
BRICKSTORM Malware Hits U.S. Tech, Law, and SaaS Firms

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Hackers are using BRICKSTORM malware to infiltrate U.S. companies, staying hidden for over a year, stealing sensitive emails and data.

In a rush? Here are the quick facts:

  • Hackers remained undetected in networks for over 393 days.
  • Targets include U.S. law firms, SaaS, outsourcing, and tech companies.
  • Malware hides in VMware servers and network appliances.

A stealthy cyber campaign called BRICKSTORM is targeting major U.S. industries, according to new research by Google’s Threat Intelligence Group (GTIG) and Mandiant Consulting. Since March 2024, the malware has targeted law firms, tech companies, Software-as-a-Service (SaaS) providers and business outsourcing firms.

Researchers say the backdoor is designed for long-term spying. “This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average,” Google noted.

The attacks are linked to UNC5221, a hacking group suspected of ties to China. The group uses zero-day vulnerabilities, which are unpatched security flaws in software systems. BRICKSTORM is hard to spot because it lives on devices that standard security software does not monitor, including VMware servers and other network appliances.

One of the most concerning findings is the hackers’ ability to quietly steal sensitive emails. In many cases, they targeted developers, system administrators, and individuals connected to U.S. national security or trade issues.

GTIG explained that compromising SaaS providers can give attackers a path to those providers’ downstream customers, while attacks on tech companies can yield stolen intellectual property and, potentially, new zero-day exploits.

To help organizations defend themselves, Mandiant has released a scanner tool that can detect signs of BRICKSTORM on Linux and BSD systems. The tool is available on Mandiant’s GitHub page.

Mandiant strongly advised companies to update their security practices, review how they protect critical servers, and adopt a “threat hunting” approach instead of relying only on old detection methods.

“Mandiant strongly encourages organizations to reevaluate their threat model for appliances and conduct hunt exercises for this highly evasive actor,” the team said.

The campaign demonstrates how attackers modify their tactics to bypass standard security measures, which the researchers argue should push businesses to take active measures to protect their systems.


Hackers Use Fake WordPress Plugin to Maintain Full Site Control

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Researchers have found hackers exploiting WordPress sites through concealed backdoors, gaining full control, even when site owners try to remove them.

In a rush? Here are the quick facts:

  • A fake plugin named DebugMaster Pro secretly created admin accounts.
  • The malware sent stolen login details to a hacker-controlled server.
  • Malicious scripts were injected into sites, also logging admin IP addresses.

A recent investigation by Sucuri found that two files with malicious content were disguised as normal WordPress system components. One was a fake plugin called “DebugMaster Pro” (./wp-content/plugins/DebugMaster/DebugMaster.php). The other pretended to be a core file (./wp-user.php).

Both were designed to make sure attackers always had an administrator account on the site. The DebugMaster file used fairly advanced code to create a secret admin user account, kept itself out of the plugin list, and sent stolen login information to a remote server.

As the report explained: “This snippet forces WordPress to create a new user named help with the role of administrator. If the user already exists, the script ensures it has administrator privileges restored.”

The stolen details, including username and password, were encoded and sent to a hacker-controlled website. While running, the malware also injected malicious scripts into the site and logged the IP addresses of website administrators.

The wp-user.php file presented a simpler but equally concerning case: it ensured that an admin account named “help” with a fixed password always existed. Even if a site owner deleted this account, the file would instantly recreate it.

The researchers explained that warning signs of this infection include strange files like ‘DebugMaster.php’ or ‘wp-user.php,’ new or hidden administrator accounts, and deleted accounts coming back.
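A defender-side check for the warning signs listed above, written here as an added example (not Sucuri’s or WordPress’s code): a must-use plugin that logs whenever an account is created as, or elevated to, administrator, and flags the two file paths named in the report. The hook names (user_register, set_user_role, add_user_role, admin_init) are WordPress core hooks; the plugin name and the apm_ function prefix are my own.

```php
<?php
/**
 * Plugin Name: Admin Persistence Monitor
 * Description: Added example, not Sucuri's code. Logs administrator creation or
 * elevation and checks for the indicator files named in the report.
 * Install as wp-content/mu-plugins/admin-persistence-monitor.php.
 */
// Indicator paths from the report, relative to the WordPress root (ABSPATH).
const APM_INDICATOR_FILES = [
    'wp-content/plugins/DebugMaster/DebugMaster.php',
    'wp-user.php',
];

function apm_log( string $msg ): void {
    // Goes to the PHP error log, i.e. the server logs the remediation advice says to review.
    error_log( '[admin-persistence-monitor] ' . $msg );
}

// Log any user that ends up with the administrator role. This catches both
// "create help as administrator" and "restore administrator to help".
function apm_check_user( int $user_id, string $context ): void {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        apm_log( sprintf( '%s: administrator "%s" (ID %d), remote %s',
            $context, $user->user_login, $user_id,
            $_SERVER['REMOTE_ADDR'] ?? 'cli' ) );
    }
}

add_action( 'user_register', function ( int $user_id ): void {
    apm_check_user( $user_id, 'user_register' );
} );

// set_user_role fires on WP_User::set_role(), add_user_role on add_role().
foreach ( [ 'set_user_role', 'add_user_role' ] as $hook ) {
    add_action( $hook, function ( int $user_id, string $role ) use ( $hook ): void {
        if ( 'administrator' === $role ) {
            apm_check_user( $user_id, $hook );
        }
    }, 10, 2 );
}

// On each admin-side request, warn if either indicator file is present.
add_action( 'admin_init', function (): void {
    foreach ( APM_INDICATOR_FILES as $rel ) {
        if ( file_exists( ABSPATH . $rel ) ) {
            apm_log( 'indicator file present: ' . $rel );
        }
    }
} );
```

A logged entry for a "help" account reappearing after deletion is exactly the "deleted accounts coming back" sign the researchers describe, and the remote address in the entry ties it to a request in the access log.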

The fix involves removing the malicious files and any suspicious accounts. Users are also advised to reset all passwords, update WordPress and its plugins, and check server logs for unusual connections.

Researchers said the two files “created a resilient foothold on the website,” meaning attackers could easily return unless the site was fully cleaned and secured.