
Inside UNC5221’s BRICKSTORM: Unmasking a Stealthy Espionage Backdoor


Executive summary

Since at least early 2025, a suspected China-nexus cluster, tracked as UNC5221, has deployed the BRICKSTORM backdoor using the vulnerabilities CVE-2023-46805 and CVE-2024-21887 to establish long-term, stealthy access to high-value targets, notably legal services, SaaS providers, BPOs, and technology firms. The actor preferentially targets edge appliances and other Internet-facing infrastructure that often lack traditional EDR, enabling persistence, data collection, and pivoting into downstream customer environments.


Background on BRICKSTORM & UNC5221

BRICKSTORM began as a Linux-focused espionage backdoor family and has since been observed in additional builds/variants that expand capabilities and platform coverage. The tooling is modular and uses application-layer C2 channels, notably WebSockets and DNS-over-HTTPS techniques, to blend with legitimate traffic and avoid signature-based detection. Multiple vendor write-ups and incident responses tie BRICKSTORM activity to UNC5221 based on overlapping TTPs, telemetry, and infrastructure.


Vulnerability details

CVE-ID | CVSS Score & Severity | Vulnerability Type | Affected Firmware / Products | EPSS Score
CVE-2023-46805 | 8.2 (High) | Authentication bypass | Ivanti Connect Secure / Policy Secure (9.x, 22.x) | 94.38 %
CVE-2024-21887 | 9.1 (Critical) | Command injection | Ivanti Connect Secure / Policy Secure (9.x, 22.x) | 94.42 %

Infection & deployment vectors

  • Initial access: exploitation of Internet-facing appliance vulnerabilities (see Vulnerability details). Operators also use credential stuffing, weak management interface exposures and weaponized updates/trojanized components in a smaller number of cases.
  • Loader/implant: compact in-memory droppers, shell-script droppers that stage payloads into running web processes, and filesystem implants configured as services/daemons when persistence is needed.
  • C2 communication: WebSockets, DoH, and other application-layer channels that mimic normal TLS traffic.

Capabilities & behaviors

  • File operations (list/upload/download/create/delete) for targeted data collection.
  • Remote command execution / interactive shells.
  • Proxying/tunneling (SOCKS/HTTP) to access downstream networks and customers.
  • Process injection and SSL/TLS hooking (passive execution via SSL_read).

Techniques and Tactics

Tactic | Technique (MITRE link) | Description
Initial Access | T1190 | Exploit a weakness in an Internet-facing host or service to gain access.
Persistence | T1547 | Configure services/autorun mechanisms so malware survives reboots.
Persistence | T1053 | Use OS schedulers (cron, at, systemd timers, Windows Task Scheduler) to run payloads.
Command & Control | T1071.001 | Use common web protocols to blend C2 traffic with normal application traffic.
Lateral Movement | T1090 | Relay or proxy traffic to hide the true source and reach internal networks.
Collection | T1119 | Use scripted or built-in tooling to gather files/data for staging/exfiltration.

Indicators of Compromise

  • Network telemetry: long-lived TLS/WebSocket sessions from appliances to uncommon endpoints; multiple DoH resolver queries from a single appliance; unusual client TLS certificates presented to proxies or appliances.
  • Host artefacts: unexpected /tmp droppers (e.g., /tmp/.i, /tmp/.r), modified web service processes, altered integrity checker tool outputs (ICT), suspicious core dumps, or cleared logs.
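As an added example (not part of the original post), the two network-telemetry heuristics above turned into detection logic over constructed connection records; the thresholds, host names and allow-list are assumptions, and a real deployment would feed it proxy, NetFlow or Zeek exports instead.

```python
"""Flag long-lived WebSocket/TLS sessions to non-allow-listed endpoints and
appliances talking to many DoH resolvers (constructed example data)."""
from collections import defaultdict

# Constructed records: (src_ip, dst_host, app_protocol, duration_seconds).
SAMPLE_FLOWS = [
    ("10.0.0.5", "updates.example-vendor.test", "https", 45),
    ("10.0.0.5", "203.0.113.77", "websocket", 86400),   # day-long session
    ("10.0.0.5", "resolver-a.test", "doh", 12),
    ("10.0.0.5", "resolver-b.test", "doh", 9),
    ("10.0.0.5", "resolver-c.test", "doh", 11),
    ("10.0.0.9", "updates.example-vendor.test", "https", 60),
    ("10.0.0.9", "resolver-a.test", "doh", 8),
]

LONG_SESSION_S = 6 * 3600        # assumption: >= 6 h counts as long-lived
DOH_RESOLVER_THRESHOLD = 2       # assumption: > 2 distinct resolvers is odd
KNOWN_GOOD_HOSTS = {"updates.example-vendor.test"}   # constructed allow-list


def find_long_lived_sessions(flows):
    """Return (src, dst) pairs whose WebSocket/TLS session lasted at least
    LONG_SESSION_S and whose destination is not on the allow-list."""
    hits = []
    for src, dst, app, duration in flows:
        if app in ("websocket", "https") and duration >= LONG_SESSION_S \
                and dst not in KNOWN_GOOD_HOSTS:
            hits.append((src, dst))
    return hits


def find_doh_fanout(flows):
    """Return {src: sorted resolvers} for sources that queried more distinct
    DoH resolvers than DOH_RESOLVER_THRESHOLD within the record set."""
    resolvers = defaultdict(set)
    for src, dst, app, _ in flows:
        if app == "doh":
            resolvers[src].add(dst)
    return {src: sorted(r) for src, r in resolvers.items()
            if len(r) > DOH_RESOLVER_THRESHOLD}


if __name__ == "__main__":
    print("long-lived:", find_long_lived_sessions(SAMPLE_FLOWS))
    print("DoH fan-out:", find_doh_fanout(SAMPLE_FLOWS))
```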

Impact

  • Successful exploitation allows attackers to bypass authentication and gain unauthorized access to restricted resources on the network.
  • Chaining the two vulnerabilities enables unauthenticated remote attackers to execute arbitrary commands and achieve full control over the compromised Ivanti appliance.
  • Attackers can deploy persistent backdoors and webshells, ensuring long-term access to the internal network for espionage and data theft.
  • The compromise of the security gateway can serve as a launchpad for lateral movement, allowing threat actors to escalate privileges and access sensitive internal systems.

Threat Actor Attribution

The flaw, CVE-2023-46805, is particularly dangerous because it has been widely exploited by various threat actors, often chained with other vulnerabilities for greater impact. Beyond its initial use by a suspected Chinese nation-state actor tracked as UTA0178, other espionage-focused groups have also leveraged this vulnerability to gain initial access into target networks for data theft and surveillance operations.

Attackers have chained CVE-2023-46805 with CVE-2024-21887 to achieve unauthenticated remote code execution, enabling them to run arbitrary commands and take full control of the appliance. The widespread exploitation of this vulnerability has not been limited to a single group; various advanced persistent threat (APT) actors have adopted it to deploy a range of custom malware, including webshells like LIGHTWIRE and GIFTEDVISITOR, credential harvesters, and passive backdoors to ensure long-term access and facilitate lateral movement within compromised enterprise networks.

Mitigation steps

  1. Patch immediately: apply vendor patches for affected appliances.
  2. Egress control & segmentation: restrict appliance egress, require proxying for management traffic, and firewall management interfaces off the public Internet.
  3. Forensics & containment: if compromise is suspected, preserve memory and /tmp artifacts, collect running process maps and ICT statedump files, then prefer reimaging appliances over in-place cleanup where feasible.
  4. Credential hygiene: rotate management credentials, enable MFA on all management portals, and audit accounts that can reach downstream customers.
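As an added triage helper (not from the original post or any vendor tool) for step 3 above: it selects short hidden dot-files of the kind cited under host artefacts (/tmp/.i, /tmp/.r) for preservation and parses /proc/<pid>/maps text for anonymous executable regions, which in-memory loaders and process injection leave behind. The dot-file pattern and the maps excerpt are assumptions constructed for the example.

```python
"""Select suspicious hidden /tmp files and anonymous executable mappings
from a process map, so they can be preserved before reimaging."""
import os
import re

# Assumption: very short hidden names (like .i / .r) are the pattern to keep.
HIDDEN_DROPPER_RE = re.compile(r"^\.[A-Za-z0-9_]{1,3}$")

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def select_dropper_names(names):
    """Pure filter: return names matching the short hidden-file pattern."""
    return [n for n in sorted(names) if HIDDEN_DROPPER_RE.match(n)]


def find_hidden_tmp_files(tmp_dir="/tmp"):
    """I/O wrapper: return full paths of regular files in tmp_dir that match;
    copy them with timestamps intact rather than opening them in place."""
    return [os.path.join(tmp_dir, n)
            for n in select_dropper_names(os.listdir(tmp_dir))
            if os.path.isfile(os.path.join(tmp_dir, n))]


def anonymous_exec_regions(maps_text):
    """Return (start, end, perms) for executable mappings with no backing
    file or pseudo-path; these are worth recording from a live process."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        if "x" in perms and not path.strip():
            regions.append((int(start, 16), int(end, 16), perms))
    return regions


# Constructed /proc/<pid>/maps excerpt (not from a real incident).
SAMPLE_MAPS = """\
55d0c0000000-55d0c0001000 r-xp 00000000 08:01 131 /usr/bin/web
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a20000000-7f3a20005000 rwxp 00000000 00:00 0
7f3a30000000-7f3a3001d000 r-xp 00000000 08:01 200 /lib/libc.so.6
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""
```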

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.