BRICKSTORM Malware Strikes vSphere: Attackers Exploit Security Gaps in Virtualization Layer

Urgent — A sophisticated malware campaign known as BRICKSTORM is actively targeting VMware vSphere environments, exploiting weak security architecture rather than software vulnerabilities, according to recent findings from Google Threat Intelligence Group (GTIG). The attack chain compromises vCenter Server Appliance (VCSA) and ESXi hypervisors, granting attackers persistent administrative control below the guest operating system where traditional endpoint defenses cannot operate.

“These intrusions rely on the effectiveness of exploiting weak security architecture and identity design, not on product vulnerabilities,” said Stuart Carrera, a security researcher at Mandiant. “By operating within unmonitored areas, attackers can establish long-term persistence and gain administrative control over the entire vSphere environment.”

Background

BRICKSTORM was first identified by GTIG during an investigation into attacks on virtualized infrastructure. The malware targets the control plane of VMware vSphere, specifically the VCSA running on Photon Linux and the ESXi hypervisor. Because these systems host Tier-0 workloads such as domain controllers and privileged access management solutions, a compromise cascades across entire networks. The attackers gain visibility and control beneath the guest operating system, evading endpoint detection and response (EDR) agents that cannot be installed on the hypervisor or vCenter appliance.

BRICKSTORM Malware Strikes vSphere: Attackers Exploit Security Gaps in Virtualization Layer
Source: www.mandiant.com

The campaign does not exploit zero-day vulnerabilities. Instead, it takes advantage of weak security configurations, poor identity management, and a historical lack of security focus on the virtualization layer. “The virtualization control plane has less security attention than traditional endpoints, creating a significant visibility gap,” Carrera added. “Attackers exploit this gap to move laterally and maintain persistence for months.”

Attack Chain and Impact

According to the research, the BRICKSTORM attack chain involves initial compromise through stolen credentials or weak identity design, followed by escalation to administrator privileges on vCenter. Once inside, attackers deploy backdoors and modify configurations to persist even after reboots. From vCenter, they can manage every ESXi host and virtual machine, rendering traditional organizational tiering irrelevant. “A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine,” Carrera explained.

The VCSA, as the central point of trust for vSphere, inherits the same risk classification as the critical workloads it hosts. Because it runs a purpose-built Photon Linux OS, default configurations are rarely sufficient for Tier-0 security. Organizations must adopt custom hardening measures at both the vSphere and OS layers.

What This Means

For defenders, the BRICKSTORM campaign underscores that virtualization infrastructure must be treated as a Tier-0 asset with corresponding security controls. “Relying on out-of-the-box defaults is often insufficient; achieving a Tier-0 security standard requires intentional, custom security configurations,” Carrera said. “The virtualization layer can no longer be an afterthought.”

To help organizations automate hardening, Mandiant has released a vCenter Hardening Script that enforces security configurations directly on the Photon Linux layer. The script addresses common weaknesses exploited by BRICKSTORM, including weak identity management and lack of host-based configuration enforcement. “By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats,” Carrera noted.

Security experts urge immediate review of vCenter access controls, multi-factor authentication, and logging for hypervisor-level events. Given that BRICKSTORM operates below guest OS visibility, traditional EDR tools will not detect the intrusion. “Visibility into the control plane is critical,” Carrera emphasized. “Without it, attackers can move freely and remain undetected.”

Recommendations for Immediate Action

Organizations should review GTIG’s full BRICKSTORM report for threat indicators and detection guidance. The shift to infrastructure-centric defense is no longer optional — it is essential to prevent attacks that target the foundation of enterprise IT.
