Google Discovers China-Linked UNC5221's Long-Term Malware Operation
Google has uncovered a long-running malware operation by the China-linked UNC5221 group. The operation targeted key personnel at SaaS and outsourcing companies, aiming to steal intellectual property and gain unauthorised access to their infrastructure.
The group exploited zero-day vulnerabilities to gain initial access. They collected the emails of key individuals using Microsoft Entra ID Enterprise Applications with or scopes. Once inside, they deployed a Go-based backdoor called BRICKSTORM, which functions as a SOCKS proxy and web server, giving the operators stealthy access to systems and the ability to execute commands.
BRICKSTORM malware primarily targets Linux and BSD-based appliances. Once deployed, it pivots to VMware systems, a favoured target of the UNC5221 group. The malware remained undetected in victims' systems for an average of 393 days.
Google's discovery highlights the need for robust cybersecurity measures. Adopting a TTP-based hunting approach can help detect such attacks, while stronger authentication protocols, such as multi-factor authentication, can prevent similar breaches in the future.
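One concrete form the TTP-based hunt mentioned above can take is a review of Entra ID audit events for permission grants that let an enterprise application read mailboxes, since that is the step the article attributes to the email collection. The following is an added example written for this page, not code from Google's report or from the article. It assumes a simplified JSON-lines export of directoryAudit records (the activity names "Add app role assignment to service principal" and "Consent to application" are real Entra audit activities, but the property layout here is reduced to comma-separated permission lists), the permission names `Mail.Read`, `Mail.ReadWrite` and `full_access_as_app` are assumed stand-ins for the scopes the article does not name, and the approved-application allowlist and all log entries are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Application permissions that let a service principal read mailboxes without a
# signed-in user. These are real Microsoft Graph / Exchange Online permission
# names, but they are assumed here as stand-ins for the scopes the article omits.
MAILBOX_READ_PERMISSIONS: Set[str] = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Audit activities that grant permissions to an enterprise application.
GRANT_ACTIVITIES = {"Add app role assignment to service principal", "Consent to application"}

# Enterprise applications the tenant has reviewed and expects to hold mailbox
# permissions (hypothetical allowlist for this example).
APPROVED_MAIL_APPS = {"Corporate Mail Archiver"}


@dataclass
class Finding:
    when: str
    app: str
    actor: str
    permissions: Set[str]


def granted_permissions(event: dict) -> Set[str]:
    """Collect permission names from the modified properties of a grant event.

    Real directoryAudit records carry these inside JSON-encoded newValue strings;
    the constructed sample below simplifies them to a comma-separated list.
    """
    perms: Set[str] = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") in ("AppRole.Value", "ConsentAction.Permissions"):
                raw = prop.get("newValue", "").strip('"')
                perms.update(p.strip() for p in raw.split(",") if p.strip())
    return perms


def hunt_mailbox_grants(lines: Iterable[str]) -> List[Finding]:
    """Flag grants of mailbox-reading permissions to service principals that are
    not on the reviewed allowlist. Returns one Finding per suspicious grant."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("activityDisplayName") not in GRANT_ACTIVITIES:
            continue
        hit = granted_permissions(event) & MAILBOX_READ_PERMISSIONS
        if not hit:
            continue
        targets = event.get("targetResources", [])
        app = next(
            (t.get("displayName", "<unknown>") for t in targets if t.get("type") == "ServicePrincipal"),
            "<unknown>",
        )
        if app in APPROVED_MAIL_APPS:
            continue
        findings.append(
            Finding(
                when=event.get("activityDateTime", ""),
                app=app,
                actor=event.get("initiatedBy", "<unknown>"),
                permissions=hit,
            )
        )
    return findings


# Constructed sample export: four events, only the third of which should fire.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2024-03-02T09:11:04Z", "activityDisplayName": "Add app role assignment to service principal", "initiatedBy": "admin@example.test", "targetResources": [{"displayName": "Corporate Mail Archiver", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "Mail.Read"}]}]}
{"activityDateTime": "2024-03-05T14:20:31Z", "activityDisplayName": "Consent to application", "initiatedBy": "jdoe@example.test", "targetResources": [{"displayName": "Doc Sync Helper", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "ConsentAction.Permissions", "newValue": "User.Read, offline_access"}]}]}
{"activityDateTime": "2024-03-09T02:47:55Z", "activityDisplayName": "Add app role assignment to service principal", "initiatedBy": "admin@example.test", "targetResources": [{"displayName": "Mailbox Helper 2", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "full_access_as_app"}]}]}
{"activityDateTime": "2024-03-10T11:00:00Z", "activityDisplayName": "Add user", "initiatedBy": "admin@example.test", "targetResources": [{"displayName": "new.hire@example.test", "type": "User", "modifiedProperties": []}]}
"""


if __name__ == "__main__":
    for f in hunt_mailbox_grants(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f.when} {f.actor} granted {sorted(f.permissions)} to '{f.app}'")
```

The allowlist is what keeps this a hunt rather than an alert storm: every mailbox-read grant to an unreviewed application is worth a human look, and an off-hours grant of `full_access_as_app` to an application nobody recognises is exactly the kind of low-noise lead this approach is meant to surface.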