Darhost

2026-05-11 01:40:12

BRICKSTORM Malware Targets VMware vSphere: Attackers Exploit Virtualization Layer Visibility Gap

BRICKSTORM malware exploits VMware vSphere virtualization layer to bypass traditional security; experts urge immediate hardening of vCenter and ESXi.

Overview

A new threat campaign dubbed BRICKSTORM is directly targeting VMware vSphere environments, focusing on vCenter Server Appliances (VCSA) and ESXi hypervisors. According to research from Google Threat Intelligence Group (GTIG) and Mandiant, attackers are exploiting weak security architecture and identity design to achieve persistence at the virtualization layer — below the guest operating system where traditional security tools are blind.

[Image: BRICKSTORM Malware Targets VMware vSphere: Attackers Exploit Virtualization Layer Visibility Gap. Source: www.mandiant.com]

“This is not about software vulnerabilities; it’s about attackers leveraging default configurations and limited visibility in the control plane,” said Stuart Carrera, a senior security researcher at Mandiant. “Once they own vCenter, they own every virtual machine.”

Background: How BRICKSTORM Works

The attack chain begins with compromised credentials or weak vSphere permissions, allowing threat actors to gain a foothold. They then move laterally to the VCSA, which runs on a specialized Photon Linux OS and often hosts Tier-0 workloads like domain controllers or privileged access management (PAM) solutions.

By establishing persistence at the virtualization layer, BRICKSTORM operates undetected by endpoint detection and response (EDR) agents that cannot monitor the ESXi or vCenter control plane. “This creates a significant visibility gap that attackers are eager to exploit,” Carrera added. The intrusion does not rely on unpatched vulnerabilities but on the lack of host-based configuration enforcement and monitoring within the virtualization stack.

Official Response and Hardening Guidance

Mandiant has released a vCenter Hardening Script that enforces security configurations directly at the Photon Linux layer. The script automates many of the recommendations detailed in a new defensive guide, which outlines how to treat vSphere infrastructure as Tier-0 assets requiring custom security baselines beyond default settings.


“Out-of-the-box vCenter defaults are insufficient for production environments that face persistent threats like BRICKSTORM,” the guide states. Organizations must implement intentional hardening at both the vSphere and underlying OS layers to achieve a Tier-0 security standard.

What This Means for Organizations

The compromise of vCenter grants an attacker full administrative control over every managed ESXi host and virtual machine, rendering traditional network tiering irrelevant. Experts warn that without proper hardening, any virtualization environment becomes a prime target for sophisticated threat actors.

“You need to secure the control plane as if it were your most sensitive server—because it is,” Carrera emphasized. Organizations should prioritize the following actions:

  • Use the Mandiant vCenter Hardening Script to close configuration gaps.
  • Implement multi-factor authentication and strict access controls for vSphere administration.
  • Enable logging and monitor the Photon Linux OS underlying VCSA.
  • Treat the virtualization layer as a separate, tightly monitored trust boundary.
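The third item above, monitoring the Photon Linux OS underneath VCSA, is the one most often skipped because no EDR agent covers it. The following is an added example of what a minimal detection over the appliance's sshd journal looks like; it is not Mandiant's hardening script and not part of the article or of vCenter's own tooling. The log lines are constructed samples in standard OpenSSH syslog format, and the jump-host allowlist and the failure-burst threshold are assumptions a defender would replace with their own values.

```python
"""Flag suspicious SSH activity in the Photon OS journal of a vCenter Server
Appliance. Added example for this article: not Mandiant's hardening script and
not vCenter tooling. Log lines are constructed samples; ALLOWED_SOURCES and
FAILURE_BURST are assumptions to be replaced with site-specific values."""
import re
from collections import defaultdict

# Assumption: appliance administration is only expected from these jump hosts.
ALLOWED_SOURCES = {"10.10.5.10", "10.10.5.11"}
# Assumption: this many consecutive failures before a success looks like guessing.
FAILURE_BURST = 5

# Constructed sample journal lines (sshd on Photon OS logs in OpenSSH syslog format).
SAMPLE_LOG = """\
May 11 01:12:03 vcsa sshd[2101]: Accepted publickey for root from 10.10.5.10 port 52344 ssh2
May 11 01:20:44 vcsa sshd[2210]: Failed password for root from 172.16.8.4 port 40011 ssh2
May 11 01:20:46 vcsa sshd[2210]: Failed password for root from 172.16.8.4 port 40011 ssh2
May 11 01:20:48 vcsa sshd[2210]: Failed password for root from 172.16.8.4 port 40011 ssh2
May 11 01:20:50 vcsa sshd[2210]: Failed password for root from 172.16.8.4 port 40011 ssh2
May 11 01:20:52 vcsa sshd[2210]: Failed password for root from 172.16.8.4 port 40011 ssh2
May 11 01:20:55 vcsa sshd[2210]: Accepted password for root from 172.16.8.4 port 40011 ssh2
May 11 01:31:09 vcsa sshd[2305]: Accepted publickey for svc-backup from 10.10.5.11 port 51002 ssh2
May 11 01:45:12 vcsa sshd[2400]: Accepted password for root from 192.168.77.9 port 61000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text):
    """Yield one dict per sshd authentication event; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_alerts(log_text, allowed=ALLOWED_SOURCES, burst=FAILURE_BURST):
    """Return (rule, user, src, ts) tuples for accepted logins that break a rule.

    Rules: login from a source outside the jump-host allowlist, root logging in
    with a password rather than a key, and a success that follows a burst of
    failures from the same user/source pair.
    """
    alerts = []
    failures = defaultdict(int)  # consecutive failures per (user, src)
    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # Accepted login: evaluate it against each rule, then reset the counter.
        if ev["src"] not in allowed:
            alerts.append(("login_from_unexpected_source", ev["user"], ev["src"], ev["ts"]))
        if ev["user"] == "root" and ev["method"] == "password":
            alerts.append(("root_password_login", ev["user"], ev["src"], ev["ts"]))
        if failures[key] >= burst:
            alerts.append(("success_after_failure_burst", ev["user"], ev["src"], ev["ts"]))
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in find_alerts(SAMPLE_LOG):
        print(f"{ts} {rule}: user={user} src={src}")
```

Run as-is it reports five alerts on the sample data: the password login from 172.16.8.4 trips all three rules, and the one from 192.168.77.9 trips two, while the key-based logins from the allowlisted jump hosts produce nothing. In practice the input would be `journalctl -u sshd` output shipped off the appliance to a SIEM, so that an attacker who owns vCenter cannot also quietly edit the evidence.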

The full defensive guide provides a framework for transforming the virtualization layer into a hardened environment capable of detecting and blocking threats like BRICKSTORM. Immediate adoption of these measures is recommended to close the visibility gap attackers are exploiting.

— Reporting by Security & Response Desk