Executive Summary
In mid-2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that Chinese state-sponsored hackers deployed the 'BrickStorm' malware to backdoor vulnerable VMware vSphere servers across multiple U.S. critical infrastructure sectors. Attackers exploited unpatched or insecurely configured vSphere environments to gain initial access, install persistent web shells, and enable lateral movement within networks. The campaign featured advanced evasion tactics, strong operational security, and targeted high-value assets, risking confidential data exposure, business disruption, and regulatory non-compliance for affected organizations.
This attack exemplifies a rising trend of sophisticated supply-chain and infrastructure attacks leveraging known vulnerabilities in virtualized server environments. With ongoing exploitation by nation-state actors and renewed regulatory focus on asset protection, organizations must reevaluate their segmentation, patching, and east-west visibility controls to mitigate similar threats.
Why This Matters Now
This incident highlights urgent risks from APTs leveraging advanced malware to target critical virtualization platforms, which are central to many organizations’ operations. The ongoing exploitation underscores the importance of rapid patching, robust segmentation, and improved east-west threat visibility to prevent deep and persistent breaches across hybrid and multi-cloud environments.
Attack Path Analysis
Attackers exploited vulnerabilities or misconfigurations on publicly exposed VMware vSphere servers to deliver the BrickStorm malware. After gaining initial access, they escalated privileges to obtain administrative control of the target environment. The threat actors then moved laterally along east-west network paths to compromise additional systems and virtual workloads. For persistence and remote control, the malware established encrypted command-and-control (C2) channels. Data of interest was exfiltrated to external servers over covert or otherwise authorized egress paths. Finally, the attackers maintained long-term access for espionage or launched disruptive actions that could affect system availability or integrity.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited exposed VMware vSphere services or unpatched vulnerabilities to gain an initial foothold by deploying the BrickStorm malware.
Related CVEs
CVE-2023-34048
CVSS 9.8 – An out-of-bounds write vulnerability in VMware vCenter Server allows a remote attacker to execute arbitrary code.
Affected Products:
VMware vCenter Server – 7.0, 8.0
Exploit Status:
exploited in the wild
CVE-2021-22005
CVSS 9.8 – An arbitrary file upload vulnerability in VMware vCenter Server allows a remote attacker to execute code.
Affected Products:
VMware vCenter Server – 6.5, 6.7, 7.0
Exploit Status:
exploited in the wild
CVE-2023-20867
CVSS 7.8 – An authentication bypass vulnerability in VMware Tools allows an attacker to execute commands on guest VMs.
Affected Products:
VMware Tools – 11.x, 12.x
Exploit Status:
exploited in the wild
CVE-2023-46805
CVSS 9.8 – An authentication bypass vulnerability in Ivanti Connect Secure allows a remote attacker to execute arbitrary code.
Affected Products:
Ivanti Connect Secure – 9.x, 10.x
Exploit Status:
exploited in the wild
CVE-2024-21887
CVSS 9.1 – A command injection vulnerability in Ivanti Connect Secure allows a remote attacker to execute arbitrary commands.
Affected Products:
Ivanti Connect Secure – 9.x, 10.x
Exploit Status:
exploited in the wild
CVE-2023-46747
CVSS 9.8 – An authentication bypass vulnerability in F5 BIG-IP allows a remote attacker to execute arbitrary system commands.
Affected Products:
F5 BIG-IP – 16.x, 17.x
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Create Account
Command and Scripting Interpreter: PowerShell
Event Triggered Execution
Impair Defenses
Valid Accounts
Ingress Tool Transfer
Remote Services: SMB/Windows Admin Shares
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 8
CISA ZTMM 2.0 – Privileged Access Management
Control ID: Identity – 1.2
NIS2 Directive – Incident Handling Procedures
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
VMware vSphere servers targeted by Chinese BrickStorm APT malware create critical vulnerabilities in IT infrastructure requiring enhanced zero trust segmentation and threat detection capabilities.
Financial Services
Chinese APT attacks on VMware infrastructure threaten financial data integrity, demanding strengthened east-west traffic security, encrypted communications, and compliance with PCI/NIST frameworks.
Health Care / Life Sciences
BrickStorm malware targeting VMware servers poses severe HIPAA compliance risks, requiring multicloud visibility, anomaly detection, and secure hybrid connectivity for protected health information.
Government Administration
CISA warnings highlight critical national security implications of Chinese APT backdoors in government VMware infrastructure, necessitating immediate egress security and intrusion prevention measures.
Sources
- CISA warns of Chinese "BrickStorm" malware attacks on VMware servers – https://www.bleepingcomputer.com/news/security/cisa-warns-of-chinese-brickstorm-malware-attacks-on-vmware-servers/
- Joint malware analysis report on Brickstorm backdoor – https://www.cyber.gc.ca/en/news-events/joint-malware-analysis-report-brickstorm-backdoor
- CISA Joint Advisory Warns Critical Infrastructure of BRICKSTORM Malware Used by Chinese State-Sponsored Actors – https://www.hstoday.us/subject-matter-areas/cybersecurity/cisa-joint-advisory-warns-critical-infrastructure-of-brickstorm-malware-used-by-chinese-state-sponsored-actors/
- Chinese hackers used Brickworm malware to breach critical US infrastructure – https://www.techradar.com/pro/security/chinese-hackers-used-brickworm-malware-to-breach-critical-us-infrastructure
- Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a time – https://www.itpro.com/security/malware/chinese-hackers-are-using-stealthy-and-resilient-brickstorm-malware-to-target-vmware-servers-and-hide-in-networks-for-months-at-a-time
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems – https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, east-west visibility, and strong policy-driven controls from the Cloud Network Security Framework would have limited unauthorized lateral movement, enforced least privilege, and blocked suspicious egress used by BrickStorm. Real-time detection and microsegmentation would restrict attack propagation and surface actionable alerts for rapid response.
Control: Cloud Firewall (ACF)
Mitigation: Block or restrict inbound traffic to vulnerable workloads.
Control: Zero Trust Segmentation
Mitigation: Constrain movement to only explicitly authorized communications.
Control: East-West Traffic Security
Mitigation: Detect and restrict unauthorized lateral traffic in real time.
Control: Inline IPS (Suricata)
Mitigation: Identify and block known C2 traffic based on threat intelligence.
Control: Egress Security & Policy Enforcement
Mitigation: Alert or block unauthorized outbound data transfers.
Mitigation: Generate real-time alerts for malware behaviors and anomalous activity.
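The Zero Trust Segmentation, East-West Traffic Security and Egress Security controls above all reduce to the same check: every flow leaving the vSphere management segment is compared against an explicit allowlist, and anything else is alerted on or blocked. The script below is an added illustration of that check, written for this page and not code from the vendor, CISA, or the joint advisory. The flow-record format, the management and internal subnets, the allowlisted peers, the volume threshold and the sample flows are all constructed assumptions; in a real deployment the policy comes from the segmentation tool and the flows from the cloud firewall or flow-log export.

```python
"""Allowlist-based east-west and egress policy check for a vSphere management
segment (constructed example; all addresses, ports and thresholds are assumed)."""
import ipaddress
from dataclasses import dataclass

# Assumed segment that houses vCenter and ESXi management interfaces.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
# Assumed corporate address space; anything outside it is treated as egress.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed zero-trust policy: a management host may only reach these
# (destination network, destination port) pairs inside the estate.
ALLOWED_EASTWEST = {
    (ipaddress.ip_network("10.10.0.0/24"), 443),  # vCenter <-> ESXi management
    (ipaddress.ip_network("10.20.5.0/24"), 636),  # LDAPS to identity servers
    (ipaddress.ip_network("10.20.6.0/24"), 514),  # syslog export
}
# Assumed egress allowlist: only the vendor update endpoint (constructed range).
ALLOWED_EGRESS = {(ipaddress.ip_network("203.0.113.0/24"), 443)}
# Total egress above this many bytes from one host in the window is flagged as a
# possible bulk transfer even when every destination was individually allowed.
EGRESS_BYTES_THRESHOLD = 50_000_000

# Constructed flow records: "<src> <dst> <dst_port> <proto> <bytes>".
SAMPLE_FLOWS = [
    "10.10.0.5 10.10.0.12 443 tcp 12000",         # vCenter to ESXi: allowed
    "10.10.0.5 10.20.5.10 636 tcp 3000",          # LDAPS: allowed
    "10.10.0.5 10.30.8.40 445 tcp 900000",        # SMB into server segment: lateral
    "10.10.0.5 203.0.113.20 443 tcp 1500",        # vendor endpoint: allowed egress
    "10.10.0.5 198.51.100.77 443 tcp 60000000",   # unknown external host, large: egress
    "10.30.8.40 10.10.0.5 443 tcp 500",           # not from the segment: out of scope
]


@dataclass
class Alert:
    kind: str     # "lateral", "egress" or "volume"
    src: str
    dst: str      # "*" for per-host volume alerts
    port: int     # 0 for per-host volume alerts
    nbytes: int


def parse_flow(line):
    """Split one flow record into typed fields."""
    src, dst, port, proto, nbytes = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto, int(nbytes)


def _permitted(dst, port, policy):
    """True when some (network, port) entry in the policy covers this destination."""
    return any(dst in net and port == p for net, p in policy)


def evaluate(lines):
    """Return alerts for flows that originate in the management segment and
    violate the east-west or egress allowlist, plus per-host volume alerts."""
    alerts = []
    egress_totals = {}
    for line in lines:
        src, dst, port, _proto, nbytes = parse_flow(line)
        if src not in MGMT_NET:
            continue  # only traffic leaving the management segment is in scope
        if dst in INTERNAL_NET:
            if not _permitted(dst, port, ALLOWED_EASTWEST):
                alerts.append(Alert("lateral", str(src), str(dst), port, nbytes))
        else:
            if not _permitted(dst, port, ALLOWED_EGRESS):
                alerts.append(Alert("egress", str(src), str(dst), port, nbytes))
            egress_totals[src] = egress_totals.get(src, 0) + nbytes
    for src, total in egress_totals.items():
        if total > EGRESS_BYTES_THRESHOLD:
            alerts.append(Alert("volume", str(src), "*", 0, total))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_FLOWS):
        print(f"{a.kind:8} {a.src} -> {a.dst}:{a.port} ({a.nbytes} bytes)")
```

Destination checks are deliberately allowlist-only: a blocklist of known C2 addresses (the Inline IPS role) catches what threat intelligence already names, while the allowlist catches a management host talking to any peer it has no business reaching, which is the behaviour the lateral-movement and exfiltration stages above depend on. The volume alert is a separate signal because an attacker who tunnels through an allowed destination still has to move the data.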
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
- Security Operations
Estimated downtime: 30 days
Estimated loss: $5,000,000
Potential exposure of sensitive data, including credentials, cryptographic keys, and confidential organizational information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce robust perimeter access controls using centralized cloud firewalls to limit direct access to critical management services.
- Apply zero trust segmentation to workloads and tightly restrict lateral movement with microsegmentation policies.
- Continuously monitor and inspect east-west and egress traffic for threat signatures, anomalies, and unauthorized data transfer attempts.
- Deploy inline IPS and real-time anomaly detection to quickly identify and respond to C2 and persistence mechanisms.
- Regularly audit network exposure and privilege assignments, ensuring the principle of least privilege across cloud and hybrid infrastructure.