BRICKSTORM Malware Targets VMware vSphere – Urgent Hardening Required, Warn GTIG and Mandiant
Breaking: BRICKSTORM Campaign Exploits Virtualization Layer Weaknesses
A sophisticated malware campaign dubbed BRICKSTORM is actively targeting VMware vSphere environments, exploiting weak security configurations to gain persistent administrative control over the virtualization layer, according to new research from Google Threat Intelligence Group (GTIG). The threat specifically targets vCenter Server Appliance (VCSA) and ESXi hypervisors, operating beneath the guest operating systems and therefore out of reach of the endpoint detection and response (EDR) tools deployed inside them.

“These intrusions are not the result of a software vulnerability but rather the exploitation of weak security architecture, identity design, and a critical visibility gap in the virtualization control plane,” a GTIG researcher stated. The attack chain establishes long-term persistence inside the vSphere ecosystem, which effectively bypasses an organization's tiering model: whoever controls the hypervisor controls every guest running on it, tier-0 systems included.
Background: The Virtualization Layer Blind Spot
Virtualized environments, particularly VMware vSphere, have become prime targets for advanced persistent threats. The VCSA is the central administrative hub for ESXi hosts that frequently run tier‑0 workloads such as domain controllers and privileged access management solutions. A compromise of the VCSA therefore grants an attacker administrative control over every managed ESXi host and, through the hosts, every virtual machine they run.
Because standard security protections such as EDR agents do not run on the VCSA's Photon OS layer (or on ESXi itself), attackers operating there can go unnoticed. “By persisting at the virtualization layer, threat actors bypass guest‑OS security controls entirely,” explained a Mandiant incident response expert. “This creates a blind spot that traditional security teams often overlook.”
What This Means: A Paradigm Shift for Infrastructure Defense
The BRICKSTORM campaign underscores the urgent need to treat virtualization infrastructure as a tier‑0 asset requiring dedicated hardening. Organizations must move beyond out‑of‑the‑box defaults and implement custom security configurations at both the vSphere and underlying Photon Linux layers.

Mandiant has released a vCenter Hardening Script that automates security configuration directly on the VCSA's Photon OS, aimed at narrowing that visibility gap. “This script enforces the essential hardening strategies and mitigating controls necessary to detect and block threats like BRICKSTORM,” a Mandiant representative noted. The goal is to bring the virtualization layer under the same monitoring and hardening discipline as the tier‑0 systems it hosts.
Key Recommendations for Defenders
- Immediately apply the Mandiant vCenter Hardening Script to enforce baseline security on all VCSA instances.
- Implement host‑based configuration enforcement for ESXi hypervisors to prevent unauthorized changes.
- Increase monitoring of the vSphere control plane using log aggregation and behavior analytics tailored for the virtualization layer.
- Review identity and access management within vSphere to eliminate over‑privileged accounts and weak authentication.
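As an added illustration of the monitoring recommendation above (this is example code written for this page, not tooling from GTIG, Mandiant or the article), the following Python script scans ESXi vobd.log-style audit events for changes that widen remote administrative access to a host: SSH or ESXi Shell enabled, lockdown mode disabled, repeated login failures. It escalates such changes when they land outside a change window and raises one composite alert when several of them cluster within a few minutes. The log layout, the sample lines, the VOB identifiers in the watchlist, the 06:00–22:00 UTC change window and the ten-minute clustering window are all assumptions made for the example.

```python
"""Flag control-plane audit events in ESXi vobd.log-style lines.

Added example for monitoring the vSphere control plane; not the GTIG/Mandiant
tooling. Log format, VOB identifiers, sample data and thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines approximating /var/log/vobd.log on an ESXi host.
# Not taken from the article or from any real incident.
SAMPLE_VOBD_LOG = """\
2025-03-01T02:14:07.512Z: [UserLevelCorrelator] 8123456us: [esx.audit.ssh.enabled] SSH access has been enabled.
2025-03-01T02:14:09.020Z: [UserLevelCorrelator] 8124990us: [esx.audit.shell.enabled] ESXi Shell has been enabled.
2025-03-01T02:15:30.001Z: [UserLevelCorrelator] 8206001us: [esx.audit.lockdownmode.disabled] Administrator access to the host has been enabled.
2025-03-01T02:16:00.100Z: [GenericCorrelator] 8236100us: [esx.audit.account.loginfailures] Multiple remote login failures detected for user root.
2025-03-01T09:00:00.000Z: [UserLevelCorrelator] 9000000us: [esx.audit.ssh.disabled] SSH access has been disabled.
2025-03-01T10:00:00.000Z: [GenericCorrelator] 9600000us: [esx.problem.net.connectivity.lost] Lost network connectivity on virtual switch vSwitch0.
"""

# Assumed line layout: "<ISO timestamp>Z: [<correlator>] <uptime>us: [<vob id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z: \[(?P<correlator>[^\]]+)\] (?P<uptime>\d+)us: "
    r"\[(?P<vob>[^\]]+)\] (?P<msg>.*)$"
)

# Watchlist of VOB ids -> (base severity, description). Assumed for the example.
WATCHLIST = {
    "esx.audit.ssh.enabled": ("high", "SSH service enabled"),
    "esx.audit.shell.enabled": ("high", "ESXi Shell enabled"),
    "esx.audit.lockdownmode.disabled": ("high", "Lockdown mode disabled"),
    "esx.audit.dcui.enabled": ("medium", "DCUI enabled"),
    "esx.audit.account.loginfailures": ("medium", "Repeated login failures"),
    "esx.audit.account.locked": ("medium", "Account locked after failures"),
    "esx.audit.ssh.disabled": ("info", "SSH service disabled"),
    "esx.audit.shell.disabled": ("info", "ESXi Shell disabled"),
    "esx.audit.lockdownmode.enabled": ("info", "Lockdown mode enabled"),
}
# Events that each widen the remote-admin surface of a host.
SURFACE_OPENERS = {"esx.audit.ssh.enabled", "esx.audit.shell.enabled",
                   "esx.audit.lockdownmode.disabled"}
# Assumed change window: 06:00-22:00 UTC; anything else counts as off-hours.
OFF_HOURS_START, OFF_HOURS_END = 22, 6


@dataclass
class VobEvent:
    ts: datetime
    vob: str
    msg: str


@dataclass
class Alert:
    ts: datetime
    severity: str
    vob: str
    reason: str


def parse_vobd(text: str) -> list[VobEvent]:
    """Parse vobd-style lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
        events.append(VobEvent(ts, m["vob"], m["msg"]))
    return events


def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def find_alerts(events: list[VobEvent], window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """One alert per watched event (escalated off-hours), plus one composite
    alert per run of surface-opening changes that fall within `window`."""
    alerts = []
    for ev in events:
        if ev.vob not in WATCHLIST:
            continue
        severity, reason = WATCHLIST[ev.vob]
        if severity != "info" and is_off_hours(ev.ts):
            severity, reason = "high", reason + " outside change window"
        alerts.append(Alert(ev.ts, severity, ev.vob, reason))

    # Several surface-opening changes in quick succession is the pattern worth
    # paging on, whatever each change looks like on its own.
    opened = sorted(e.ts for e in events if e.vob in SURFACE_OPENERS)
    in_cluster = False
    for prev, cur in zip(opened, opened[1:]):
        if cur - prev <= window:
            if not in_cluster:
                alerts.append(Alert(cur, "critical", "composite",
                                    "Multiple remote-admin surface changes within %s" % window))
                in_cluster = True
        else:
            in_cluster = False
    alerts.sort(key=lambda a: a.ts)  # stable sort keeps event before its composite
    return alerts


def severity_counts(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_alerts(parse_vobd(SAMPLE_VOBD_LOG)):
        print(f"{a.ts.isoformat()} {a.severity:8} {a.vob:36} {a.reason}")
```

On the constructed sample the script emits four high-severity alerts (three surface-opening changes plus the login-failure burst escalated for off-hours), one critical composite alert at the second of the clustered changes, and an informational alert for the later SSH disable; the storage-unrelated network VOB is ignored. In practice the same logic would run over vobd.log and hostd.log shipped via syslog to the aggregation tier, with the change window and watchlist tuned per environment.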
Given the sophistication of BRICKSTORM, defenders are urged to prioritize these measures as a critical part of their security strategy. The threat is active, and the window to harden environments is narrowing.
For more details on the technical attack chain, refer to the original GTIG report. The Mandiant hardening script and additional guidance are available through official channels.