suspected 
UNC5221 was interested in US national security, and trade topics, while
targeting SaaS providers could have been used to pivot into downstream
customer environments. 

To counter Brickstorm, Mandiant recommends a threat-hunting approach based on
tactics, techniques, and procedures (TTPs) rather than atomic indicators,
which have proven unreliable due to the actors operational discipline. 

The researchers urged businesses to update asset inventories, monitor
appliance traffic, and enforce multi-factor authentication .

======================================================================
Link to news story:
https://www.techradar.com/pro/security/under-the-radar-google-warns-new-bricks
torm-malware-was-stealing-data-from-us-firms-for-over-a-year

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426