
BRICKSTORM Malware Targets VMware vSphere: Urgent Hardening Required, Experts Warn

Last updated: 2026-05-11 18:33:07 · Cybersecurity

Breaking: BRICKSTORM Malware Exploiting vSphere Weaknesses — No Patch Available

Threat actors are actively targeting VMware vSphere ecosystems using a new attack campaign dubbed BRICKSTORM, according to research from Google Threat Intelligence Group (GTIG). The malware establishes persistence at the virtualization layer, bypassing traditional endpoint security tools such as EDR agents.

[Image: BRICKSTORM Malware Targets VMware vSphere. Source: www.mandiant.com]

“Attackers are not exploiting a software vulnerability; they are capitalizing on weak security architecture and a lack of visibility in the virtualization control plane,” said Stuart Carrera, a Mandiant security expert. “Organizations must treat vCenter Server Appliance and ESXi as Tier-0 assets and harden them accordingly.”

Background: How BRICKSTORM Works

BRICKSTORM specifically targets the vCenter Server Appliance (VCSA) and ESXi hypervisors, gaining administrative control over the entire vSphere environment. Once inside, attackers operate beneath the guest operating system, where standard security monitoring is ineffective.

The campaign relies on exploiting weak identity design, lack of host-based configuration enforcement, and limited visibility within the virtualization layer. No product vulnerability is involved — instead, attackers take advantage of default configurations and unmonitored access points.

Immediate Risk to Critical Infrastructure

The VCSA often hosts Tier-0 workloads such as domain controllers and privileged access management solutions. A compromise grants attackers full control over every managed ESXi host and virtual machine, rendering traditional security tiering useless.


“Because the VCSA is a purpose-built appliance, out-of-the-box defaults are insufficient,” Carrera added. “Achieving a Tier-0 security standard requires intentional custom configurations at both the vSphere and Photon Linux layers.”

What This Means for Defenders

Organizations must immediately implement hardening strategies to secure the virtualization control plane. Mandiant has released a vCenter Hardening Script that enforces security configurations directly at the Photon Linux layer, helping automate many of the recommended mitigations.

Key actions include: enabling strict access controls, monitoring for unusual administrative behavior, and configuring the VCSA as a Tier-0 asset with dedicated security monitoring. “By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats,” Carrera said.
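One of the actions above, monitoring for unusual administrative behavior on ESXi hosts, is easier to reason about with a concrete detection. The following is an added example written for this page; it is not Mandiant's hardening script and not code from the article. It parses host audit events and flags the ones that weaken the management plane (SSH or Shell enabled, lockdown mode disabled) and repeated failed logins. Assumptions: the sample lines are constructed in a vobd.log-like shape rather than real captures, the `esx.audit.*` identifiers follow ESXi's VOB naming but should be verified against your own hosts' logs, and the 08:00 to 18:00 UTC change window is an invented policy that you would replace with your own.

```python
"""Flag management-plane weakening events in ESXi-style audit logs (added example)."""
import re
from datetime import datetime, time

# Events that weaken the host management plane. The esx.audit.* names follow
# ESXi's VOB naming; treat the exact set as an assumption and verify it against
# the vobd.log output of your own hosts.
WEAKENING_EVENTS = {
    "esx.audit.ssh.enabled": "SSH service turned on",
    "esx.audit.shell.enabled": "ESXi Shell turned on",
    "esx.audit.lockdownmode.disabled": "lockdown mode disabled",
    "esx.audit.dcui.enabled": "DCUI enabled",
}
# Indicators of password guessing against local host accounts.
BRUTE_FORCE_EVENTS = {
    "esx.audit.account.loginfailures": "repeated failed logins locked a local account",
}

# Assumed change-window policy: interactive host changes are expected only
# between 08:00 and 18:00 UTC; the same event outside the window is escalated.
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)

# Constructed log shape used by this example: "<ISO ts>Z: [<correlator>] <seq>: [<event.id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z: "
    r"\[(?P<src>[^\]]+)\] (?P<seq>\d+): \[(?P<event>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample lines, not real captures.
SAMPLE_LOG = """\
2026-05-10T02:14:07Z: [GenericCorrelator] 1205: [esx.audit.ssh.enabled] SSH access has been enabled.
2026-05-10T02:14:22Z: [GenericCorrelator] 1206: [esx.audit.lockdownmode.disabled] Administrator access to the local host has been enabled.
2026-05-10T02:15:40Z: [UserLevelCorrelator] 1207: [esx.audit.account.loginfailures] Remote access for local user account 'root' has been locked after failed login attempts.
this line is deliberately malformed and must be skipped
2026-05-10T09:30:01Z: [GenericCorrelator] 1210: [esx.audit.ssh.disabled] SSH access has been disabled.
2026-05-10T11:02:13Z: [GenericCorrelator] 1211: [esx.audit.shell.enabled] ESXi Shell has been enabled.
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input never aborts the scan."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def in_change_window(ts):
    """True when the timestamp falls inside the assumed maintenance window."""
    return WINDOW_START <= ts.time() < WINDOW_END


def analyze(log_text):
    """Walk the log and emit one finding per weakening or brute-force event."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = rec["event"]
        if ev in WEAKENING_EVENTS:
            # The same change is far more suspicious outside the agreed window.
            severity = "medium" if in_change_window(rec["ts"]) else "high"
            reason = WEAKENING_EVENTS[ev]
            if severity == "high":
                reason += " outside the change window"
            findings.append({"ts": rec["ts"].isoformat(), "event": ev,
                             "severity": severity, "reason": reason})
        elif ev in BRUTE_FORCE_EVENTS:
            findings.append({"ts": rec["ts"].isoformat(), "event": ev,
                             "severity": "medium", "reason": BRUTE_FORCE_EVENTS[ev]})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['severity']:<6} {f['event']}: {f['reason']}")
    print("summary:", summarize(results))
```

Feeding the rules forwarded host logs into a SIEM is the practical deployment; the value of the window check is that a legitimate SSH enablement during a patch cycle stays a medium-priority audit entry, while the same event at 02:14 becomes a page-worthy alert.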

The BRICKSTORM campaign underscores a critical shift in threat actor tactics. Defenders must now extend their security focus beyond guest operating systems to include the hypervisor and management appliances. Traditional endpoint protection is no longer sufficient when attackers operate below the OS.