Rubrik's immutable backups can provide malware threat intelligence - Blocks and Files

By Chris Mellor

Long-lived and near-silent malware lurking in systems for months can be detected by looking for signs of their presence in a historical stream of immutable backups.

Rubrik found evidence of long-lived Chinese nation-state level malware code in its immutable backups using updated threat intelligence

The company was alerted by Google Threat Intelligence (with Mandiant) to the details of BRICKSTORM, a stealth backdoor used by the UNC5221 China-nexus threat cluster. The Rubrik Zero Labs organization then tested Rubrik's backup system against UNC5221.

It noted that traditional EDR (Endpoint Detection and Response) systems often do not or cannot run on hardened appliances like VMware vCenter Server Appliances (VCSA), firewalls, VPNs, and other Linux/BSD-based network devices. A Zero Labs team blog says: "Sophisticated threat actors are deploying silent, elusive malware that bypasses EDR tools and hides dormant in backups or embedded deep within critical infrastructure."

UNC5221's BRICKSTORM backdoor evades such EDR systems by, for example, changing its filename to match a legitimate VCSA process (e.g., vami-httpd) and running from a trusted directory, allowing it to execute undetected where EDR is set to trust system binaries implicitly. It uses SOCKS proxying and generates minimal network noise, so its activity blends structurally with normal VCSA traffic.

Once inside a system, BRICKSTORM can linger undetected for months, even longer than a year.

Rubrik's cyber-resilience software carries out daily scans of "over 2.3 million snapshots, looking for active and dormant threats -- not only within active environments, but also within immutable backup data." Its secured backups are immutable and the backup data repository is a reliable, historical record of the system state.

The scans are updated with new malware information and, Rubrik says, they can "confirm a compromise within EDR-blind appliances, isolate the malicious code, and establish the definitive breach timeline."

We're told that: "when BRICKSTORM indicators (like specific file hashes, YARA signatures, or suspicious file paths on a vCenter server) were found in a customer's backups, customer data analysis allowed for:

Rubrik says a 3-stage approach is needed:

It states: "This integration of active threat intelligence with immutable data defense represents a required evolution in cyber resiliency architecture."

Security professionals should use immutable backup scans to detect this kind of persistent, EDR-evading malware threat and then help customers recover from it and clean their systems.
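As an added illustration of the approach described above (not Rubrik's code), the following walks a chronological series of immutable snapshots with hash and path indicators, flags a binary that borrows the vami-httpd name outside its expected directory, and returns the last clean and first compromised snapshot dates. The hashes, paths and indicator list are constructed placeholders, not real IoCs.

```python
# Scan a chronological series of immutable backup snapshots for indicators
# and derive the last clean / first compromised snapshot. Added example, not
# Rubrik's code: snapshot contents, hashes and indicators are constructed.
import hashlib

def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed known-good hash of the legitimate binary and constructed
# indicators standing in for an updated threat-intelligence feed.
GOOD_VAMI = sha256_of(b"legitimate vami-httpd build (constructed)")
BAD_HASH = sha256_of(b"constructed backdoor sample A")
INDICATORS = {
    "hashes": {BAD_HASH},
    # trusted process names that must only live at their expected path
    "masquerade": {"vami-httpd": "/opt/vmware/sbin/vami-httpd"},
}

def scan_snapshot(files: dict, ioc: dict = INDICATORS) -> list:
    """files maps path -> SHA-256 for one snapshot; returns (path, reason) hits."""
    hits = []
    for path, digest in files.items():
        name = path.rsplit("/", 1)[-1]
        if digest in ioc["hashes"]:
            hits.append((path, "known-bad hash"))
        elif name in ioc["masquerade"] and path != ioc["masquerade"][name]:
            # same filename as a trusted process, but in an unexpected directory
            hits.append((path, "masquerading as trusted binary"))
    return hits

def breach_timeline(snapshots: list) -> dict:
    """snapshots is a list of (date, files); walk oldest to newest and report
    the last clean date and the first snapshot with hits (the intrusion window)."""
    last_clean, first_hit = None, None
    for date, files in sorted(snapshots, key=lambda s: s[0]):
        hits = scan_snapshot(files)
        if hits:
            first_hit = (date, hits)
            break
        last_clean = date
    return {"last_clean": last_clean, "first_hit": first_hit}

# Constructed daily snapshots of a vCenter appliance filesystem.
SNAPSHOTS = [
    ("2025-01-01", {"/opt/vmware/sbin/vami-httpd": GOOD_VAMI}),
    ("2025-01-02", {"/opt/vmware/sbin/vami-httpd": GOOD_VAMI}),
    ("2025-01-03", {"/opt/vmware/sbin/vami-httpd": GOOD_VAMI,
                    "/usr/lib/vami-httpd": BAD_HASH}),
    ("2025-01-04", {"/opt/vmware/sbin/vami-httpd": GOOD_VAMI,
                    "/usr/lib/vami-httpd": BAD_HASH,
                    "/tmp/vami-httpd": sha256_of(b"unknown content")}),
]
```

Because the snapshots are immutable, the first snapshot with a hit bounds how far back the intrusion reaches, which is the "definitive breach timeline" the article refers to.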

There's an informative blog about UNC5221 here.

Bloomberg has just reported that US cyber-security provider F5 was breached by state-backed hackers from China who used BRICKSTORM malware to infiltrate its network for 12+ months and steal source code.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. A SOCKS proxy is an SSH tunnel down which specific applications forward their traffic to the server, and then on the server end, the proxy forwards the traffic out to the general Internet.
