With state-sponsored actors increasingly targeting the foundational layers of our digital infrastructure, the threat landscape is shifting from endpoints to the very fabric of virtualization. We’re joined by Maryanne Baines, a leading authority in cloud technology, to dissect the recent warnings about the Brickstorm malware. She will delve into the technical sophistication of this new threat, exploring its methods for achieving unprecedented persistence and stealth within VMware environments. We will discuss the grave implications of hypervisor-level compromise, the resulting blindness of traditional security tools, and what proactive measures organizations must take to defend these critical control planes.
The report mentions Brickstorm’s “self-watching” function for persistence and its use of DNS-over-HTTPS. Can you detail the process of how these features combine to create such a resilient backdoor, and share an example of how this might evade a typical security team’s detection playbook?
Absolutely, the combination is what makes Brickstorm so insidious. Think of them as two sides of the same coin: survival and stealth. The “self-watching” function is a persistence mechanism on steroids. It’s a continuous health check. If a security analyst spots the malicious process and kills it, or if a system reboot interrupts it, the watchdog component immediately reinstalls or restarts the main malware payload. This creates a frustrating game of whack-a-mole for defenders, as the threat just keeps coming back. Then you have the DNS-over-HTTPS, or DoH, for command and control. A typical security playbook involves monitoring network traffic for connections to suspicious IP addresses or unusual DNS lookups. But DoH wraps those DNS queries inside standard, encrypted HTTPS traffic, usually to a legitimate provider like Google or Cloudflare. To a firewall or a network sensor, it just looks like the server is browsing the web securely. The malware’s C2 communications are effectively hidden in a haystack of legitimate encrypted traffic, making traditional signature-based detection almost useless.
Attackers are reportedly targeting VMware vCenter to steal VM snapshots and create rogue virtual machines. Could you walk us through the step-by-step implications of an attacker gaining this level of hypervisor control, and suggest a few key metrics for monitoring this specific kind of activity?
Gaining control of the hypervisor is the keys to the kingdom. It’s the foundational layer upon which the entire virtual environment is built. Once an attacker compromises the vCenter console, they are no longer just another user on the network; they become the architect of that network. The first thing they often do, as noted, is steal VM snapshots, particularly of critical servers like domain controllers. They can clone these snapshots, mount them in their own environment offline, and then use tools to extract cached credentials, service account passwords, and Active Directory secrets without triggering any live security alerts on the production machine. The second implication, creating rogue VMs, gives them a hidden, persistent base of operations. This rogue VM won’t have any of your company’s standard EDR or monitoring agents installed, making it a complete blind spot. From here, they can launch further attacks across the network. For monitoring, organizations must look beyond guest OS logs. Key metrics include tracking the frequency and initiator of VM snapshot creation—any unscheduled snapshot of a domain controller is a massive red flag. Also, monitor for the creation of new VMs outside of established change control windows and look for any abnormal resource consumption at the hypervisor level that can’t be attributed to a known virtual machine.
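As an added example, not from the interview or from any vendor's tooling, here is one way to encode the two vCenter-side checks Baines describes (unscheduled snapshots of domain controllers, VMs created outside change control) and to count snapshot creation per initiator. The event records are constructed and simplified rather than vCenter's real schema, and the host names, accounts and time windows are hypothetical policy values.

```python
from collections import Counter
from datetime import datetime, time

# Constructed, simplified vCenter-style event records; not vCenter's real event schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-02T03:14:00", "event": "snapshot.create", "vm": "dc01", "user": "svc-backup"},
    {"time": "2024-03-02T22:30:00", "event": "snapshot.create", "vm": "dc01", "user": "administrator@vsphere.local"},
    {"time": "2024-03-03T22:41:00", "event": "vm.create", "vm": "tmp-host-7", "user": "administrator@vsphere.local"},
    {"time": "2024-03-04T10:00:00", "event": "vm.create", "vm": "app07", "user": "ops-admin"},
]

# Hypothetical policy values; in practice these come from the CMDB and the change calendar.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
BACKUP_ACCOUNTS = {"svc-backup"}
BACKUP_WINDOW = (time(1, 0), time(4, 0))    # nightly scheduled snapshot window
CHANGE_WINDOW = (time(9, 0), time(17, 0))   # change-control window for new VMs


def in_window(ts, window):
    """True if the timestamp's time of day falls inside the window (handles windows crossing midnight)."""
    start, end = window
    t = ts.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def evaluate(event):
    """Return (severity, reason) when the event violates policy, or None when it is expected activity."""
    ts = datetime.fromisoformat(event["time"])
    kind, vm, user = event["event"], event["vm"], event["user"]
    if kind == "snapshot.create" and vm in DOMAIN_CONTROLLERS:
        scheduled = user in BACKUP_ACCOUNTS and in_window(ts, BACKUP_WINDOW)
        if not scheduled:
            return ("high", f"unscheduled snapshot of domain controller {vm} by {user}")
    if kind == "vm.create" and not in_window(ts, CHANGE_WINDOW):
        return ("medium", f"VM {vm} created outside the change window by {user}")
    return None


def findings(events):
    """Run every event through the policy and return the non-empty findings in order."""
    out = []
    for e in events:
        verdict = evaluate(e)
        if verdict is not None:
            out.append((e["time"], *verdict))
    return out


def snapshots_by_initiator(events):
    """Frequency of snapshot creation per initiating account, the baseline metric Baines mentions."""
    return Counter(e["user"] for e in events if e["event"] == "snapshot.create")
```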
The article highlights a key concern: by targeting the hypervisor, Brickstorm can blind traditional EDR and SIEM tools. What alternative data sources or detection strategies should organizations prioritize to regain visibility, and can you share a story about how attackers have exploited such blind spots before?
This is the crux of the problem. Your security tools, like EDR and many SIEM log collectors, live inside the guest operating systems. When an attacker owns the hypervisor underneath, they can manipulate the reality presented to those tools. It’s like being a puppet master—they can intercept system calls, hide files, or mask network traffic before the EDR agent ever sees it. To regain visibility, you have to shift your focus from the guest to the host. Prioritize ingesting logs directly from the vCenter Server and the ESXi hosts themselves. These logs contain the ground truth of what’s happening at the virtualization layer—API calls, VM power cycles, datastore access, and host-level process execution. Another critical source is network flow data from the management network. In a past incident I reviewed, attackers used a compromised hypervisor to create a rogue VM specifically for data exfiltration. The EDRs on all the production servers saw nothing. The only anomaly was a sustained, high-volume data flow originating from the ESXi host’s own management IP address to an unknown external destination, a behavior that was completely out of character and was the thread that unraveled the entire intrusion.
Brickstorm functions as a SOCKS proxy for lateral movement and uses multiple encryption layers for command and control. Can you provide a hypothetical, step-by-step timeline of how an actor would use these capabilities together to move from a vCenter server to compromise an ADFS server?
It’s a very methodical and patient process. Let’s imagine a timeline. Day 1: The threat actor gains their initial foothold on the VMware vCenter server and deploys the Brickstorm malware. For the next few days, it does nothing but establish its encrypted C2 channel using WebSockets nested inside TLS and DoH, looking like benign traffic. Day 5: The attacker activates the SOCKS proxy function. Now, any action they take will be routed through the vCenter server, making their movements appear as legitimate administrative activity originating from a trusted source. Day 7: They use their vCenter access to clone a recent snapshot of a domain controller. They spend the next week offline, cracking credentials from that snapshot. Day 15: Armed with a compromised domain administrator account, they pivot. Using the SOCKS proxy on vCenter, they connect to the Active Directory Federation Services (ADFS) server. The ADFS server sees a login attempt from the vCenter server’s IP with valid admin credentials, so it raises no flags. From there, they successfully export the sensitive cryptographic keys, as seen in the real-world incident. The entire compromise, from vCenter to ADFS, was laundered through a trusted system and hidden by layers of encryption.
What is your forecast for hypervisor-level threats?
My forecast is that this is just the beginning. For years, the industry has been laser-focused on endpoint and cloud application security, and attackers have taken note. The hypervisor and other management planes have become a soft, high-value target. I predict we will see a significant increase in malware custom-built for specific virtualization platforms, moving beyond just VMware to Hyper-V and cloud-native environments. Attackers will continue to exploit this fundamental blind spot, forcing the security industry to innovate. We’ll see a necessary shift toward “hypervisor-native” security tools and a much stronger emphasis on auditing and monitoring the control plane itself, treating it with the same level of scrutiny we’ve traditionally reserved for our most critical servers. The battleground is moving down the stack, and organizations that fail to adapt their visibility and defenses to this new reality will unfortunately find themselves playing catch-up against an adversary who already owns their foundation.
