
Security Advisory: BrickStorm Malware Targeting VMware Servers

CISA, in coordination with the NSA and Canada’s Cyber Security Centre, has identified threat actors deploying BrickStorm malware to compromise VMware vSphere servers, allowing attackers to maintain long-term unauthorized access while remaining undetected.
 
Affected Systems:
  • VMware vSphere servers, including vCenter and ESXi.
  • Windows servers on the same network (including domain controllers and other critical servers).
 
Security Risks
 
On infected systems, BrickStorm may maintain persistent access, exfiltrate credentials and sensitive data, move laterally, and create hidden virtual machines, resulting in a high risk of prolonged network compromise.
 
Recommended Actions
The National Cyber Security Authority (NCSA) recommends the following actions to users and system administrators:
  • Upgrade VMware vSphere servers to the latest version.
  • Harden VMware vSphere environments.
  • Ensure proper network segmentation to restrict traffic from the DMZ to the internal network.
  • Disable RDP and SMB access from the DMZ to the internal network.
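
One way to check the segmentation and RDP/SMB recommendations against exported firewall or flow logs, added here as an example that is not part of the NCSA advisory: it flags allowed DMZ-to-internal connections on RDP (3389) and SMB (445, 139). The subnets, the log format and the function names are assumptions made for this illustration.

```python
import ipaddress

# Assumed address plan (constructed for this example; replace with your own).
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Services the advisory says must not be reachable from the DMZ.
BLOCKED_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB (NetBIOS session)"}

# Constructed flow records: "src_ip dst_ip protocol dst_port action"
SAMPLE_FLOWS = """\
192.0.2.10 10.1.5.20 tcp 3389 ALLOW
192.0.2.10 10.1.5.21 tcp 445 DENY
192.0.2.44 10.2.0.8 tcp 445 ALLOW
192.0.2.44 10.2.0.8 tcp 443 ALLOW
10.1.5.20 10.2.0.8 tcp 445 ALLOW
192.0.2.10 198.51.100.7 tcp 3389 ALLOW
malformed line
"""


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def find_violations(flow_text):
    """Return allowed DMZ-to-internal RDP/SMB flows as a list of dicts."""
    violations = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        src, dst, _proto, port, action = parts  # protocol ignored: TCP and UDP both count
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        if (action.upper() == "ALLOW" and port in BLOCKED_PORTS
                and in_any(src_ip, DMZ_NETS) and in_any(dst_ip, INTERNAL_NETS)):
            violations.append({"line": lineno, "src": src, "dst": dst,
                               "service": BLOCKED_PORTS[port]})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"line {v['line']}: {v['src']} -> {v['dst']} {v['service']} allowed")
```

Any record it reports is a path from the DMZ to the internal network that the recommendations above say should be closed.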
 
For additional details, follow the official guidance from CISA, NSA, and the Cyber Centre on BrickStorm malware, and implement the recommended security measures to reduce the risk of intrusion, persistence, and data compromise.
 
  • Ensure you have the latest backup that can be easily restored before applying any updates or patches.
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call 9009.

05 December 2025
