VerdantBamboo: Just Another BRICKSTORM in the Firewall
VerdantBamboo, a Chinese threat actor, compromised edge appliances including Egnyte Storage Sync, pfSense firewalls, and Synology NAS devices to deploy custom malware (BRICKSTORM, PLENET, AGENTPSD). The attackers exploited a compromised MSP and local privilege escalation misconfigurations to maintain long-term persistence, using the compromised devices to proxy traffic and bypass Microsoft 365 Conditional Access policies.
- filename: /usr/local/bin/egnyte/egnyte_host_monitor_client - File path for the AGENTPSD fallback payload on compromised Egnyte appliances
- filename: /usr/local/libexec/ipsec/blacklist - File path for the BRICKSTORM payload on compromised pfSense firewalls
- filename: /usr/sbin/luserput - File path for the BRICKSTORM payload on compromised Egnyte appliances
Detection / HunterGoogle
What Happened
A sophisticated hacking group known as VerdantBamboo targeted specialized network devices like firewalls and cloud storage systems that typically lack standard security monitoring. By breaking into these devices, often through a compromised IT service provider, the attackers were able to secretly install custom malicious software. This allowed them to hide their tracks, maintain access for over 18 months, and bypass security rules to access the victim's Microsoft 365 environment. Organizations should ensure their network appliances are closely monitored, updated, and not exposed directly to the internet without strong authentication.
Key Takeaways
- VerdantBamboo targets edge appliances (firewalls, NAS, storage sync) lacking EDR coverage to deploy custom malware.
- Attackers leveraged a compromised Managed Services Provider (MSP) to gain initial access to the victim organization.
- Three distinct malware families were used: BRICKSTORM (Golang/Rust), PLENET (.NET Native AOT), and AGENTPSD (Python).
- Compromised edge devices were used to proxy traffic and bypass Microsoft 365 Conditional Access policies.
- Persistence was achieved via modified cron jobs and exploiting local privilege escalation misconfigurations on the appliances.
Affected Systems
- Egnyte Storage Sync (Linux)
- pfSense Firewall (FreeBSD)
- Synology NAS
- Legacy Linux GroupWise server
Vulnerabilities (CVEs)
- Inadvertent local privilege escalation in Egnyte Storage Sync (fixed in v13.13)
Attack Chain
VerdantBamboo gained initial access to the victim's network via a compromised MSP pfSense firewall. They accessed an Egnyte Storage Sync appliance via SSH using valid credentials and escalated privileges using a sudo misconfiguration. The attackers deployed BRICKSTORM and AGENTPSD malware for persistence, modifying cron jobs to execute the payloads. They then used the compromised appliances as proxies to access the victim's Microsoft 365 environment, bypassing Conditional Access policies. After initial remediation, the attackers returned via an exposed firewall administrative interface, configured a web SSL VPN, and deployed the PLENET backdoor on a Synology NAS.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Censys
The article provides a Censys Platform query to fingerprint BRICKSTORM C2 servers based on HTTP responses, SSH banners, and Cloudflare certificates.
Detection Engineering Assessment
- EDR Visibility: Low — The attackers specifically targeted edge appliances (firewalls, NAS, storage sync) that typically do not support EDR agents.
- Network Visibility: Medium — Network monitoring could detect anomalous SSH connections, DNS over HTTPS to public resolvers from appliances, or unusual proxy traffic to M365.
- Detection Difficulty: Hard — The lack of EDR on targeted devices, use of valid credentials, and blending of proxy traffic with legitimate M365 traffic makes detection challenging.
Required Log Sources
- Network flow logs
- VPN logs
- Firewall logs
- Authentication logs
- Syslog from edge appliances
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous SSH connections originating from VPN IP pools to internal edge appliances. | Network flow logs, Firewall logs | Lateral Movement | Medium |
| Evaluate whether edge appliances are making unexpected outbound connections to public DNS servers (e.g., 8.8.8.8) using TLS/HTTPS, which may indicate DNS over HTTPS evasion. | Network flow logs, DNS logs | Command and Control | Low |
| If you have visibility into appliance file systems, look for unauthorized modifications to /etc/crontab or /etc/rc.d/cron. | Syslog, File Integrity Monitoring | Persistence | Low |
| Consider hunting for unusual web SSL VPN configurations or new VPN user creations on perimeter firewalls. | Firewall logs, VPN logs | Initial Access | Low |
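The first two hypotheses above can be run directly over flow records. The script below is an added example (not from the original report) that applies them to a few constructed flow lines; the VPN pool, the appliance inventory and the resolver list other than 8.8.8.8 are assumed values for the example.

```python
import ipaddress

# Assumed address plan for the example (constructed, not from the report).
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
EDGE_APPLIANCES = {
    "10.10.5.1": "pfsense-fw",
    "10.10.5.20": "egnyte-storage-sync",
    "10.10.5.30": "synology-nas",
}
# 8.8.8.8 is named in the hypothesis; the other resolvers are assumed additions.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
DOH_PORTS = {443, 853}  # DNS over HTTPS / DNS over TLS

# Constructed flow records: timestamp src dst dport proto bytes
FLOWS = """\
2024-05-01T02:14:09Z 10.200.3.17 10.10.5.20 22 tcp 48211
2024-05-01T02:15:44Z 10.10.5.20 8.8.8.8 443 tcp 9120
2024-05-01T02:16:01Z 10.10.5.20 52.96.0.10 443 tcp 1203344
2024-05-01T09:00:00Z 10.10.7.5 10.10.5.20 443 tcp 2200
2024-05-01T09:05:12Z 10.10.5.30 10.10.5.5 53 udp 180
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def hunt(lines):
    """Return (hypothesis, timestamp, source, target) tuples for matching flows."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        # Hypothesis 1: SSH from the VPN IP pool into an edge appliance.
        if (f["proto"] == "tcp" and f["dport"] == 22
                and ipaddress.ip_address(f["src"]) in VPN_POOL
                and f["dst"] in EDGE_APPLIANCES):
            findings.append(("vpn_ssh_to_appliance", f["ts"], f["src"],
                             EDGE_APPLIANCES[f["dst"]]))
        # Hypothesis 2: an appliance talking TLS to a public resolver (possible DoH).
        if (f["src"] in EDGE_APPLIANCES and f["dst"] in PUBLIC_RESOLVERS
                and f["dport"] in DOH_PORTS):
            findings.append(("appliance_doh_to_public_resolver", f["ts"],
                             EDGE_APPLIANCES[f["src"]], f["dst"]))
    return findings


if __name__ == "__main__":
    for hit in hunt(FLOWS.splitlines()):
        print(*hit)
```

Plain UDP/53 to an internal resolver and ordinary HTTPS to the appliance produce no finding, so the two hits in the sample are the SSH login from the VPN pool and the appliance's TLS session to 8.8.8.8.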
Control Gaps
- Lack of EDR on edge appliances
- Absence of MFA on local administrative accounts
- Permissive sudo configurations on vendor appliances
Key Behavioral Indicators
- Unexpected cron job creations on Linux/BSD appliances
- Execution of binaries from atypical paths like /usr/local/libexec/ipsec/ or /usr/sbin/ by unprivileged users
- Appliances acting as proxies for M365 authentication
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and isolate any edge appliances (NAS, firewalls, storage sync) exhibiting anomalous outbound network traffic.
- Review VPN and firewall administrative logs for unauthorized access or configuration changes.
Infrastructure Hardening
- Ensure administrative interfaces for firewalls and edge appliances are not exposed directly to the internet.
- Enforce Multi-Factor Authentication (MFA) for all administrative access, including local accounts and VPN portals.
- Review and restrict sudo configurations on Linux-based appliances to prevent local privilege escalation.
User Protection
- Evaluate Conditional Access policies to ensure they cannot be easily bypassed by traffic originating from trusted internal IP spaces if those spaces are compromised.
Security Awareness
- Educate IT and MSP staff on the risks of default or shared credentials on network appliances.
MITRE ATT&CK Mapping
- T1078.003 - Valid Accounts: Local Accounts
- T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- T1053.003 - Scheduled Task/Job: Cron
- T1090.002 - Proxy: External Proxy
- T1133 - External Remote Services
- T1562.001 - Impair Defenses: Disable or Modify Tools
Additional IOCs
- File Hashes:
- File Paths:
  - /etc/cron.d/ssync - Cron file created by attackers for BRICKSTORM persistence
  - /home/egnyteservice/ssync.sh - Script executed by cron to launch BRICKSTORM
- Command Lines:
  - Purpose: Modify crontab to establish persistence for the AGENTPSD fallback backdoor | Tools: crontab | Stage: Persistence
  - Purpose: Execute BRICKSTORM payload via FreeBSD rc.d cron script | Tools: cron | Stage: Persistence | /usr/local/libexec/ipsec/blacklist
- Other:
  - PoRaSGw3jzQ8YSaz - Hardcoded pattern used in AGENTPSD command parsing