
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,785 of 2,445   
   Mike Powell to All   
   Brickstorm was stealing d   
   26 Sep 25 10:07:05   
   
   TZUTC: -0500   
   MSGID: 1534.consprcy@1:2320/105 2d3be817   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Under the radar - Google warns new Brickstorm malware was stealing data from   
   US firms for over a year   
      
   Date:   
   Thu, 25 Sep 2025 17:05:00 +0000   
      
   Description:   
   Chinese state-sponsored actors are at it again targeting legal, SaaS, and   
   government agencies.   
      
   FULL STORY   
      
   US organizations across the legal, technology, SaaS, and business process   
   outsourcing sectors were targeted by a new malware variant named Brickstorm   
   for over a year, leading to major data loss, experts have warned.    
      
   Google's Threat Intelligence Group (GTIG) found the threat actors behind the   
   campaign are UNC5221, a suspected China-nexus threat known for stealthy   
   operations and long-term persistence.    
      
   This group first targeted zero-day vulnerabilities in Linux devices and   
   BSD-based appliances, since these are often overlooked in asset inventories   
   and excluded from central logging. As such, they make for an ideal foothold   
   for the attackers.   
      
   Cyber-espionage    
      
   Once inside, UNC5221 used Brickstorm to move laterally, harvest credentials,   
   and exfiltrate data with minimal telemetry. In some cases, the malware   
   remained undetected for more than a year, since the average dwell time was   
   said to be a mighty 393 days.    
      
   In many cases, they would pivot from fringe devices to VMware vCenter and    
   ESXi hosts, using stolen credentials to deploy Brickstorm and escalate   
   privileges.    
      
   To maintain persistence, they modified startup scripts and deployed webshells   
   that allowed for remote command execution. They cloned sensitive virtual   
   machines without even powering them on, thus avoiding triggering security   
   tools.    
      
   The campaign's objectives appear to span geopolitical espionage, intellectual   
   property theft, and access operations.    
      
   Since legal companies were targeted as well, the researchers suspected    
   UNC5221 was interested in US national security and trade topics, while   
   targeting SaaS providers could have been used to pivot into downstream   
   customer environments.    
      
   To counter Brickstorm, Mandiant recommends a threat-hunting approach based on   
   tactics, techniques, and procedures (TTPs) rather than atomic indicators,   
   which have proven unreliable due to the actor's operational discipline.    
      
   The researchers urged businesses to update asset inventories, monitor   
   appliance traffic, and enforce multi-factor authentication.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/under-the-radar-google-warns-new-brickstorm-malware-was-stealing-data-from-us-firms-for-over-a-year   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      
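The story above says the actors cloned sensitive virtual machines without powering them on, and that Mandiant recommends hunting on TTPs rather than atomic indicators. The following is an added example of what such a TTP-based hunt can look like; it is not code from the original post, from Google/Mandiant, or from the BBS. It assumes a constructed event feed whose records carry the vSphere event type names VmClonedEvent, VmPoweredOnEvent and VmRemovedEvent; the record layout, the sample events, the user names and the VM names are all invented here.

```python
"""Hunt for VM clones that are never powered on (a "cold clone" TTP).

Added example, not from the original post. The event records below are
constructed; only the event type names are modelled on vSphere's event types.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). A legitimate clone is
# normally powered on soon afterwards; a clone that is copied off and deleted
# without ever booting matches the behaviour described in the story.
SAMPLE_EVENTS = [
    {"time": "2025-03-02T01:12:00", "type": "VmClonedEvent",    "user": "svc-backup", "vm": "DC01-clone", "source_vm": "DC01"},
    {"time": "2025-03-02T01:40:00", "type": "VmClonedEvent",    "user": "svc-backup", "vm": "FS02-clone", "source_vm": "FS02"},
    {"time": "2025-03-02T09:00:00", "type": "VmClonedEvent",    "user": "jdoe",       "vm": "WEB03-test", "source_vm": "WEB03"},
    {"time": "2025-03-02T09:05:00", "type": "VmPoweredOnEvent", "user": "jdoe",       "vm": "WEB03-test"},
    {"time": "2025-03-03T02:10:00", "type": "VmRemovedEvent",   "user": "svc-backup", "vm": "DC01-clone"},
]


def _when(record):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["time"])


def find_cold_clones(events, window=timedelta(hours=24), high_value_sources=frozenset()):
    """Return one finding per VmClonedEvent whose clone was not powered on
    within `window`. Clones of VMs listed in `high_value_sources` (e.g. domain
    controllers, assumed names) are marked so a hunter can triage them first."""
    ordered = sorted(events, key=_when)
    findings = []
    for ev in ordered:
        if ev["type"] != "VmClonedEvent":
            continue
        start = _when(ev)
        later = [e for e in ordered if e.get("vm") == ev["vm"] and _when(e) > start]
        powered_on = any(
            e["type"] == "VmPoweredOnEvent" and _when(e) - start <= window for e in later
        )
        if powered_on:
            continue  # normal lifecycle: clone, then boot
        removed = any(e["type"] == "VmRemovedEvent" for e in later)
        findings.append({
            "vm": ev["vm"],
            "source_vm": ev.get("source_vm"),
            "user": ev["user"],
            "cloned_at": ev["time"],
            "removed_without_boot": removed,
            "high_value_source": ev.get("source_vm") in high_value_sources,
        })
    return findings


def summarize(findings):
    """Render findings as one report line each."""
    lines = []
    for f in findings:
        flags = []
        if f["removed_without_boot"]:
            flags.append("clone removed without ever booting")
        if f["high_value_source"]:
            flags.append("high-value source")
        line = f"{f['cloned_at']} {f['user']} cloned {f['source_vm']} -> {f['vm']}"
        if flags:
            line += f" [{'; '.join(flags)}]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in summarize(find_cold_clones(SAMPLE_EVENTS, high_value_sources={"DC01"})):
        print(line)
```

Run against the constructed feed, the hunt reports the two clones made under the backup service account and ignores the test clone that was booted five minutes later. The check keys on behaviour (clone with no boot, optionally followed by deletion) rather than on a hash or hostname, which is the kind of TTP-based logic the story says Mandiant recommends; in a real estate the event list would come from the vCenter event log and the high-value set from the asset inventory the story also says needs updating.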



(c) 1994,  bbs@darkrealms.ca