Have you ever thought about how hackers can stay hidden in a system for months without detection? That's what UNC5221 is doing right now. They are a stealthy hacking group targeting certain U.S. legal, technology, SaaS, and business companies, where they are using malware called BRICKSTORM.
β’ Can execute commands on a host machine
β’ It can organize files
β’ Can be a network tunnel to move around internally
β’ Can run on Linux and BSD servers
It can even communicate with its command-and-control server via WebSockets to help it go undetected by regular security tools.
β’ Steal passwords with BRICKSTEAL
β’ Copy virtual servers for critical-related information
β’ Remain undetected with in-memory changes that do not require a server reboot to be enacted
Some versions of BRICKSTORM will wait months before contacting the hackers, making detection even harder.
What is BRICKSTORM?
BRICKSTORM differs from regular malware in that it:β’ Can execute commands on a host machine
β’ It can organize files
β’ Can be a network tunnel to move around internally
β’ Can run on Linux and BSD servers
It can even communicate with its command-and-control server via WebSockets to help it go undetected by regular security tools.
How UNC5221 Gets In
UNC5221 typically compromises Ivanti Connect Secure systems that they can identify aka drift detect weaknesses, to penetrate networks. Once inside, they are capable of:β’ Steal passwords with BRICKSTEAL
β’ Copy virtual servers for critical-related information
β’ Remain undetected with in-memory changes that do not require a server reboot to be enacted
Some versions of BRICKSTORM will wait months before contacting the hackers, making detection even harder.