as seen at tenable.com
CISA has identified a China-backed BRICKSTORM malware campaign targeting the IT and government sectors. Meanwhile, global agencies released a guide for adding AI safely to OT. Plus, proving your online content is legit; fighting cyber fraud; and preventing bank account takeover scams.
Key takeaways
- Amidst a surge in financial account takeover fraud costing victims millions, the World Economic Forum is calling for a systemic defense approach that shifts the security burden from end-users to infrastructure providers and policy makers.
- CISA warns that Chinese state-sponsored actors are deploying the highly evasive BRICKSTORM malware to infiltrate IT and government networks for data theft and potential sabotage.
- International cyber agencies released a joint guide for critical infrastructure operators that outlines principles for securely integrating artificial intelligence into operational technology environments.

1 – Nation-state actors deploy BRICKSTORM to steal info from IT, government orgs
IT organizations and government services outfits, listen up: Attackers acting on behalf of China’s government are targeting your sectors by leveraging the BRICKSTORM malware to infiltrate networks, linger stealthily, harvest data, and possibly inflict further damage.
“BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned this week.
BRICKSTORM is a backdoor built for both VMware vSphere and Windows environments. Its primary purpose is to maintain stealthy, long-term access while facilitating command and control (C2) operations.
“These state-sponsored actors are not just infiltrating networks – they are embedding themselves to enable long-term access, disruption, and potential sabotage,” CISA Acting Director Madhu Gottumukkala said in a statement.
The malware employs layered evasion techniques, including multiple layers of encryption and DNS-over-HTTPS (DoH) to conceal its communications; because DoH carries name resolution inside ordinary HTTPS, lookups for its C2 infrastructure never pass through the organization's own DNS resolvers or appear in their logs. It also includes a SOCKS proxy to aid in lateral movement and tunneling, as well as self-monitoring capabilities that automatically reinstall or restart the malware if it is disrupted.
In observed compromises, initial access vectors vary. In one instance, actors compromised a web server within a demilitarized zone (DMZ), moved laterally to an internal VMware vCenter server, and subsequently deployed BRICKSTORM.
Once established, the attackers use this access to harvest legitimate credentials, often by taking backups of systems or targeting Active Directory databases. They also target the VMware platform itself, stealing virtual machine snapshots (which can be mined offline for further credentials) or creating hidden “rogue” VMs that evade detection.
To mitigate this threat, CISA recommends that network defenders:
- Actively hunt for signs of intrusion using specific YARA and Sigma rules detailed in the associated BRICKSTORM Malware Analysis Report
- Block unauthorized DoH traffic, allowing only the organization's sanctioned resolvers
- Maintain a strict inventory of network edge devices
- Enforce robust network segmentation to restrict traffic between the DMZ and internal networks
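Since the advisory both describes DoH as BRICKSTORM's way of hiding C2 lookups and asks defenders to block unauthorized DoH, here is an added example (not code from the Tenable article or from CISA's advisory) of how a TLS-inspecting proxy's logs can be checked for DoH. The script decodes the DNS wire-format message that DoH carries (RFC 8484: a POST body with Content-Type application/dns-message, or a base64url `?dns=` GET parameter) and flags any DoH request whose destination is not on an allowlist. The JSON log format, the `APPROVED_DOH_HOSTS` allowlist and the sample records are assumptions constructed for illustration.

```python
"""Flag DNS-over-HTTPS requests in web-proxy logs (added example, not CISA's or Tenable's code).

Assumes one JSON record per request with method, host, path, query (pre-parsed),
content_type, accept and, for POSTs, body_b64. APPROVED_DOH_HOSTS stands in for
the organization's sanctioned resolver(s).
"""
import base64
import json
import struct

DOH_MIME = "application/dns-message"
APPROVED_DOH_HOSTS = {"doh.corp.example"}  # assumption: the sanctioned internal resolver


def decode_name(msg: bytes, offset: int):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns_question(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    if struct.unpack("!H", msg[4:6])[0] == 0:  # QDCOUNT
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return qname, struct.unpack("!H", msg[off:off + 2])[0]


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query; used here only to construct the sample records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def inspect_request(rec: dict):
    """Return a finding dict if the proxy record carries DoH, else None."""
    method = rec.get("method", "").upper()
    ctype = rec.get("content_type", "").split(";")[0].strip().lower()
    query = rec.get("query", {})
    raw, via = None, None
    if method == "POST" and ctype == DOH_MIME and rec.get("body_b64"):
        raw, via = base64.b64decode(rec["body_b64"]), "POST body"
    elif method == "GET" and "dns" in query:
        s = query["dns"]  # base64url without padding per RFC 8484
        raw, via = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "GET ?dns="
    elif DOH_MIME in rec.get("accept", "").lower():
        via = "Accept header"  # client negotiating DoH; nothing to parse
    if via is None:
        return None
    finding = {"host": rec.get("host"), "via": via,
               "authorized": rec.get("host") in APPROVED_DOH_HOSTS}
    if raw is not None:
        try:
            finding["qname"], finding["qtype"] = parse_dns_question(raw)
        except ValueError as exc:
            finding["parse_error"] = str(exc)  # DoH-shaped but not valid DNS
    return finding


def scan(lines):
    """Run inspect_request over JSON log lines; return the list of findings."""
    return [f for f in (inspect_request(json.loads(l)) for l in lines) if f]


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed sample records, not real traffic.
_q1, _q2 = build_query("update.example.net"), build_query("intranet.corp.example")
SAMPLE_LOG = [
    json.dumps({"method": "GET", "host": "www.example.com", "path": "/", "query": {},
                "content_type": "", "accept": "text/html"}),
    json.dumps({"method": "POST", "host": "cdn.example.org", "path": "/dns-query",
                "query": {}, "content_type": DOH_MIME, "accept": DOH_MIME,
                "body_b64": base64.b64encode(_q1).decode()}),
    json.dumps({"method": "GET", "host": "doh.corp.example", "path": "/dns-query",
                "query": {"dns": _b64url(_q2)}, "content_type": "", "accept": DOH_MIME}),
    json.dumps({"method": "GET", "host": "203.0.113.10", "path": "/dns-query",
                "query": {"dns": _b64url(_q1)}, "content_type": "", "accept": DOH_MIME}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the DoH media type and the `dns=` parameter catches DoH to any host, including a CDN or a bare IP the actor controls, which is why the check does not depend on a list of public resolvers; the decoded QNAME then gives the hunter a name to pivot on. Note that this only works where the proxy terminates TLS; encrypted-only telemetry would need a different approach.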
2 – Adding AI to OT environments securely
Here’s one for critical infrastructure organizations looking to use artificial intelligence (AI) technology safely to improve their operations.
Cyber agencies from multiple countries this week published a guide for securely integrating AI into operational technology (OT) environments.
“Despite the many benefits, integrating AI into operational technology (OT) environments that manage essential public services also introduces significant risks,”
The guide, titled “Principles for the Secure Integration of Artificial Intelligence in Operational Technology,” focuses on four key principles:
- Educate the workforce: Train all personnel – from OT engineers to senior leadership – on AI functionality, unique security risks, and secure development standards.
- Assess the need: Conduct rigorous risk-benefit analyses, integrating AI only when the operational value clearly outweighs data security and integration risks.
- Adopt governance: Implement frameworks for continuous assurance and regulatory compliance, including ongoing testing to detect model drift or data poisoning.
- Embed safety by design: Build oversight into the system architecture, ensuring fail-safe mechanisms exist to revert to a safe state if the AI is compromised.
“By adhering to these principles and continuously monitoring, validating, and refining AI models, critical infrastructure owners and operators can achieve a balanced integration of AI into the OT environments that control vital public services,” reads the guide, co-authored by cyber agencies from Australia, Canada, Germany, the Netherlands, New Zealand, the U.S. and the U.K.