VerdantBamboo Uses BRICKSTORM to Breach Firewalls and Appliances

A cyber-espionage campaign attributed to a Chinese state-backed group shows how long an intruder can live inside network appliances without being noticed. The group, tracked as VerdantBamboo, used the BRICKSTORM malware to infiltrate firewalls, storage systems, and other network appliances, and held that access for well over a year before it was detected.

First uncovered by Volexity, the operation shows how advanced persistent threat (APT) actors increasingly target edge infrastructure: appliances and firewalls on which endpoint agents usually cannot run, and which traditional endpoint security therefore never sees.

Key Details

The intrusion came to light when investigators detected suspicious outbound traffic from an Egnyte Storage Sync appliance inside a corporate network.

Instead of communicating only with legitimate Egnyte servers, the compromised system:

  • Connected to attacker-controlled domains
  • Routed that traffic through Cloudflare-proxied domains, so the destination IPs belonged to Cloudflare rather than to the attacker's own servers
  • Resolved names with DNS-over-HTTPS to Google's public resolver (8.8.8.8), so the lookups never passed through the internal resolvers where DNS logging would have recorded them
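
The two network tells above (DNS-over-HTTPS to a public resolver, and HTTPS to a host outside the vendor's domain, fronted by a Cloudflare address) are easy to catch if each appliance has a profile of what it is allowed to talk to. The script below is an added example written for this article, not Volexity's tooling or the article's own code. The flow records, the appliance profile (a single Egnyte sync appliance allowed to reach `*.egnyte.com` and two internal resolvers) and the Cloudflare ranges are constructed or assumed for illustration; the IP addresses come from documentation ranges.

```python
"""Profile-based detection of an appliance talking to the wrong places.

Added example for this article; not Volexity's tooling or the article's own
code. The flow log, the appliance profile and the resolver/Cloudflare lists
are constructed or assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Public resolvers that also answer DNS-over-HTTPS on tcp/443 (assumed list).
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
DOH_SNI = {"dns.google", "cloudflare-dns.com"}
# Two ranges from Cloudflare's published list, used here as an illustration;
# refresh from https://www.cloudflare.com/ips/ before relying on them.
CLOUDFLARE_RANGES = [ipaddress.ip_network("104.16.0.0/13"),
                     ipaddress.ip_network("172.64.0.0/13")]

# What each profiled appliance is allowed to talk to (assumed values).
PROFILE = {
    "10.20.5.7": {                          # Egnyte Storage Sync appliance
        "vendor_suffixes": (".egnyte.com",),
        "resolvers": {"10.20.0.10", "10.20.0.11"},
    },
}

# Constructed flow log: timestamp src dst dport sni bytes ("-" = no SNI seen)
SAMPLE_FLOWS = """\
2025-03-01T10:00:01Z 10.20.5.7 198.51.100.14 443 sync.egnyte.com 5120
2025-03-01T10:00:09Z 10.20.5.7 8.8.8.8 443 dns.google 842
2025-03-01T10:00:10Z 10.20.5.7 104.16.0.22 443 cdn-updates.example 1964
2025-03-01T10:05:00Z 10.20.5.7 10.20.0.10 53 - 120
2025-03-01T10:07:00Z 10.20.5.9 8.8.8.8 443 dns.google 600
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str
    nbytes: int


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, sni, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), sni, int(nbytes)))
    return flows


def in_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def analyse(flows, profile):
    """Return (ts, src, finding, detail) tuples for profiled appliances."""
    findings = []
    for f in flows:
        p = profile.get(f.src)
        if p is None:
            continue                        # not an appliance we profile
        if f.dport == 443 and (f.dst in DOH_RESOLVERS or f.sni in DOH_SNI):
            # DoH from a box that should only use the internal resolvers:
            # these lookups never reach the DNS logs.
            findings.append((f.ts, f.src, "DoH to public resolver",
                             f"{f.dst} sni={f.sni}"))
        elif f.dport == 53 and f.dst not in p["resolvers"]:
            findings.append((f.ts, f.src, "DNS bypassing internal resolvers", f.dst))
        elif f.dport == 443 and not f.sni.endswith(p["vendor_suffixes"]):
            tag = "HTTPS to non-vendor host"
            if in_cloudflare(f.dst):
                # The IP belongs to Cloudflare, not to whoever owns the name,
                # so alert and block on the name (SNI), never on the IP.
                tag += " (Cloudflare-fronted)"
            findings.append((f.ts, f.src, tag, f"{f.dst} sni={f.sni}"))
    return findings


def run_sample():
    return analyse(parse_flows(SAMPLE_FLOWS), PROFILE)


if __name__ == "__main__":
    for ts, src, what, detail in run_sample():
        print(f"{ts} {src} {what}: {detail}")
```

On the constructed log this raises two findings for 10.20.5.7 (the DoH session and the Cloudflare-fronted HTTPS session) and nothing for the legitimate vendor sync or the internal DNS query; the second appliance is ignored because it has no profile. The point of the Cloudflare tag is operational: a Cloudflare address is shared by thousands of tenants, so the response has to be to block or sinkhole the name, not the IP.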

Further investigation revealed that VerdantBamboo had:

  • Maintained access for at least 18 months
  • Compromised both the victim organization and its Managed Services Provider (MSP)
  • Used stolen credentials to bypass standard security controls

Even after initial remediation, the attackers re-entered the environment by:

  • Logging into exposed firewalls
  • Establishing malicious VPN tunnels
  • Deploying new backdoors on a Synology NAS device

Technical Analysis

BRICKSTORM Malware Architecture

At the center of the campaign is BRICKSTORM, a custom-built remote access trojan (RAT):

  • Written in Golang
  • Modular and customizable per target
  • Designed for environments lacking EDR visibility

On affected systems, BRICKSTORM was deployed in:

  • /usr/sbin/ on Egnyte appliances
  • /usr/local/libexec/ipsec/blacklist on pfSense firewalls

It was executed manually or via persistence mechanisms such as:

  • Modified cron jobs
  • Startup service configurations
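
Because the implant lived in trusted system directories and was started from cron, the useful check on an appliance is not "is this binary known bad" but "is this job one the vendor image ships". The script below is an added example for this article, not Volexity's tooling or Egnyte's code. The crontab it parses is constructed: the directories match the ones the article names, but the file names `egnyte-auditd` and `sync_housekeeping` are invented, and the baseline of expected jobs is an assumption you would build from a clean appliance.

```python
"""Audit cron entries on an appliance against a baseline of expected jobs.

Added example for this article, not Volexity's tooling or vendor code. The
crontab is constructed: directories follow the article, file names are
invented, and BASELINE is an assumed list taken from a "clean" box.
"""
import re
import shlex

ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*=")
SHELLS = {"sh", "bash", "/bin/sh", "/bin/bash", "/usr/local/bin/bash"}
OPERATORS = {"&&", "||", ";", "|", "&"}
BUILTINS = {"cd", "test", "[", "true", "sleep"}    # never the payload on their own

# Constructed /etc/crontab of an Egnyte-style appliance (has a user column).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * egnyte /usr/local/bin/egnyte/sync_housekeeping --quiet
*/5 * * * * root /usr/sbin/egnyte-auditd >/dev/null 2>&1
@reboot root sh -c "/usr/local/bin/egnyte/egnyte_host_monitor_client &"
"""

# Jobs the vendor image is known to ship (assumed; build it from a clean box).
BASELINE = {"run-parts", "/usr/local/bin/egnyte/sync_housekeeping"}


def cron_entries(text, has_user_field):
    """Yield (schedule, user, command). has_user_field=True for /etc/crontab
    and /etc/cron.d files, False for per-user crontabs (crontab -l)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue
        n = 1 if line.startswith("@") else 5        # @reboot vs five time fields
        k = n + (1 if has_user_field else 0)
        parts = line.split(None, k)
        if len(parts) != k + 1:
            continue                                 # malformed; log it in a real tool
        yield " ".join(parts[:n]), (parts[n] if has_user_field else None), parts[k]


def executables_of(command):
    """Every program a command line starts, looking through 'sh -c' wrappers
    and shell operators. shlex keeps '&&', '|' and ';' as tokens, which is
    what the segments are split on."""
    try:
        toks = shlex.split(command)
    except ValueError:                               # unbalanced quotes
        return {command.split()[0]}
    exes, segment = set(), []
    for tok in toks + [";"]:
        if tok in OPERATORS:
            exes |= _segment_exe(segment)
            segment = []
        else:
            segment.append(tok)
    return exes


def _segment_exe(toks):
    while toks and ASSIGNMENT.match(toks[0]):       # leading VAR=value
        toks = toks[1:]
    if not toks:
        return set()
    if toks[0] in SHELLS and len(toks) >= 3 and toks[1] == "-c":
        return executables_of(toks[2])               # recurse into sh -c "..."
    return {toks[0]}


def audit_cron(text, has_user_field, baseline):
    findings = []
    for sched, user, cmd in cron_entries(text, has_user_field):
        for exe in sorted(executables_of(cmd) - BUILTINS - baseline):
            # A job that runs as root or at boot is a full persistence
            # foothold, not merely an oddity.
            sev = "high" if user == "root" or sched == "@reboot" else "medium"
            findings.append({"severity": sev, "schedule": sched,
                             "user": user, "exe": exe, "command": cmd})
    return findings


def run_sample():
    return audit_cron(SAMPLE_CRONTAB, True, BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['schedule']} {f['user']}: {f['exe']}")
```

On the constructed crontab the two vendor jobs pass and two findings come back, both high: a root job every five minutes for an unknown binary under /usr/sbin, and an @reboot job that starts the host-monitor path the article attributes to AGENTPSD. Feed the real tool the contents of /etc/crontab, /etc/cron.d/* and each user's `crontab -l` output (with `has_user_field=False` for the last), and keep the baseline on a host the appliance cannot write to.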

Multi-Platform Deployment

The malware exists in multiple variants:

  • Linux ELF binaries for storage appliances
  • FreeBSD-compatible version for pfSense firewalls

To evade detection:

  • Code was obfuscated using gobfuscate
  • The implant wrote little to local logs and kept its network footprint small

Additional Malware Tooling

VerdantBamboo’s toolkit included:

1. PLENET

  • Cross-platform backdoor
  • Built with .NET Core (Native AOT)
  • Designed for stealth and anti-analysis

2. AGENTPSD

  • Lightweight Python reverse shell
  • Used as a fallback means of access
  • Installed at:
    • /usr/local/bin/egnyte/egnyte_host_monitor_client

Command-and-Control (C2) Techniques

The malware communicated with attacker infrastructure using:

  • HTTPS connections on port 443
  • Cloudflare-backed domains
  • OpenBSD-based SSH clients

Volexity identified a Censys fingerprint that matched the C2 servers. Shortly after the activity was detected, all related infrastructure went offline, which suggests the operators watch for exposure and retool quickly.

MITRE ATT&CK Mapping

The campaign aligns with:

  • T1190 – Exploit Public-Facing Application
  • T1078 – Valid Accounts (credential abuse)
  • T1105 – Ingress Tool Transfer
  • T1053.003 – Scheduled Task/Job: Cron (cron-based persistence)
  • T1547 – Boot or Logon Autostart Execution (startup service configurations)
  • T1567 – Exfiltration Over Web Service

Impact and Risks

Long-Term Undetected Access

The ability to maintain presence for 18 months highlights:

  • Gaps in monitoring non-traditional systems
  • Lack of visibility into appliances and embedded devices

Supply Chain Compromise via MSP

By breaching the MSP, attackers gained:

  • Credential access
  • Network topology insights
  • Indirect entry into downstream clients

This significantly amplifies the impact across multiple organizations.

Edge Device Targeting

Firewalls, NAS systems, and sync appliances:

  • Often lack EDR coverage
  • Are exposed to the internet
  • Serve as ideal entry points for persistent access

Resilient Re-Entry Techniques

The group’s ability to regain access after eviction demonstrates:

  • Strong operational discipline
  • Credential reuse exploitation
  • Multi-layered persistence strategies

Expert Recommendations

1. Secure Edge Infrastructure

  • Restrict direct internet access to:
    • Firewalls
    • NAS systems
    • Sync appliances
  • Enforce multi-factor authentication (MFA)

2. Patch Known Vulnerabilities

  • Apply updates for:
    • Egnyte Storage Sync (patched in v13.13)
  • Regularly audit firmware versions

3. Monitor Network Traffic

  • Detect:
    • Unusual outbound HTTPS traffic
    • DNS-over-HTTPS anomalies
  • Investigate connections to unknown domains

4. Audit Privileged Accounts

  • Review sudo permissions
  • Remove unintended privilege escalation paths

5. Implement Compensating Controls

For systems lacking EDR:

  • File integrity monitoring (FIM)
  • Network segmentation
  • Strict access controls
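
File integrity monitoring is the compensating control that would have surfaced both implants described earlier: a new executable dropped into /usr/sbin or /usr/local/libexec/ipsec, and an edited startup script. The script below is an added example for this article, not the article's own code and not any vendor's FIM product. The directory tree it builds is constructed: the watched directories are the ones the article names, the file names in them are invented except `blacklist`, which is the path the article gives for the pfSense BRICKSTORM sample.

```python
"""Baseline-and-diff file integrity check for appliance directories.

Added example for this article; not the article's or any vendor's code. The
tree in demo() is constructed: watched directories follow the article, the
file names are invented apart from 'blacklist'.
"""
import hashlib
import json
import os
import tempfile

WATCHED = ["usr/sbin", "usr/local/libexec/ipsec", "usr/local/etc/rc.d"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, watched=WATCHED):
    """Record hash, mode and size of every regular file under the watched
    directories, keyed by path relative to root. Symlinks are recorded by
    target and not followed, so a link repointed at a new binary shows up."""
    manifest = {}
    for rel in watched:
        top = os.path.join(root, rel)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                key = os.path.relpath(full, root)
                if os.path.islink(full):
                    manifest[key] = {"link": os.readlink(full)}
                    continue
                st = os.lstat(full)
                manifest[key] = {"sha256": sha256_file(full),
                                 "mode": oct(st.st_mode & 0o7777),
                                 "size": st.st_size}
    return manifest


def compare(baseline, current):
    """Added files matter as much as modified ones: a dropped binary in a
    trusted directory is exactly what a hash check of known files misses."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o755):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Build a clean tree, snapshot it, then simulate the post-compromise
    state the article describes and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/sbin/sshd", b"\x7fELF clean sshd")
        _write(root, "usr/local/libexec/ipsec/charon", b"\x7fELF clean charon")
        _write(root, "usr/local/etc/rc.d/ipsec",
               b"#!/bin/sh\n/usr/local/libexec/ipsec/charon\n")
        # Ship the snapshot off-box: root on the appliance can rewrite a local copy.
        snapshot = json.dumps(build_manifest(root))

        # Simulated intrusion: new ELF in the ipsec dir, startup script edited
        # to launch it (the article's cron/startup persistence pattern).
        _write(root, "usr/local/libexec/ipsec/blacklist", b"\x7fELF not charon")
        _write(root, "usr/local/etc/rc.d/ipsec",
               b"#!/bin/sh\n/usr/local/libexec/ipsec/charon\n"
               b"/usr/local/libexec/ipsec/blacklist &\n")
        return compare(json.loads(snapshot), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports one added file (the `blacklist` binary) and one modified file (the rc.d script that now starts it); a hash check limited to a list of known binaries would have reported nothing, because `charon` and `sshd` are untouched. In practice take the baseline from a freshly imaged appliance, store it where the appliance has no write access, and run the comparison from that trusted host over a read-only copy of the filesystem.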

6. Strengthen MSP Security

  • Verify supply chain security posture
  • Monitor third-party access
  • Require strong authentication policies

Industry Context

VerdantBamboo’s campaign reflects a broader shift in nation-state cyber operations:

  • Moving beyond endpoints to target network infrastructure
  • Leveraging living-off-the-network techniques
  • Exploiting trust relationships in managed service ecosystems

Similar trends have been observed in:

  • Firewall-targeting malware campaigns
  • Supply chain attacks leveraging MSP access
  • Cloud infrastructure abuse for stealth communications

The increasing use of Golang malware and modular RATs also highlights a shift toward portable, cross-platform attack capabilities.

Conclusion

The VerdantBamboo campaign underscores a critical reality in modern cybersecurity: attackers are no longer targeting only endpoints; they are embedding themselves in the very infrastructure that organizations rely on for security.

With advanced malware like BRICKSTORM and multi-layered persistence techniques, detection becomes significantly more challenging.

To defend against such threats, organizations must expand visibility beyond traditional systems and treat every edge device as a potential entry point.

FAQ

1. Who is VerdantBamboo?

VerdantBamboo is a Chinese state-linked APT group also tracked as WARP PANDA and UNC5221, known for stealthy long-term intrusions.

2. What is BRICKSTORM malware?

It is a modular Golang-based remote access trojan used to control compromised Linux and FreeBSD systems.

3. Which systems were targeted?

Firewalls (pfSense), storage appliances (Egnyte), NAS devices (Synology), and MSP infrastructure were targeted.

4. How long did the attackers remain undetected?

They maintained access to victim environments for approximately 18 months.

5. How can organizations defend against such attacks?

By securing edge devices, enforcing MFA, patching vulnerabilities, monitoring traffic, and auditing privileged access.
