Securing vSphere Against BRICKSTORM: Key Questions and Answers for Defenders
This guide addresses critical questions about the BRICKSTORM malware campaign targeting VMware vSphere environments. Based on research from Google Threat Intelligence Group (GTIG), these attacks abuse weak security design in virtualized control planes, particularly the vCenter Server Appliance (VCSA) and ESXi hypervisors. Rather than relying on a software vulnerability, the BRICKSTORM operators exploit visibility gaps and poor identity architecture to establish persistent access at the virtualization layer. Below, we explore the most pressing defender concerns and provide actionable hardening strategies, including automated controls via Mandiant's vCenter Hardening Script.
What is BRICKSTORM malware and how does it target vSphere?
BRICKSTORM is a malware family, and the intrusion campaign built around it, tracked by Google Threat Intelligence Group (GTIG). It targets the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hosts. The campaign does not depend on a product vulnerability; instead, the operators abuse weak security design, such as default credentials, missing host-based configurations, and insufficient monitoring, to gain administrative control. By operating at the virtualization layer, they sit beneath guest OS defenses (e.g., EDR agents) and establish long-term persistence. The attack chain involves compromising the vCenter control plane, then moving laterally to the ESXi hosts it manages, which gives the operators complete control over the virtual machines those hosts run, Tier-0 workloads like domain controllers included.

Why is the vCenter Server Appliance a prime target for attackers?
The VCSA is the central trust anchor for any vSphere infrastructure. It manages all ESXi hosts and VMs, and those VMs often include Tier-0 assets such as domain controllers and privileged access management systems. A compromise at this level renders traditional security tiering irrelevant: an attacker with vCenter administrator rights can open the console of, snapshot, clone, or mount the virtual disk of any managed VM without ever authenticating to its guest OS. The VCSA runs on a specialized Photon Linux OS, and its out-of-the-box defaults are rarely sufficient for high-security environments. Without intentional hardening at both the vSphere and OS layers, it becomes a single point of failure. The BRICKSTORM operators target this visibility gap precisely because standard endpoint protections do not cover the control plane.
How do attackers achieve persistence at the virtualization layer?
BRICKSTORM operators establish persistence by exploiting weak identity design and a lack of host-based enforcement. They may deploy malicious services or scripts on the VCSA Photon OS, modify vCenter databases, or tamper with ESXi host startup configuration. Because these actions occur below the guest OS, EDR software installed on VMs cannot observe them. Attackers also leverage default or stolen administrative accounts (e.g., vpxuser, the account vCenter itself creates on every ESXi host it manages) to retain access even after guest OSes are rebuilt. vCenter's event log and the appliance's syslog do record many control-plane changes, but they are rarely forwarded or reviewed, which masks the activity. Effective defense requires monitoring at the Photon OS level (e.g., file integrity checks on service definitions and startup paths, SELinux policies) and rotating every credential, including the SSO administrator and all service accounts, after an incident.
What are the essential hardening strategies against BRICKSTORM?
A robust defense requires multiple layers:
- Harden the VCSA Photon OS: Disable unnecessary services, apply CIS benchmarks, and enforce strict SSH access controls (key-based auth, no password login for root), or leave the SSH service disabled in the VAMI and enable it only for a maintenance window.
- Implement identity controls: Federate vCenter Single Sign-On with an identity provider (ADFS, Okta, Entra ID) that enforces multi-factor authentication, regularly rotate service account passwords, and restrict administrative privileges using least-privilege roles.
- Enable comprehensive logging: Forward vCenter events and ESXi audit records to a SIEM, and ship the Photon OS syslog (sshd, cron, and systemd events) from the appliance as well.
- Deploy Mandiant's vCenter Hardening Script: This automated tool enforces security configurations directly at the Linux layer, closing common visibility gaps.
- Segment management networks: Isolate vSphere management traffic (vCenter and the ESXi management vmkernel interfaces) from production networks and allow access only from privileged access workstations through strict firewall rules.
These measures transform the virtualization layer from a blind spot into a hardened detection surface.
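As an added example (illustrative code, not the page's own and not Mandiant's vCenter Hardening Script), the bash functions below implement the SSH part of the first bullet: they audit an sshd_config for the settings a hardened appliance needs and emit a corrected copy. The sample configuration is constructed for the demo; on a VCSA the live file is /etc/ssh/sshd_config. Match blocks are not handled, which is an assumption that holds for a stock appliance config.

```bash
#!/usr/bin/env bash
# Added example: audit and harden sshd_config settings on a VCSA-style Photon OS host.
# Illustrative code, not Mandiant's vCenter Hardening Script. The sample config
# below is constructed; on a real appliance read /etc/ssh/sshd_config, write the
# hardened copy back, and validate it with `sshd -t` before restarting sshd.

# Constructed sample: a permissive sshd_config.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes'

# Settings to enforce, as key=value (keys compared case-insensitively like sshd does).
REQUIRED='PermitRootLogin=no
PasswordAuthentication=no
PubkeyAuthentication=yes
X11Forwarding=no
AllowTcpForwarding=no'

# audit_sshd_config CONFIG_TEXT: print one line per weak or missing setting,
# return 1 if anything was found, 0 if the config already meets REQUIRED.
# sshd uses the first value it reads for a keyword, so the first match wins here too.
audit_sshd_config() {
  local cfg="$1" rc=0 key want have
  while IFS='=' read -r key want; do
    have=$(printf '%s\n' "$cfg" | awk -v k="$key" \
      'tolower($1)==tolower(k) && !seen {v=$2; seen=1} END{print v}')
    if [ -z "$have" ]; then
      printf 'MISSING %s (want %s)\n' "$key" "$want"; rc=1
    elif [ "$have" != "$want" ]; then
      printf 'WEAK %s=%s (want %s)\n' "$key" "$have" "$want"; rc=1
    fi
  done <<EOF
$REQUIRED
EOF
  return $rc
}

# harden_sshd_config CONFIG_TEXT: rewrite every REQUIRED key in place (keeping
# unrelated lines such as Port), append the ones that were missing, print the result.
harden_sshd_config() {
  local cfg="$1" key want
  while IFS='=' read -r key want; do
    if printf '%s\n' "$cfg" | grep -qi "^$key[[:space:]]"; then
      cfg=$(printf '%s\n' "$cfg" | awk -v k="$key" -v v="$want" \
        'tolower($1)==tolower(k){$0=k" "v}1')
    else
      cfg=$(printf '%s\n%s %s' "$cfg" "$key" "$want")
    fi
  done <<EOF
$REQUIRED
EOF
  printf '%s\n' "$cfg"
}

# Stand-alone demo: report findings, then confirm the hardened copy passes.
if audit_sshd_config "$WEAK_SSHD_CONFIG"; then
  echo "sshd_config already hardened"
else
  HARDENED=$(harden_sshd_config "$WEAK_SSHD_CONFIG")
  audit_sshd_config "$HARDENED" && echo "hardened config passes audit"
fi
```

One caveat before applying PermitRootLogin no on a VCSA: root is normally the only OS account on the appliance, so the setting locks you out of SSH unless you first create a dedicated administrative OS user with a key. If that is not acceptable, the safer control is the one the bullet also names: keep the SSH service disabled in the VAMI and enable it only for a maintenance window.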

How does Mandiant's vCenter Hardening Script help?
Mandiant released the vCenter Hardening Script to address the specific risks highlighted by BRICKSTORM. The script operates at the Photon Linux OS level of the VCSA, applying configurations that are often missed by default vSphere hardening. It automates tasks such as: disabling unused kernel modules, enforcing file integrity monitoring (via AIDE), configuring SELinux policies, and hardening SSH and PAM settings. By running this script regularly, organizations close the persistent access points that attackers exploit. It complements existing vSphere security measures by focusing on the underlying operating system—a layer where defenders typically have less visibility. The script is available as open-source and can be integrated into CI/CD pipelines for continuous compliance.
How can defenders detect BRICKSTORM activity in their environment?
Detection requires monitoring both vSphere and Photon OS events. Look for signs like:
- Unexpected vCenter service restarts, or new or modified systemd unit files under /etc/systemd/system/ (the VCSA runs systemd, not SysV init.d scripts) and changes to the vmon service definitions that launch the vCenter services
- Unusual account activity (e.g., logins from outside the management network or at non-standard times, especially for the administrator@vsphere.local account)
- Altered ESXi startup configuration: review /bootbank/boot.cfg, the installed VIB list (esxcli software vib list) for unsigned or unexpected packages, and /etc/rc.local.d/local.sh, the local script ESXi runs at boot and preserves across reboots (ESXi does not use GRUB)
- New scheduled jobs on the VCSA: check crontab -l for root, /etc/cron.d/, and systemd timers (systemctl list-timers --all)
- Changes to the vCenter database (vPostgres) that do not correspond to operations recorded in /var/log/vmware/vpxd/vpxd.log or the vCenter event list
Enable logging for all vCenter operations (API calls, CLI actions) and forward them to a SIEM. Baseline normal behavior for VCSA processes like vpxd and vmware-vmon. Mandiant’s script also includes a reporting module for compliance checks.
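The file-integrity check mentioned under persistence above and the first two items of the detection list, as one added bash example (illustrative code, not Mandiant's script and not from the original page). The first half baselines a directory of service definitions and reports anything modified, removed, or added; the second half flags successful administrator@vsphere.local logins from outside the management subnet or outside working hours. The unit-file contents, the /var/tmp/updater path, and the log lines are all constructed for the demo; the log lines use a simplified key=value form, not the real vCenter SSO audit format, so a production version needs its own parser for /var/log/vmware/.

```bash
#!/usr/bin/env bash
# Added example: two detection checks for a VCSA, written to run from cron.
# Illustrative code, not Mandiant's vCenter Hardening Script. Sample files,
# paths and log lines below are constructed for the example.

# --- 1. Integrity baseline for persistence locations --------------------------
# On a real appliance DIR would be /etc/systemd/system or the vmon service
# definition directory; keep MANIFEST off the appliance or on read-only media.

# baseline_dir DIR MANIFEST: record the sha256 of every file under DIR.
baseline_dir() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# check_dir DIR MANIFEST: print MODIFIED/REMOVED/ADDED lines; return 1 if any.
# (File names are assumed to contain no whitespace, as unit files do not.)
check_dir() {
  local dir="$1" manifest="$2" rc=0 sum path
  while read -r sum path; do                       # entries the baseline knows
    if [ ! -f "$dir/$path" ]; then
      printf 'REMOVED %s\n' "$path"; rc=1
    elif [ "$(cd "$dir" && sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
      printf 'MODIFIED %s\n' "$path"; rc=1
    fi
  done < "$manifest"
  for path in $(cd "$dir" && find . -type f | sort); do   # entries it does not
    awk -v p="$path" '$2==p{f=1} END{exit !f}' "$manifest" \
      || { printf 'ADDED %s\n' "$path"; rc=1; }
  done
  return $rc
}

# demo_integrity: build a throwaway unit directory, baseline it, then simulate
# an implant editing one unit and dropping another. All contents are made up.
demo_integrity() {
  local work rc
  work=$(mktemp -d)
  mkdir "$work/units"
  printf '[Service]\nExecStart=/usr/lib/vmware-vmon/vmon\n' > "$work/units/vmware-vmon.service"
  printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$work/units/sshd.service"
  baseline_dir "$work/units" "$work/baseline.sha256"
  printf '[Service]\nExecStart=/var/tmp/updater\n' > "$work/units/vmware-vmon.service"
  printf '[Service]\nExecStart=/var/tmp/updater\n' > "$work/units/updater.service"
  if check_dir "$work/units" "$work/baseline.sha256"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# --- 2. Privileged-login review -----------------------------------------------
# Constructed events in a simplified form (NOT the real SSO audit log format).
SAMPLE_EVENTS='2025-12-01T09:12:03Z user=administrator@vsphere.local src=10.10.5.21 result=success
2025-12-01T02:41:55Z user=administrator@vsphere.local src=10.10.5.21 result=success
2025-12-01T10:03:17Z user=administrator@vsphere.local src=203.0.113.7 result=success
2025-12-01T11:20:00Z user=ops.jane@corp.example src=10.10.5.30 result=success
2025-12-01T12:00:00Z user=administrator@vsphere.local src=203.0.113.9 result=failure'

# flag_admin_logins ALLOWED_PREFIX EVENTS: print successful administrator@vsphere.local
# logins whose source is outside ALLOWED_PREFIX (the PAW/jump-host subnet) or
# outside 07:00-18:59 UTC. Failed logins are left to the SIEM brute-force rule.
flag_admin_logins() {
  printf '%s\n' "$2" | awk -v allowed="$1" '
    function field(name,   i) {
      for (i = 2; i <= NF; i++)
        if (index($i, name "=") == 1) return substr($i, length(name) + 2)
      return ""
    }
    field("user") == "administrator@vsphere.local" && field("result") == "success" {
      hour = substr($1, 12, 2) + 0
      src  = field("src")
      if (index(src, allowed) != 1)      print "UNKNOWN_SRC " $0
      else if (hour < 7 || hour > 18)    print "OFF_HOURS " $0
    }'
}

# Stand-alone demo
demo_integrity || echo "integrity: changes detected (see above)"
flag_admin_logins "10.10.5." "$SAMPLE_EVENTS"
```

Run the baseline once from a known-good state and store the manifest where a compromised appliance cannot rewrite it; the check itself is cheap enough to run every few minutes. The login rule is deliberately narrow: it only fires on the built-in SSO administrator, which after the identity controls above should be a break-glass account that is never used from an unexpected address or at 02:41.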
Why is vSphere considered Tier-0 and how does this affect security posture?
vSphere infrastructure, especially the VCSA, is classified as Tier-0 because it hosts or controls access to the most critical IT assets: domain controllers, identity management, and certificate authorities. A compromise at this level cascades downward—attackers can take over all guest VMs, including production databases and application servers. This means vSphere must be hardened to the same level as a root CA or AD forest. Traditional tiering models (Tier-0,1,2) assume isolation, but vCenter’s administrative scope blurs those boundaries. Therefore, defenders must enforce strict access controls for the virtualization plane, treat VCSA credentials as highly sensitive, and implement separate admin workstations (PAWs) for vSphere management. The BRICKSTORM campaign demonstrates that attackers target this tier precisely because it offers the greatest leverage with the least oversight.