Cybersecurity agencies are warning organizations about BRICKSTORM, a stealthy malware designed to evade detection and maintain persistent access to systems. For small and mid-sized businesses, understanding how this threat works is essential to protecting virtual environments and IT supply chains.
What is BRICKSTORM malware?
BRICKSTORM is a sophisticated backdoor malware used by state-sponsored threat actors. It’s designed for stealth and persistence, often hiding in normal network traffic using encrypted protocols like DNS-over-HTTPS and HTTPS. Once inside, it can reinstall itself if removed and maintain long-term access.
Who is behind BRICKSTORM and what are they targeting?
The malware has been linked to actors associated with the People’s Republic of China. Their primary targets include critical infrastructure and organizations using VMware vSphere environments (vCenter and ESXi) and Windows servers. However, any business running virtualized systems or relying on managed service providers (MSPs) could be at risk.
Why should small and medium businesses (SMBs) care?
Even if you’re not a government agency, BRICKSTORM poses a real threat because:
- Many SMBs use VMware or Windows environments.
- Attackers often infiltrate through service providers or outsourced IT partners.
- The malware can steal credentials, cryptographic keys, and VM snapshots—giving attackers deep access to your systems.
Common Myths About BRICKSTORM Malware (and the Truth Behind Them)
Myth 1: BRICKSTORM only targets governments and critical infrastructure.
Truth: While BRICKSTORM has been linked to state-sponsored actors targeting critical infrastructure, small and mid-sized businesses are also at risk—especially those using VMware, Windows servers, or managed service providers.
Myth 2: If nothing looks wrong, our systems are probably clean.
Truth: BRICKSTORM is designed for stealth and persistence. It hides in encrypted traffic like DNS-over-HTTPS and HTTPS, allowing it to remain undetected for months or even years while maintaining access to systems.
Myth 3: Standard antivirus tools will catch threats like BRICKSTORM.
Truth: BRICKSTORM blends into legitimate network traffic and can reinstall itself if removed. Without advanced monitoring, segmentation, and threat detection, traditional tools may never spot it.
How does BRICKSTORM spread and stay hidden?
BRICKSTORM uses encrypted channels and legitimate-looking traffic to avoid detection. It can pivot inside networks, compromise Active Directory, and persist for months or even years without being noticed.
What steps should SMBs take to protect themselves?
- Scan for Indicators of Compromise (IOCs): Use the YARA and Sigma rules provided by CISA and NSA.
- Patch and update VMware and Windows systems: Especially vCenter and ESXi servers.
- Segment your network: Isolate DMZ elements and critical systems.
- Monitor for unusual DNS-over-HTTPS traffic: This can hide malicious activity.
- Review access logs and credentials: Look for signs of lateral movement.
- Apply CISA’s Cybersecurity Performance Goals: Strengthen your security posture.
- Have an incident response plan: Report any suspicious activity to CISA or your MSP immediately.
Without a managed process, ignoring updates becomes the norm.
BRICKSTORM is not just a government problem—it’s a business problem.
How can an MSP help?
MSPs can:
- Perform proactive vulnerability scans.
- Implement network segmentation and monitoring.
- Deploy advanced threat detection tools.
- Provide 24/7 incident response and remediation.
- Monitoring for failed updates
Bottom Line: BRICKSTORM is not just a government problem—it’s a business problem. SMBs need to act now to secure their environments and supply chains.
Concerned About Stealthy Malware Like BRICKSTORM? Let’s Get Started
In-Touch IT helps small and mid-sized businesses reduce exposure to stealthy threats like BRICKSTORM by strengthening VMware and Windows security, monitoring for suspicious encrypted traffic, and improving segmentation to limit lateral movement. Our proactive approach supports faster detection, better containment, and a clearer incident response path—so hidden access doesn’t turn into long-term business risk.
Call us at (877) 346-8682 or fill out the contact form online to review your environment, assess your risk, and strengthen your cybersecurity posture.
Call us at (877) 346-8682 or fill out the contact form online to review your environment, assess your risk, and strengthen your cybersecurity posture.
