Securing vSphere Against BRICKSTORM: Key Questions and Defensive Strategies

This Q&A guide builds on recent research from Google Threat Intelligence Group (GTIG) on the BRICKSTORM malware, which targets VMware vSphere environments. BRICKSTORM exploits weak security architecture and visibility gaps at the virtualization layer, gaining persistence beneath guest operating systems where traditional defenses fail. By understanding the risks to the vCenter Server Appliance (VCSA) and ESXi hypervisors, organizations can implement critical hardening strategies. Below, we address the most pressing questions about defending against this threat.

What is BRICKSTORM malware and how does it compromise vSphere?

BRICKSTORM is a backdoor identified by Google Threat Intelligence Group that targets the VMware vSphere ecosystem, specifically vCenter Server Appliances (VCSA) and ESXi hypervisors. Rather than depending on a software vulnerability, it capitalizes on weak security design: misconfigured identities, insufficient host-based controls, and limited monitoring within the virtualization layer. Once inside, the attackers establish persistence below the guest operating systems, which gives them administrative control over every managed host and virtual machine. From there they can move laterally, steal data, or deploy ransomware without being detected. The attack chain shown in the original research demonstrates how BRICKSTORM bypasses traditional security by operating where EDR agents and antivirus cannot reach.

Source: www.mandiant.com

Why is the vCenter Server Appliance (VCSA) such a high-value target?

The VCSA is the central management point for an entire vSphere infrastructure. It runs on Photon OS, VMware's purpose-built Linux distribution, and the environment it manages commonly hosts Tier-0 workloads such as domain controllers and privileged access management systems. Compromising the VCSA hands an attacker administrative control over every ESXi host and virtual machine, effectively collapsing network segmentation and tiering; the appliance must therefore be treated as a Tier-0 asset itself. Because the VCSA is a purpose-built appliance, its out-of-the-box configuration lacks the hardening appropriate to such a critical asset, so organizations must intentionally secure both the vSphere layer and the underlying Photon OS. Without those customizations, the VCSA remains an attractive and vulnerable target for threat actors like those behind BRICKSTORM.

What visibility gaps in virtualized environments does BRICKSTORM exploit?

Traditional security monitoring relies on agents deployed within guest operating systems. However, BRICKSTORM operates at the virtualization layer—the hypervisor and management plane—where these agents cannot function. This creates a significant visibility gap: security teams often have no insight into activities occurring on the ESXi hosts or VCSA itself. Furthermore, these control planes have historically received less security focus compared to endpoints, leading to under-monitored attack surfaces. BRICKSTORM leverages this blind spot to persist undetected, moving laterally between virtual machines without triggering alarms. Closing this gap requires infrastructure-centric defenses, such as dedicated logging and monitoring of vSphere components, combined with host-based configuration enforcement at the Photon Linux level.

How can organizations harden their vSphere control plane against BRICKSTORM?

Hardening the vSphere control plane involves multiple layers. First, implement strict identity and access controls for vCenter and ESXi, including multi-factor authentication for administrative accounts and a short, explicit list of principals holding the Administrator role. Second, enforce host-based security configurations on the Photon OS running the VCSA: disable unnecessary services (SSH in particular, outside maintenance windows), apply restrictive firewall rules, and enable audit logging. Third, use network segmentation to isolate management interfaces and restrict access to trusted management hosts only. Fourth, regularly review and tighten permissions for service accounts and system roles. Finally, deploy the Mandiant vCenter Hardening Script to automate many of these settings. A defense-in-depth approach aimed at the virtualization layer raises the cost of an intrusion and improves the odds of detecting threats like BRICKSTORM before they gain persistent administrative control.
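The steps above are most useful when they are checked against a baseline rather than applied once and forgotten. The script below is an added illustration written for this guide, not the Mandiant vCenter Hardening Script and not code from the original research: it evaluates three of the controls discussed (Photon OS sshd settings, enabled services, and vCenter Administrator-role assignments) against a baseline and reports deviations. The sshd_config text, the unit list, the permission export and the baseline values are constructed for the example; the only real-world facts it relies on are that sshd honours the first occurrence of a directive and the OpenSSH defaults for the three directives checked.

```python
"""Configuration baseline check for a VCSA control plane: Photon OS sshd
settings, enabled services and vCenter permission assignments.  Added
illustration for this guide, not the Mandiant vCenter Hardening Script; the
sample inputs and the baseline values are constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str
    detail: str


# Constructed sample of /etc/ssh/sshd_config with weak settings
SAMPLE_SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    PermitRootLogin no
"""
# Constructed list of enabled units, as `systemctl list-unit-files --state=enabled` would report them
SAMPLE_ENABLED_UNITS = ["sshd.service", "vmware-vpxd.service", "rsyslog.service"]
# Constructed vCenter permission export: (principal, role, entity, propagate)
SAMPLE_PERMISSIONS = [
    ("VSPHERE.LOCAL\\Administrator", "Administrator", "Datacenters", True),
    ("CORP\\Domain Users", "Administrator", "Datacenters", True),
    ("CORP\\svc-backup", "Administrator", "Datacenters", True),
    ("CORP\\vsphere-admins", "Administrator", "Datacenters", True),
    ("CORP\\helpdesk", "Read-only", "Datacenters", True),
]

# Hypothetical baseline for this example
SSHD_BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no", "x11forwarding": "no"}
# OpenSSH defaults that apply when a directive is absent from the file
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes", "x11forwarding": "no"}
REQUIRED_UNITS = {"auditd.service", "rsyslog.service"}   # logging must be on
DISCOURAGED_UNITS = {"sshd.service"}                      # enable only for a maintenance window
ALLOWED_ADMINS = {"VSPHERE.LOCAL\\Administrator", "CORP\\vsphere-admins"}


def parse_sshd_config(text: str) -> dict:
    """Effective global directives, lowercased keys.

    sshd honours the first occurrence of a directive, and everything after
    the first Match line is conditional, so the parser keeps the first value
    it sees and stops at Match."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_sshd(text: str) -> list:
    effective = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_BASELINE.items():
        got = effective.get(key, SSHD_DEFAULTS[key]).lower()
        if got != want:
            findings.append(Finding(f"sshd:{key}", f"is '{got}', baseline '{want}'"))
    return findings


def check_services(enabled) -> list:
    enabled = set(enabled)
    findings = [Finding(f"unit:{u}", "required but not enabled") for u in sorted(REQUIRED_UNITS - enabled)]
    findings += [Finding(f"unit:{u}", "enabled but discouraged") for u in sorted(DISCOURAGED_UNITS & enabled)]
    return findings


def check_permissions(perms) -> list:
    # Any Administrator assignment outside the allow-list is a deviation,
    # whatever the entity; group-wide grants such as Domain Users are the
    # classic way tiering collapses.
    return [
        Finding(f"perm:{principal}", f"Administrator on {entity} (propagate={propagate})")
        for principal, role, entity, propagate in perms
        if role == "Administrator" and principal not in ALLOWED_ADMINS
    ]


def run_baseline() -> list:
    return (check_sshd(SAMPLE_SSHD_CONFIG)
            + check_services(SAMPLE_ENABLED_UNITS)
            + check_permissions(SAMPLE_PERMISSIONS))


if __name__ == "__main__":
    for f in run_baseline():
        print(f"DEVIATION {f.control}: {f.detail}")
```

Run against the constructed inputs it reports seven deviations: three sshd directives, a missing auditd unit, an enabled sshd unit, and two Administrator grants outside the allow-list. The Match-block `PermitRootLogin no` is deliberately ignored, because it only applies to one user and would otherwise mask the global `yes`. On a real appliance the three inputs would come from `/etc/ssh/sshd_config`, `systemctl`, and a permission export from vCenter.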


What role does the Mandiant vCenter Hardening Script play in defense?

The Mandiant vCenter Hardening Script is a security automation tool designed to enforce recommended configurations directly on the Photon Linux operating system of the VCSA. It applies settings that harden the control plane against threats like BRICKSTORM, including auditing policies, firewall rules, service disabling, and secure defaults. By automating these changes, the script reduces the manual effort required to secure vSphere components and ensures consistent enforcement across environments. It addresses the key risk that out-of-the-box VCSA installations are insufficiently secured for Tier-0 roles. While the script is not a silver bullet—organizations must also manage identities and monitor logs—it closes critical gaps in the virtualization layer's security posture, making it much harder for attackers to establish undetected persistence.

Why are standard endpoint detection and response (EDR) tools ineffective at the virtualization layer?

EDR agents are designed to run within guest operating systems, monitoring processes, file systems, and network activity at the OS level. The virtualization layer is different: ESXi runs its own VMkernel and the VCSA runs Photon OS, and neither is a supported platform for standard EDR agents. These components have limited or no visibility from conventional endpoint tools, leaving the blind spot that BRICKSTORM exploits. Attackers can read or modify virtual machine memory and disks from the hypervisor side, or alter the VCSA itself, without triggering any EDR alert. To detect such intrusions, organizations must rely on infrastructure-side telemetry instead: VMware's built-in logging, syslog forwarding from every ESXi host and the VCSA to a collector the attacker cannot reach, vCenter audit and event logs, and security tools that specialize in virtualization-layer inspection.
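Forwarded logs only close the gap if something actually evaluates them. The block below is an added example written for this guide, not Mandiant's tooling or the original research, showing the kind of rules an analyst would run over syslog collected from ESXi hosts and the VCSA: SSH being enabled on a host, successful logins from outside the management network, clones of Tier-0 virtual machines, and new Administrator grants, plus a simple correlation that flags a source address seen on both an ESXi host and the VCSA. The six log lines, the `event=` field names, the management network and the Tier-0 VM list are all constructed for illustration and do not reproduce real ESXi or vCenter log formats.

```python
"""Virtualization-layer detection over forwarded syslog.  Added example for
this guide (not Mandiant's tooling); the log lines and field names below are
constructed for illustration and do not reproduce real ESXi/vCenter formats."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of syslog forwarded from an ESXi host (esx01) and a VCSA (vcsa01)
SAMPLE_LOGS = """
2025-09-25T10:02:11Z esx01 hostd: event=SSHServiceStateChanged state=enabled user=root
2025-09-25T10:02:40Z esx01 auth: event=UserLogin user=root src=203.0.113.77 result=success
2025-09-25T10:05:03Z vcsa01 vpxd: event=VmCloned vm=DC01 user=CORP\\svc-backup src=203.0.113.77
2025-09-25T10:06:00Z vcsa01 vpxd: event=PermissionAdded principal=CORP\\svc-backup role=Administrator src=203.0.113.77
2025-09-25T11:00:00Z vcsa01 auth: event=UserLogin user=CORP\\jdoe src=10.10.1.5 result=success
2025-09-25T11:10:00Z vcsa01 vpxd: event=VmCloned vm=web03 user=CORP\\jdoe src=10.10.1.5
"""

# Hypothetical environment knowledge an analyst would supply
MGMT_NETWORKS = [ipaddress.ip_network("10.10.1.0/24")]
TIER0_VMS = {"DC01", "DC02", "PAM01"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")   # ts host source: key=value ...
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    source: str
    fields: dict


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_events(text: str) -> list:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the batch
        ts, host, source, rest = m.groups()
        events.append(Event(ts, host, source, dict(KV_RE.findall(rest))))
    return events


def outside_mgmt(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparsable source is treated as untrusted
    return not any(addr in net for net in MGMT_NETWORKS)


def evaluate(ev: Event):
    f = ev.fields
    kind = f.get("event")
    if kind == "SSHServiceStateChanged" and f.get("state") == "enabled":
        return Alert("ssh_enabled", ev.host, f"SSH enabled by {f.get('user')}")
    if kind == "UserLogin" and f.get("result") == "success" and outside_mgmt(f.get("src", "")):
        return Alert("login_outside_mgmt", ev.host, f"{f.get('user')} from {f.get('src')}")
    if kind == "VmCloned" and f.get("vm") in TIER0_VMS:
        return Alert("tier0_clone", ev.host, f"{f.get('vm')} cloned by {f.get('user')}")
    if kind == "PermissionAdded" and f.get("role") == "Administrator":
        return Alert("admin_grant", ev.host, f"Administrator granted to {f.get('principal')}")
    return None


def detect(text: str) -> list:
    return [a for a in (evaluate(ev) for ev in parse_events(text)) if a]


def pivot_sources(events) -> set:
    """Source addresses seen on more than one host, e.g. an ESXi host and then the VCSA."""
    hosts_by_src = {}
    for ev in events:
        src = ev.fields.get("src")
        if src:
            hosts_by_src.setdefault(src, set()).add(ev.host)
    return {src for src, hosts in hosts_by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("sources pivoting across hosts:", pivot_sources(parse_events(SAMPLE_LOGS)))
```

Over the constructed sample the four rules fire once each on the first four lines, the two routine events from the management network produce nothing, and 203.0.113.77 is reported as a source that touched both esx01 and vcsa01. The point is not the specific field names but that these signals exist only in host- and vCenter-side logs, so the collector receiving them has to sit outside the attacker's reach.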

What are the first steps to secure vSphere after a BRICKSTORM attack is suspected?

If a BRICKSTORM intrusion is suspected, immediate actions include: isolating the affected VCSA or ESXi host at the network layer to prevent lateral movement, while keeping it powered on so evidence is not lost; capturing forensic copies of virtual machine memory and disks, and of the appliance itself, from outside the suspect host; reviewing vCenter and ESXi logs for unauthorized access or configuration changes; and, once containment is in place, rotating every credential used for vSphere management, including service account passwords and SSO tokens. Next, compare host-based configurations against the baseline enforced by the Mandiant hardening script to identify deviations. Engage incident response experts who specialize in virtualization forensics, since standard EDR tools lack coverage here. Finally, rebuild compromised hosts and the VCSA from known-good media after verifying that no persistence mechanism remains in the hypervisor layer. Post-remediation, implement the hardening measures described in this guide to prevent recurrence.
