BRICKSTORM Malware Targets VMware vSphere: Urgent Hardening Guide for Defenders

2026-05-04 14:01:14

Breaking: BRICKSTORM Malware Exploits Weak vSphere Security – No Vulnerability Required

Threat actors are actively targeting VMware vSphere environments using the BRICKSTORM malware, establishing persistence at the virtualization layer where traditional security tools fail. Google Threat Intelligence Group (GTIG) researchers have identified this campaign as a critical risk to vCenter Server Appliance (VCSA) and ESXi hypervisors.

BRICKSTORM Malware Targets VMware vSphere: Urgent Hardening Guide for Defenders
Source: www.mandiant.com

“These intrusions are not the result of a product vulnerability,” said Stuart Carrera, Mandiant security researcher. “They exploit weak security architecture, poor identity design, and limited visibility within the virtualization layer.” The attack chain allows adversaries to operate beneath guest operating systems, bypassing endpoint detection and response (EDR) agents entirely.

Background: The Virtualization Visibility Gap

Virtualized control planes like vCenter and ESXi have historically received less security focus than traditional endpoints. They do not support standard EDR agents, creating a significant visibility gap that attackers exploit to maintain long-term persistence. BRICKSTORM specifically targets the VMware vSphere ecosystem, aiming for administrative control over every managed host and virtual machine.

“It’s a Tier-0 compromise,” Carrera added. “An attacker gains the same classification and risk profile as the highly sensitive assets the platform hosts, such as domain controllers or PAM solutions.” This means the entire organizational network becomes vulnerable once the virtualization layer is breached.

What This Means: Urgent Need for Infrastructure-Centric Defense

Organizations must treat the virtualization layer as a Tier-0 security asset requiring intentional, custom hardening. Relying on out-of-the-box defaults is insufficient. The VCSA, running on Photon Linux, typically hosts critical workloads like domain controllers and privileged access management solutions.

To address this, Mandiant has released a vCenter Hardening Script that enforces security configurations directly at the Photon Linux layer. “This script automates many of the recommended hardening steps,” said Carrera, “transforming the virtualization layer into a hardened environment capable of detecting and blocking persistent threats like BRICKSTORM.”

Key Mitigations for Defenders

For details on implementing the hardening script, see the full background section above and the original Mandiant guide.

Expert Perspective

“These operations directly target the VMware vSphere ecosystem, specifically the VCSA and ESXi hypervisors,” the GTIG report states. “Attackers are not exploiting vulnerabilities; they’re exploiting weak security practices.” This underscores the urgency for organizations to immediately review their vSphere security posture.

Carrera concludes: “By implementing these recommendations, organizations can close the visibility gap and prevent adversaries from achieving long-term persistence at the virtualization layer.”
