VMware vSphere BRICKSTORM Malware — VCSA and ESXi Hypervisor Hardening and Defense
BRICKSTORM malware establishes persistence at the VMware vSphere virtualization layer (VCSA Photon Linux and ESXi hypervisors) beneath guest OS visibility, where traditional EDR agents cannot detect it. The intrusion exploits weak identity design, lack of host-based configuration enforcement, and absent monitoring within the virtualization control plane — not product vulnerabilities. Defenders must harden the VCSA Photon Linux layer using the Mandiant vCenter Hardening Script, enforce strict network segmentation, and implement compensating log-based monitoring to detect and remediate these attacks.
Indicators
- Persistence mechanisms established at the virtualization layer (VCSA/ESXi) that are invisible to guest OS-level EDR agents
- Unauthorized administrative access to the vSphere environment persisting beneath the guest operating system
- Attacker activity within the VCSA Photon Linux layer not captured by standard endpoint monitoring
- Long-term, low-visibility footholds in the virtualization control plane with admin-level control over the entire vSphere environment
- Unexpected SSH sessions, unauthorized cron jobs, or unfamiliar systemd unit files on the VCSA
- Anomalous authentication events or unusual API calls in VCSA and ESXi logs
Likely causes
- Weak security architecture and identity design — overprivileged accounts, lack of MFA on vCenter management interfaces
- Lack of host-based configuration enforcement on the VCSA Photon Linux operating system
- Limited or absent visibility within the virtualization layer — no EDR agents supported, no syslog forwarding configured
- Historically reduced security focus on virtualization control planes compared to traditional endpoints
- VCSA inheriting the risk profile of critical Tier-0 workloads it hosts without equivalent protective controls
Diagnostic steps
- Review the BRICKSTORM vSphere attack chain documentation from Google Threat Intelligence Group (GTIG) to understand the full kill chain from initial access through persistence on VCSA and ESXi, and map observed activity against each stage. This establishes which stages of the attack chain may already have been traversed and which vSphere-layer indicators of compromise to look for.
- Audit vSphere identity and access design: enumerate all accounts with administrative access to vCenter SSO and ESXi using the vSphere Client, review role assignments under Administration > Access Control > Roles (and Global Permissions), and identify any accounts with broader privileges than required. Check Administration > Single Sign On > Identity Sources for unauthorized SSO identity sources. Weak identity design is the primary enabler of BRICKSTORM-style intrusions; this step determines whether unauthorized principals have been granted access to the control plane.
- SSH to the VCSA and inspect the Photon Linux layer for persistence mechanisms: review running processes with `ps aux`, examine cron jobs with `crontab -l` (for root and every other local account) and `ls -la /etc/cron.*`, inspect systemd unit files with `systemctl list-unit-files --type=service` and `ls -la /etc/systemd/system/` (including the `*.wants/` directories whose symlinks enable units), and check legacy startup scripts in `/etc/rc.local` and `/etc/init.d/` where present. Where possible, compare against a known-good appliance of the same build. These are the persistence mechanisms that guest OS EDR agents cannot see, consistent with BRICKSTORM's documented persistence strategy.
- Review VCSA and ESXi log files for anomalous activity: on VCSA examine `/var/log/vmware/vpxd/vpxd.log`, `/var/log/vmware/sso/`, and `/var/log/audit/audit.log`; on ESXi examine `/var/log/auth.log`, `/var/log/hostd.log`, and `/var/log/shell.log`. Verify logs are being forwarded to an external SIEM with `esxcli system syslog config get` on ESXi and under VAMI > Syslog on the VCSA. This assesses the visibility gap within the virtualization layer: whether the attacker has already operated within the unmonitored control plane, and whether log integrity is intact (gaps, truncation, or local-only logging that an attacker with root could have edited).
- Download and run the Mandiant vCenter Hardening Script against the VCSA in audit mode to compare the current configuration state with the hardened baseline. Review the script output to identify all deviations from recommended security configurations on the Photon Linux layer. This establishes the current security posture of the VCSA against the hardening benchmark and the specific configuration gaps that expose the environment to BRICKSTORM-style attacks.
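The VCSA persistence checks and the SSH-login review above, combined into one triage script. This is an added example and not the page's or Mandiant's code; the baseline listing (captured from a known-good appliance of the same build), the management prefix `10.10.0.`, the appliance tree and the two sshd lines it runs against are all hypothetical or constructed.

```shell
#!/bin/sh
# Added example (not from the page or Mandiant): control-plane triage for a
# VCSA (or ESXi) shell. Check 1: persistence artifacts missing from a baseline
# captured on a known-good appliance. Check 2: accepted SSH logins from
# outside the management prefix. Baseline, prefix and sample data are
# hypothetical/constructed.
export LC_ALL=C

# Enumerate persistence-capable files, plus the symlinks that enable systemd
# units, under ROOT. Paths are printed relative to ROOT so a listing taken
# with ROOT=/ on a clean appliance compares directly with another host.
list_persistence() {
  root="$1"
  find "$root/etc/systemd/system" "$root/etc/cron.d" "$root/etc/cron.hourly" \
       "$root/etc/cron.daily" "$root/etc/init.d" "$root/etc/rc.local" \
       "$root/var/spool/cron" \( -type f -o -type l \) 2>/dev/null |
    while IFS= read -r p; do printf '%s\n' "${p#"$root"}"; done | sort
}

# Print artifacts under ROOT that are not in BASELINE (one path per line as
# written by list_persistence). Returns 1 when anything new is found.
persistence_delta() {
  baseline="$1"; root="$2"
  new=$(list_persistence "$root" | grep -vxF -f "$baseline")
  [ -z "$new" ] && return 0
  printf '%s\n' "$new"
  return 1
}

# Flag sshd "Accepted ..." lines whose source address does not start with
# MGMT_PREFIX (e.g. "10.10.0."). The pattern fits ESXi /var/log/auth.log;
# only the leading timestamp field is assumed for the report line.
flag_ssh_logins() {
  awk -v p="$2" '
    /sshd\[[0-9]+\]: Accepted / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip != "" && index(ip, p) != 1) print $1, "ssh-login-outside-mgmt", ip
    }' "$1"
}

# Constructed demonstration tree and log lines; nothing here is a real
# indicator taken from the page.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/systemd/system/multi-user.target.wants" "$t/etc/cron.d"
  : > "$t/etc/systemd/system/vmware-vpxd.service"
  ln -s ../vmware-vpxd.service \
    "$t/etc/systemd/system/multi-user.target.wants/vmware-vpxd.service"
  list_persistence "$t" > "$t/baseline.txt"   # the "known-good" snapshot
  : > "$t/etc/cron.d/.update"                   # constructed later addition
  echo "== artifacts not in baseline =="
  persistence_delta "$t/baseline.txt" "$t"
  cat > "$t/auth.log" <<'EOF'
2025-09-01T10:00:00Z sshd[4321]: Accepted publickey for root from 10.10.0.5 port 51000 ssh2
2025-09-01T11:13:42Z sshd[4388]: Accepted password for root from 203.0.113.7 port 50412 ssh2
EOF
  echo "== ssh logins from outside 10.10.0.0/24 =="
  flag_ssh_logins "$t/auth.log" "10.10.0."
  rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `sh triage.sh --demo` to see the constructed case. On real hosts, capture the baseline with `list_persistence / > baseline.txt` on a clean appliance of the same build, then run `persistence_delta baseline.txt /` on the suspect one and `flag_ssh_logins /var/log/auth.log 10.10.0.` on ESXi. Anything printed is a lead to check against the GTIG indicators and the diagnostic steps above, not a confirmed compromise; a unit that is not in the baseline may also be a legitimate patch-level difference.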
Resolution path
- Take a file-based backup of the appliance via VAMI (Backup) before making changes, and optionally a short-lived VM snapshot of the VCSA, so that hardening can be rolled back if it breaks a service. Delete the snapshot once the change is validated; long-lived snapshots of vCenter degrade performance and are not a substitute for a backup.
- Deploy and execute the Mandiant vCenter Hardening Script against the VCSA to enforce security configurations directly at the Photon Linux layer, addressing configuration gaps that enable BRICKSTORM persistence.
- Remediate weak identity design: in vSphere Client under Administration > Access Control, enforce least-privilege role assignments, remove unnecessary administrative accounts, and require MFA for vCenter management access by federating vCenter SSO with an external identity provider. ESXi has no MFA of its own, so place hosts in lockdown mode so that management flows through vCenter rather than direct root logins to the host.
- Implement host-based configuration enforcement on the VCSA Photon Linux OS: restrict SSH access to authorized management hosts only, disable unused services with `systemctl disable <service>`, configure file integrity monitoring on critical system paths (/etc/systemd/, /etc/cron.d/, /etc/init.d/), and lock down local account access.
- Close the visibility gap by configuring VCSA syslog forwarding via VAMI > Syslog and ESXi syslog forwarding with `esxcli system syslog config set --loghost=tcp://<SIEM-IP>:<port>` (udp:// or ssl:// as appropriate; esxcli expects a scheme and port, not a bare address), then reload the ESXi syslog service and enable the host's syslog firewall ruleset so the change takes effect and the traffic is permitted. Establish alerting rules in the SIEM for anomalous control-plane activity.
- Segment the vSphere management network: configure firewall rules and network ACLs to restrict access to vCenter (TCP 443, 5480) and ESXi management interfaces (TCP 443, 22) to only authorized, dedicated management hosts.
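The ESXi syslog step above as an added example (not the page's or VMware's code): it validates the loghost URI that esxcli expects, emits the full command sequence (set, reload, firewall ruleset, test message) and checks saved output of `esxcli system syslog config get`. The SIEM address is hypothetical, and the `Remote Host:` label is assumed from that command's human-readable output.

```shell
#!/bin/sh
# Added example (not from the page or VMware): builds and checks the esxcli
# sequence that enables remote syslog on an ESXi host. The SIEM address is
# hypothetical and the "config get" sample parsed below is constructed.

# Print the commands that point ESXi syslog at LOGHOST. esxcli expects a
# scheme (udp://, tcp:// or ssl://) and a port; a bare "ip:port" is refused
# here instead of failing on the host after the change was assumed applied.
syslog_plan() {
  loghost="$1"
  case "$loghost" in
    tcp://*:[0-9]*|udp://*:[0-9]*|ssl://*:[0-9]*) ;;
    *) echo "refusing '$loghost': use tcp://, udp:// or ssl:// with a port" >&2
       return 1 ;;
  esac
  cat <<EOF
esxcli system syslog config set --loghost=$loghost
esxcli system syslog reload
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli system syslog mark --message="syslog forwarding enabled"
EOF
}

# Confirm that saved output of "esxcli system syslog config get" names the
# expected remote host. The "Remote Host:" label is assumed from that
# command's human-readable output; adjust if your build prints it differently.
verify_syslog() {
  expected="$1"; saved="$2"
  actual=$(awk '/^ *Remote Host:/ { sub(/^ *Remote Host: */, ""); print }' "$saved")
  [ "$actual" = "$expected" ]
}

# Usage on the host (hypothetical SIEM address), after sourcing this file:
#   syslog_plan tcp://10.10.0.50:514 | sh
#   esxcli system syslog config get > /tmp/syslog.txt
#   verify_syslog tcp://10.10.0.50:514 /tmp/syslog.txt && echo forwarding-ok
```

The `mark` command writes a known message through the same path the SIEM should receive; if it never arrives, the problem is the network path or ruleset, not the host configuration. Prefer `ssl://` where the collector supports it so the forwarded logs cannot be read or altered in transit.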
Prevention
- Enforce least-privilege identity design across all vSphere components: audit and restrict vCenter SSO roles quarterly, remove standing administrative access where possible, and require MFA for all management interfaces to prevent credential-based initial access.
- Deploy the Mandiant vCenter Hardening Script proactively to enforce a security baseline on the VCSA Photon Linux layer before a compromise occurs, closing configuration gaps that attackers exploit to establish persistence.
- Eliminate the visibility gap in the virtualization control plane by configuring persistent, tamper-resistant syslog forwarding from VCSA and ESXi to an external SIEM, and establish detection rules for anomalous control-plane activity (failed logins, new SSH sessions, unexpected API calls).
- Isolate the vSphere management network using strict firewall rules and network ACLs so that only dedicated, hardened management hosts can reach vCenter and ESXi management interfaces, reducing the attack surface for initial access.
- Classify and treat the VCSA and ESXi hypervisors at the same security tier as the most sensitive Tier-0 workloads they host (domain controllers, PAM solutions), applying equivalent change control, monitoring, and access restriction policies.
Tools
- Mandiant vCenter Hardening Script — automates enforcement of security configurations directly at the VCSA Photon Linux layer
- VMware vCenter Server Appliance Management Interface (VAMI) — appliance backup and configuration management
- VMware ESXi DCUI (Direct Console User Interface) — out-of-band host management and recovery
- SIEM / log aggregation platform — centralized collection of VCSA and ESXi syslog for visibility into the virtualization control plane
- vSphere Client — identity and role auditing via Administration console
- SSH client — direct access to VCSA Photon Linux shell for inspection