7 min read · critical

vSphere and BRICKSTORM Malware: A Defender's Guide

Threat actors are increasingly targeting VMware vSphere environments, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors, to establish deep persistence and bypass traditional EDR solutions. This defender's guide outlines a comprehensive strategy to secure the virtualization control plane against advanced malware like BRICKSTORM, emphasizing infrastructure hardening, Zero Trust network segmentation, and enhanced OS-level forensic visibility using auditd and AIDE.

Confidence: high · Analyzed: 2026-04-02 · reports

Authors: Stuart Carrera

Actors: UNC5221, BRICKSTORM, BRICKSTEAL, SLAYSTYLE

Source: Mandiant

IOCs · 2

Key Takeaways

  • Threat actors like UNC5221 target the vSphere virtualization layer (VCSA and ESXi) to establish deep persistence, bypassing traditional OS-level EDR.
  • The BRICKSTORM attack chain involves exploiting edge appliances, lateral movement via harvested credentials, and deploying backdoors (BRICKSTORM, BRICKSTEAL, SLAYSTYLE) at the hypervisor level.
  • Native vCenter security defaults and VAMI firewalls are insufficient; defense requires OS-level hardening of Photon Linux using iptables, auditd, and AIDE.
  • A critical visibility gap exists because VCSA does not forward kernel-level audit logs by default, allowing attackers to wipe local evidence.
  • Defenders must implement Zero Trust networking (VRF segmentation, PAWs) and transform the VCSA into a proactive sensor by bridging auditd and AIDE logs to a remote SIEM.

Affected Systems

  • VMware vSphere 7.0 and 8.0
  • vCenter Server Appliance (VCSA)
  • ESXi Hypervisors
  • Photon Linux OS

Vulnerabilities (CVEs)

  • CVE-2026-22769
  • VMSA-2021-0002

Attack Chain

The attack begins with initial access via an edge appliance exploit (e.g., CVE-2026-22769), allowing the threat actor (UNC5221) to deploy the SLAYSTYLE JSP webshell. Using harvested credentials, the attacker moves laterally to the vCenter Server Appliance (VCSA) and ESXi hypervisors, often enabling SSH via the VAMI interface. Once on the virtualization control plane, the attacker deploys the BRICKSTORM Go-based SOCKS proxy for C2 tunneling and the BRICKSTEAL Java Servlet Filter to scrape credentials from memory. Persistence is established by modifying startup scripts (e.g., /etc/rc.local.d) and creating transient SSO accounts, ultimately leading to the cloning of sensitive VMs and offline extraction of the NTDS.dit database.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: auditd, AIDE

The article provides specific auditd rules and AIDE (Advanced Intrusion Detection Environment) configuration snippets to detect malicious behavior and file modifications on the VCSA Photon OS.

Detection Engineering Assessment

  • EDR Visibility: None. The vCenter Server Appliance (VCSA) and ESXi hypervisors run on specialized OS layers (Photon Linux, VMkernel) that do not support standard endpoint detection and response (EDR) agents.
  • Network Visibility: Medium. Visibility requires explicit configuration of VRF segmentation, physical firewalls for North-South traffic, and OS-level iptables logging for East-West traffic.
  • Detection Difficulty: Hard. Detecting these threats requires custom configuration of underlying appliance OS components (auditd bridging, AIDE initialization) that administrators typically treat as unmodifiable black boxes.

Required Log Sources

  • auditd (Linux Audit Daemon)
  • AIDE (File Integrity Monitoring)
  • vCenter Application Events (VmClonedEvent, VmNetworkAdapterAddedEvent)
  • SSO PrincipalManagement Events
  • Photon OS iptables/syslog

Hunting Hypotheses

Each entry lists Hypothesis, Telemetry, ATT&CK Stage and FP Risk.

  • Hypothesis: Threat actors are creating transient local SSO accounts to deploy backdoors. | Telemetry: vCenter SSO Audit Logs (com.vmware.sso.PrincipalManagement) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Attackers are modifying startup scripts or binaries to maintain persistence across reboots. | Telemetry: AIDE Syslog Events (AIDE_TRAP) and auditd (key=startup_scripts, key=execpriv) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Adversaries are executing unauthorized binaries with root privileges on the VCSA. | Telemetry: auditd logs (key=execpriv) tracking execve syscalls | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Threat actors are cloning domain controllers and mounting the VMDKs offline to extract the NTDS.dit database. | Telemetry: vCenter Events (VmClonedEvent followed by VmDiskHotPlugEvent) | ATT&CK Stage: Credential Access / Exfiltration | FP Risk: Medium
  • Hypothesis: Compromised internal assets are attempting to brute-force or access restricted VCSA management ports. | Telemetry: Photon OS iptables logs (VCSA_FW_DROP) correlated with failed login attempts | ATT&CK Stage: Lateral Movement | FP Risk: Low

Control Gaps

  • Lack of native EDR support on VCSA and ESXi.
  • Default VCSA logging does not forward kernel-level auditd logs to remote syslog.
  • VCSA native VAMI firewall lacks egress filtering and granular port control.
  • VCSA shell history (.bash_history) is not forwarded remotely and is easily cleared.

Key Behavioral Indicators

  • AIDE_TRAP syslog tags indicating filesystem differences.
  • auditd events with key="execpriv", key="startup_scripts", or key="privileged".
  • VCSA_FW_DROP kernel messages indicating blocked management access.
  • VmNetworkAdapterAddedEvent on sensitive VMs indicating stealth pivoting.
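The hunting hypotheses table and the behavioral indicators above describe what a SIEM rule over bridged VCSA logs should match on. The script below is an added example written for this summary, not code from the guide or from Mandiant: it triages constructed syslog lines for AIDE_TRAP tags, the tagged auditd keys and VCSA_FW_DROP kernel messages (correlating a dropped source with failed logins), and flags a Tier-0 VmClonedEvent followed by a VmDiskHotPlugEvent. The sample lines, the simplified vCenter event dicts, the TIER0_VMS inventory and all function names are assumptions, and the audisp-syslog, AIDE and iptables LOG formats are approximated.

```python
"""Added example (not from the guide): triage constructed VCSA syslog lines and
vCenter events against the indicators listed above. Every sample line and event
below is constructed; formats approximate audisp-syslog, AIDE and iptables LOG
output as forwarded over syslog."""
import re
from collections import defaultdict

# Audit keys the guide's host-level rules tag privileged activity with.
AUDIT_KEYS = {"execpriv", "startup_scripts", "privileged"}
# VMs treated as Tier-0 (assumed inventory for this example).
TIER0_VMS = {"DC01", "PAM-VAULT"}

AUDIT_KEY_RE = re.compile(r'key="([^"]+)"')
AUDIT_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FW_SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)")
FW_DPT_RE = re.compile(r"\bDPT=(\d+)")
FAILED_LOGIN_RE = re.compile(r"Failed (?:password|login) for .* from (\d+\.\d+\.\d+\.\d+)")


def audit_fields(line):
    """Split an audit record into its key=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in AUDIT_FIELD_RE.findall(line)}


def triage_syslog(lines):
    """Return alerts for AIDE_TRAP, tagged audit keys and VCSA_FW_DROP sources.
    A dropped source that also shows failed logins is marked: a single
    internal host probing blocked management ports and guessing passwords
    is the lateral-movement hypothesis above."""
    alerts = []
    fw_drops = defaultdict(set)   # source IP -> destination ports blocked
    failed_logins = set()         # source IPs seen in failed logins
    for line in lines:
        if "AIDE_TRAP" in line:   # AIDE reported a filesystem difference
            alerts.append({"type": "aide_diff", "line": line})
            continue
        key = AUDIT_KEY_RE.search(line)
        if key and key.group(1) in AUDIT_KEYS:
            f = audit_fields(line)
            alerts.append({"type": "auditd_" + key.group(1), "uid": f.get("uid"),
                           "target": f.get("exe") or f.get("name")})
            continue
        if "VCSA_FW_DROP" in line:
            src, dpt = FW_SRC_RE.search(line), FW_DPT_RE.search(line)
            if src and dpt:
                fw_drops[src.group(1)].add(int(dpt.group(1)))
            continue
        m = FAILED_LOGIN_RE.search(line)
        if m:
            failed_logins.add(m.group(1))
    for src, ports in fw_drops.items():
        alerts.append({"type": "fw_drop", "src": src, "ports": sorted(ports),
                       "failed_login": src in failed_logins})
    return alerts


def clone_then_hotplug(events, window_s=3600):
    """Flag a clone of a Tier-0 VM followed within window_s seconds by a disk
    hot-plug anywhere (clone the DC, attach its VMDK elsewhere, read it offline).
    Events are simplified dicts: ts, type, vm, user, plus source for clones."""
    hits = []
    for c in events:
        if c["type"] != "VmClonedEvent" or c.get("source") not in TIER0_VMS:
            continue
        for e in events:
            if e["type"] == "VmDiskHotPlugEvent" and 0 <= e["ts"] - c["ts"] <= window_s:
                hits.append({"source": c["source"], "clone": c["vm"],
                             "hotplug_vm": e["vm"], "user": e["user"]})
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_SYSLOG = [
    'Mar 31 10:15:02 vcsa audispd: node=vcsa type=SYSCALL msg=audit(1711880102.123:456): arch=c000003e syscall=59 success=yes exit=0 auid=0 uid=0 gid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="execpriv"',
    'Mar 31 10:16:40 vcsa audispd: node=vcsa type=SYSCALL msg=audit(1711880200.001:470): arch=c000003e syscall=257 success=yes exit=3 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="startup_scripts"',
    'Mar 31 10:20:00 vcsa AIDE_TRAP: AIDE found differences between database and filesystem!!',
    'Mar 31 10:25:00 vcsa kernel: VCSA_FW_DROP: IN=eth0 OUT= SRC=10.1.5.23 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN',
    'Mar 31 10:25:01 vcsa kernel: VCSA_FW_DROP: IN=eth0 OUT= SRC=10.1.5.23 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=51235 DPT=5480 SYN',
    'Mar 31 10:25:30 vcsa sshd[3001]: Failed password for root from 10.1.5.23 port 51240 ssh2',
    'Mar 31 10:30:00 vcsa audispd: node=vcsa type=SYSCALL msg=audit(1711881000.5:500): arch=c000003e syscall=59 success=yes exit=0 uid=1001 comm="ls" exe="/usr/bin/ls" key="user_cmd"',
]
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "VmClonedEvent", "vm": "DC01-tmp", "source": "DC01", "user": "svc_backup@vsphere.local"},
    {"ts": 1300, "type": "VmDiskHotPlugEvent", "vm": "jump-01", "user": "svc_backup@vsphere.local"},
    {"ts": 9000, "type": "VmClonedEvent", "vm": "web-02", "source": "web-01", "user": "admin@vsphere.local"},
]

if __name__ == "__main__":
    for a in triage_syslog(SAMPLE_SYSLOG) + clone_then_hotplug(SAMPLE_EVENTS):
        print(a)
```

Run as-is it reports four host-level alerts (an execve as root, a write tagged startup_scripts, the AIDE difference, and 10.1.5.23 being dropped on 22 and 5480 while also failing SSH logins) and one clone-then-hotplug hit for DC01; the non-Tier-0 clone and the key="user_cmd" record produce nothing. In production the same logic would run in the SIEM over the TLS-forwarded syslog stream rather than over a list, and the Tier-0 set would come from inventory tags.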

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Disable SSH enablement via the VAMI interface.
  • Restrict vpxuser shell access on ESXi 8.0+ hosts using 'esxcli system account set -i vpxuser -s false'.
  • Enforce MFA on vCenter web logins.

Infrastructure Hardening

  • Implement VRF segmentation to isolate the Management VLAN from all user and guest VM networks.
  • Configure Photon OS-level iptables with a 'Default Deny' posture instead of relying solely on the VAMI GUI firewall.
  • Enable vSphere VM Encryption and vTPM for all Tier-0 assets (Domain Controllers, PAM vaults).
  • Bridge auditd and AIDE logs to a remote SIEM via TLS-encrypted syslog (TCP 6514).

User Protection

  • Mandate that all vSphere administrative sessions originate from dedicated Privileged Access Workstations (PAWs).
  • Utilize Privileged Access Management (PAM) solutions with credential injection to prevent memory scraping by malware like BRICKSTEAL.

Security Awareness

  • Train administrators to treat the vCenter Server Appliance as Tier-0 infrastructure.
  • Ensure security teams understand that operational vCenter events (e.g., VmClonedEvent) can be indicators of malicious data exfiltration.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1136.001 - Create Account: Local Account
  • T1543 - Create or Modify System Process
  • T1070.002 - Clear Linux or Mac System Logs
  • T1070.003 - Clear Command History
  • T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow
  • T1505.003 - Server Software Component: Web Shell
  • T1090 - Proxy
  • T1537 - Transfer Data to Cloud Account
  • T1562.004 - Impair Defenses: Disable or Modify System Firewall
  • T1021.004 - Remote Services: SSH

Additional IOCs

  • Urls:
    • /manager/text/deploy - Tomcat endpoint targeted for deploying malicious WAR files like SLAYSTYLE (CVE-2026-22769).
    • /rest/com/vmware/cis/session - VAMI endpoint targeted via POST requests prior to unauthorized SSH enablement.
    • /web/saml2/sso/* - Endpoint targeted by BRICKSTEAL for memory scraping and credential theft.
  • File Paths:
    • /etc/rc.local.d - Directory targeted for writing persistence scripts.
    • /root/.ssh/authorized_keys - Targeted for trapdoor persistence by adding unauthorized SSH keys.
    • /home/kos/auditlog/fapi_cl_audit_log.log - Tomcat audit log useful for detecting edge appliance exploitation.
    • /var/log/vmware/vami/vami-httpd.log - VAMI log recording unauthorized management interface access and SSH enablement.
  • Command Lines:
    • Purpose: Disable vpxuser shell access to prevent lateral movement from vCenter to ESXi hosts. | Tools: esxcli | Stage: Defense/Hardening | esxcli system account set -i vpxuser -s false
    • Purpose: Anti-forensics technique to delete local audit logs. | Tools: rm | Stage: Defense Evasion | rm -rf /var/log/audit/*
    • Purpose: Anti-forensics technique to prevent shell commands from being written to bash history. | Tools: unset | Stage: Defense Evasion | unset HISTFILE
    • Purpose: Anti-forensics technique to clear the current shell command history. | Tools: history | Stage: Defense Evasion | history -c
    • Purpose: Enable remote syslog forwarding for auditd events. | Tools: sed | Stage: Defense/Hardening | sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf