
Introduction:
China-linked threat actor VerdantBamboo (also tracked as UNC5221, WARP PANDA, and Clay Typhoon) orchestrated a stealthy espionage campaign lasting at least 18 months by targeting network edge devices that typically lack endpoint detection and response (EDR) coverage. The attackers compromised an Egnyte Storage Sync appliance, a pfSense firewall, and a Synology NAS, using a sophisticated trio of malware—BRICKSTORM, PLENET, and AGENTPSD—to maintain persistent access, evade Conditional Access policies, and pivot into the victim’s Microsoft 365 environment.
Learning Objectives:
– Understand how APT groups exploit misconfigured Linux appliances and EDR blind spots to achieve long-term persistence.
– Learn to detect, analyze, and mitigate BRICKSTORM (Go/Rust), PLENET (.NET Core WebSocket), and AGENTPSD (Python reverse shell) implants.
– Implement defensive commands, logging configurations, and YARA rules for Linux, FreeBSD/pfSense, and Synology DSM environments.
You Should Know:
1. BRICKSTORM: The Core Backdoor Exploiting Sudo Misconfigurations on Egnyte Storage Sync
The initial breach vector was an Egnyte Storage Sync virtual machine, where attackers discovered an unintended local privilege escalation vulnerability within the device’s sudo configuration. An unprivileged “egnyteservice” account could run specific commands with root privileges, allowing the threat actor to write the BRICKSTORM payload to arbitrary system directories (such as /usr/sbin/) and schedule it for execution. BRICKSTORM is a cross-platform backdoor written primarily in Golang, with later variants compiled in Rust and capable of running on Linux, BSD, ESXi, and Windows. It provides remote command execution, SOCKS5 proxying, filesystem browsing via a web interface, and traffic tunneling.
Step-by-Step Mitigation for Linux Sudo Misconfigurations:
– Audit Sudo Privileges: On any Linux appliance (including Egnyte, custom Ubuntu/CentOS servers), run:
sudo -l -U egnyteservice
or for all users:
grep -rE '^[^#]' /etc/sudoers /etc/sudoers.d/ 2>/dev/null
– Verify Suspicious Processes and Scheduled Tasks: Check for BRICKSTORM indicators (processes masquerading as system services, unusual outbound connections to the reported C2 addresses). Note that ss prints raw peer addresses, so grepping for the string "Cloudflare" never matches; compare peers against the IoC list, or against Cloudflare's published ranges if the C2 is fronted by Cloudflare:
ss -tunap | grep -E '192\.3\.30\.159|5\.223\.58\.4'
crontab -l
ls -la /etc/cron*
– Detect BRICKSTORM Persistence: Look for modifications to system cron directories and per-user crontabs that reference the implant paths:
find /etc/cron* /var/spool/cron -type f -exec grep -lE '/usr/sbin/blocklist|/usr/local/libexec/ipsec/' {} \; 2>/dev/null
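The two checks above (sudo rights of a service account, and what cron executes) can be scripted so they run the same way on every appliance. The script below is an added example, not code from the Volexity report or from any vendor: it flags sudoers rules that let a non-root principal run file-writing or shell-capable binaries as root (the class of misconfiguration abused on the Egnyte appliance), lists every absolute path executed from cron, and reports the ones no package manager claims. The sudoers and cron contents are constructed samples; the list of "dangerous" binaries and the choice of dpkg/rpm/pkg as ownership oracles are assumptions to adjust per platform.

```shell
#!/bin/sh
# Added example, not code from the report or any vendor.
# 1) risky_sudo_entries: sudoers rules that hand root-level file writes to a service account
# 2) cron_paths: every absolute path referenced by cron entries
# 3) unowned_paths: cron-executed files that dpkg/rpm/pkg does not own
# The sudoers and cron contents below are constructed samples.

SAMPLE_SUDOERS=$(mktemp)
SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS" "$SAMPLE_CRON"' EXIT

cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not the real Egnyte configuration
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
egnyteservice ALL=(root) NOPASSWD: /bin/cp, /bin/chmod, /usr/sbin/service
backup ALL=(root) /usr/bin/rsync
EOF

cat > "$SAMPLE_CRON" <<'EOF'
# constructed sample /etc/cron.d entry
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /usr/sbin/blocklist -d
*/5 * * * * root /usr/local/libexec/ipsec/updater >/dev/null 2>&1
EOF

# Print sudoers rules where a principal other than root/%wheel/%sudo runs as
# another user and either needs no password, may run ALL, or may run a binary
# that can overwrite files or spawn a shell (assumed list: cp mv tee dd chmod chown sh bash python).
# Usage: risky_sudo_entries /etc/sudoers /etc/sudoers.d/*
risky_sudo_entries() {
    grep -hv -E '^[[:space:]]*(#|$)' "$@" 2>/dev/null \
      | grep -E '=[[:space:]]*\(' \
      | grep -v -E '^[[:space:]]*(root|%wheel|%sudo)[[:space:]]' \
      | grep -E 'NOPASSWD|ALL[[:space:]]*$|/(cp|mv|tee|dd|chmod|chown|sh|bash|python[0-9.]*)([[:space:],]|$)'
}

# Print, once each, the absolute paths referenced by cron entries
# (skips comments, VAR=value lines, the "*/5" step syntax and device nodes).
# Usage: cron_paths /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
cron_paths() {
    grep -hv -E '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$@" 2>/dev/null \
      | grep -oE '/[A-Za-z_.][A-Za-z0-9_./-]*' \
      | grep -v -E '^/dev/' \
      | sort -u
}

# Read paths on stdin; report existing regular files that dpkg, rpm or
# FreeBSD pkg does not claim, together with their modification time.
unowned_paths() {
    while IFS= read -r p; do
        [ -f "$p" ] || continue
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$p" >/dev/null 2>&1 && continue
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qf "$p" >/dev/null 2>&1 && continue
        elif command -v pkg >/dev/null 2>&1; then
            pkg which "$p" 2>/dev/null | grep -q 'was installed by package' && continue
        fi
        mtime=$(stat -c %y "$p" 2>/dev/null || stat -f %Sm "$p" 2>/dev/null)
        printf 'UNOWNED: %s (mtime %s)\n' "$p" "$mtime"
    done
}

echo "== risky sudo rules =="
risky_sudo_entries "$SAMPLE_SUDOERS"
echo "== paths executed from cron =="
cron_paths "$SAMPLE_CRON"
echo "== cron-executed files no package owns =="
cron_paths "$SAMPLE_CRON" | unowned_paths
```

On a real appliance, point `risky_sudo_entries` at `/etc/sudoers /etc/sudoers.d/*` and `cron_paths` at `/etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*`; an unowned, recently modified file under `/usr/sbin` that cron starts at `@reboot` is exactly the pattern described in this section.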
2. PLENET (GRIMBOLT): .NET Core WebSocket Backdoor on Synology NAS
After remediation efforts, VerdantBamboo regained access using stolen firewall administrative credentials lacking multi-factor authentication, enabling web SSL VPN connectivity to deploy additional malware on a Synology NAS over SSH. PLENET (also tracked as GRIMBOLT) is a cross-platform backdoor developed in .NET Core and compiled using native ahead-of-time (AOT) compilation to hinder analysis. It communicates with command-and-control (C2) infrastructure over WebSocket connections, supporting interactive shell access, remote command execution, file manipulation, and dynamic C2 server switching.
Step-by-Step Hardening for Synology NAS and pfSense:
– Enable SSH Logging and Monitor for Anomalous Access: On Synology DSM, navigate to Control Panel → Terminal & SNMP → Enable SSH service, but restrict access using firewall rules. To monitor active SSH sessions:
grep "Accepted" /var/log/auth.log
– Detect PLENET Persistence on Synology: Check for unauthorized .NET Core binaries and scheduled tasks:
ls -la /usr/syno/bin/ /var/packages/
crontab -l -u root
– Inspect pfSense Firewall for BRICKSTORM Variants: On FreeBSD-based pfSense, attackers deployed a BRICKSTORM implant named “blocklist” under the `/usr/local/libexec/ipsec/` directory and modified `/etc/rc.d/cron` to execute the implant automatically. Run:
grep -r "blocklist" /etc/rc.d/ /usr/local/etc/
3. AGENTPSD: Python-Based Fallback Reverse Shell for Persistence
AGENTPSD is a Python reverse shell packaged with PyInstaller, designed as a fallback persistence mechanism to survive disruption of the primary BRICKSTORM toolkit. Volexity’s forensic investigation revealed that AGENTPSD operated as a secondary implant, ensuring connectivity even after remediation attempts. This two-layer persistence strategy allowed VerdantBamboo to re-infiltrate the victim’s network within days of initial cleanup, using stolen credentials and VPN reconfiguration.
Step-by-Step Detection and Removal:
– Search for Packed Python Executables on Linux/BSD:
find / -path /proc -prune -o -type f -print 2>/dev/null | xargs -r file | grep -E 'Python script'
find / -path /proc -prune -o -type f -perm -u+x -print 2>/dev/null | xargs -r grep -la '_MEIPASS'
(PyInstaller bundles show up to `file` as ordinary ELF executables, so the second command looks for the `_MEIPASS` marker the PyInstaller bootloader embeds.)
– Monitor Reverse Shell Connections: Look for outbound connections to unexpected IPs:
netstat -antp | grep ESTABLISHED | grep -v ':22\|:443\|:80'
– Block Indicator Domains and IPs: Add the following IoCs to firewall rules (C2 domains: `service.systemsvcs.com`; IPs: `192.3.30.159`, `5.223.58.4`).
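The SSH-login review in section 2 and the connection check above are both a matter of comparing live data against a short list. The script below is an added example, not code from the report: it prints accepted sshd logins whose source lies outside the management networks, and filters an `ss -tunap` / `netstat -antp` table down to rows whose peer is one of the C2 addresses listed in this post. The log lines and connection rows are constructed samples, and the management prefixes (matched as plain string prefixes, not CIDR) are an assumption to adjust per site.

```shell
#!/bin/sh
# Added example, not code from the report or any vendor.
# foreign_ssh_logins: sshd "Accepted" events from outside the admin networks
# ioc_connections:   connection-table rows whose peer is a known C2 address
# Log lines and connection rows below are constructed samples.

IOC_IPS="192.3.30.159 5.223.58.4"     # C2 addresses as published in this post
ADMIN_PREFIXES="10.0.0. 192.168.1."   # assumed management subnets, plain prefix match

# Usage: foreign_ssh_logins /var/log/auth.log ...
# Prints sshd "Accepted" lines whose peer IP does not start with an admin prefix.
foreign_ssh_logins() {
    grep -h 'sshd\[[0-9]*\]: Accepted ' "$@" 2>/dev/null | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p')
        [ -n "$ip" ] || continue
        ok=0
        for pfx in $ADMIN_PREFIXES; do
            case "$ip" in "$pfx"*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$line"
    done
}

# Usage: ss -tunap | ioc_connections      (or: netstat -antp | ioc_connections)
# Builds an alternation of the IoC IPs (dots escaped) and keeps rows where one
# of them appears as a peer "ip:port" column, whatever the port.
ioc_connections() {
    pattern=$(printf '%s|' $IOC_IPS | sed 's/\./\\./g; s/|$//')
    grep -E "(^|[[:space:]])($pattern):[0-9]+"
}

SAMPLE_AUTH=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH"' EXIT
cat > "$SAMPLE_AUTH" <<'EOF'
Mar  3 02:14:07 nas sshd[2210]: Accepted password for admin from 192.168.1.20 port 51324 ssh2
Mar  3 03:41:52 nas sshd[2391]: Accepted publickey for admin from 203.0.113.77 port 40022 ssh2
Mar  3 03:42:10 nas sshd[2395]: Failed password for root from 203.0.113.77 port 40030 ssh2
EOF

# constructed rows in ss -tunap layout (local column first, then peer)
SAMPLE_CONNS='tcp ESTAB 0 0 10.0.0.5:44122 5.223.58.4:443 users:(("blocklist",pid=1337,fd=3))
tcp ESTAB 0 0 10.0.0.5:51010 203.0.113.9:443 users:(("sshd",pid=800,fd=5))'

echo "== SSH logins from outside the admin networks =="
foreign_ssh_logins "$SAMPLE_AUTH"
echo "== connections to known C2 addresses =="
printf '%s\n' "$SAMPLE_CONNS" | ioc_connections
```

Because `ioc_connections` anchors on the peer column, the local address can never produce a false hit, and the process name in the last column tells you immediately which binary (here the constructed `blocklist` row) owns the suspicious socket.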
4. MSP Supply Chain Compromise and Conditional Access Evasion
VerdantBamboo compromised the victim’s Managed Services Provider (MSP) first, infecting its pfSense firewall with a BSD variant of BRICKSTORM at least 18 months prior to detection. This supply chain vector allowed the threat actor to use stolen MSP credentials to access the primary victim’s Microsoft 365 environment, bypassing the organization’s own identity controls entirely. Once inside, the attackers leveraged BRICKSTORM’s proxying capabilities to blend malicious activity with legitimate network traffic, effectively evading Conditional Access policies that would have otherwise restricted unauthorized logins.
Step-by-Step Hardening for M365 Conditional Access:
– Enforce Multi-Factor Authentication (MFA) on All Admin Accounts:
# Azure AD PowerShell: require MFA for all cloud apps. $conditions (Applications.IncludeApplications = "All", Users.IncludeRoles = admin role IDs) and $controls (BuiltInControls = "mfa") must be built first; the cmdlet rejects a policy without them.
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA for Admins" -State "enabled" -Conditions $conditions -GrantControls $controls
– Monitor for Anomalous Proxy Logins: Use Microsoft 365 unified audit log to detect logins from unexpected IPs or trusted appliances:
Search-UnifiedAuditLog -Operations "UserLoggedIn" -StartDate "09/01/2025" -EndDate (Get-Date) -ResultSize 5000 | ForEach-Object { $_.AuditData | ConvertFrom-Json } | Where-Object { $_.ClientIP -in @("192.3.30.159", "5.223.58.4") }
(Both -StartDate and -EndDate are required, and ClientIP lives inside the AuditData JSON, so the records are expanded before filtering.)
– Restrict Legacy Authentication and VPN Access: Disable web SSL VPN administrative interfaces from public exposure unless absolutely necessary, and enforce certificate-based authentication.
5. Live Forensics: YARA Rules and Memory Analysis for BRICKSTORM Variants
CISA and Mandiant have released YARA rules to detect BRICKSTORM across ESXi, Linux, and Windows environments. Given that newer variants are compiled with .NET Native AOT (PLENET) or rewritten in Rust (BRICKSTORM), defenders should focus on binary analysis and memory scanning rather than signature-based detection alone.
Step-by-Step YARA Scanning and Memory Acquisition:
– Run YARA Rules Against Suspicious Binaries:
yara -r brickstorm_rules.yar /usr/sbin/ /usr/local/bin/
– Capture Memory of Running Processes (Linux): Record the process's memory map, then dump the range of interest (<PID>, <START_ADDR> and <END_ADDR> are placeholders; take the addresses from memory_map.txt):
cat /proc/<PID>/maps > memory_map.txt
gdb -p <PID> -batch -ex "dump memory mem.dump <START_ADDR> <END_ADDR>"
– FreeBSD/pfSense Memory Acquisition: Use the `memguard` utility or perform a live forensic triage:
strings /dev/mem | grep -E 'BRICKSTORM|PLENET|AGENTPSD'
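Hand-copying address ranges out of `/proc/<PID>/maps` into `dump memory` commands is error-prone when a process has dozens of mappings. The script below is an added example, not code from the report or from CISA/Mandiant: it parses a maps file, selects the writable private mappings (heap, anonymous regions and the writable data of the main binary, where an implant's configuration and any unpacked code normally sit), and emits a gdb batch script that dumps each region to its own file, ready for the YARA scan above. The maps content is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the report or any vendor.
# writable_regions: "start end label" for every rw-p mapping in a /proc/<pid>/maps file
# gdb_dump_script:  gdb batch commands that dump each such region to <outdir>/region_NNN_<start>_<end>.bin
# The maps content below is a constructed sample.

# Usage: writable_regions < /proc/<pid>/maps
# Fields in maps: range perms offset dev inode [path]; anonymous mappings have no path.
writable_regions() {
    awk '$2 ~ /^rw.p$/ && $6 !~ /\[(vdso|vvar|vsyscall)\]/ {
            split($1, a, "-");
            label = ($6 == "") ? "[anon]" : $6;
            print "0x" a[1], "0x" a[2], label
         }'
}

# Usage: gdb_dump_script <outdir> < /proc/<pid>/maps > dump.gdb
# Then:  mkdir -p <outdir> && gdb -p <pid> -batch -x dump.gdb
gdb_dump_script() {
    outdir=$1
    n=0
    writable_regions | while read -r start end label; do
        n=$((n + 1))
        printf 'dump memory %s/region_%03d_%s_%s.bin %s %s\n' \
            "$outdir" "$n" "$start" "$end" "$start" "$end"
    done
}

# constructed /proc/<pid>/maps excerpt for a process running the implant path from this post
SAMPLE_MAPS='5581d3a00000-5581d3a1c000 r--p 00000000 fd:01 1835 /usr/sbin/blocklist
5581d3a1c000-5581d3b40000 r-xp 0001c000 fd:01 1835 /usr/sbin/blocklist
5581d3b80000-5581d3b90000 rw-p 00180000 fd:01 1835 /usr/sbin/blocklist
5581d5200000-5581d5221000 rw-p 00000000 00:00 0     [heap]
7f3c2a000000-7f3c2a021000 rw-p 00000000 00:00 0
7ffd1e3f0000-7ffd1e3f2000 r--p 00000000 00:00 0     [vvar]
7ffd1e3f2000-7ffd1e3f4000 r-xp 00000000 00:00 0     [vdso]'

echo "== writable private regions =="
printf '%s\n' "$SAMPLE_MAPS" | writable_regions
echo "== gdb batch script =="
printf '%s\n' "$SAMPLE_MAPS" | gdb_dump_script /tmp/mem_dumps
```

After the dump, `yara -r brickstorm_rules.yar /tmp/mem_dumps` and `strings -a /tmp/mem_dumps/*.bin | grep -E 'ws://|wss://|service\.systemsvcs\.com'` cover the in-memory state that a scan of the on-disk binary misses, which matters for the AOT-compiled and Rust variants the section describes.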
What Undercode Say:
– EDR is not a silver bullet: VerdantBamboo deliberately targeted Linux-based network appliances (Egnyte, pfSense, Synology) that rarely host EDR agents, proving that perimeter devices must be included in threat-hunting scope.
– Supply chain attacks are the new norm: The MSP compromise enabled an 18-month dwell time and post-remediation re-infiltration. Organizations must enforce zero-trust principles, including mandatory MFA for all third-party access and continuous monitoring of VPN configurations.
Prediction:
– Nation-state APTs will increasingly weaponize .NET Native AOT and Rust cross-platform compilers to build EDR-evading, architecture-agnostic implants, making binary analysis and signature detection obsolete within 12–18 months.
– The public disclosure of BRICKSTORM, PLENET, and AGENTPSD IoCs will prompt rapid vendor patching (e.g., Egnyte Storage Sync version 13.13) and widespread adoption of EDR solutions for network appliances, though adoption gaps will remain for smaller MSPs.
– The 18-month undetected access window highlights systemic failures in identity governance—Conditional Access policies remain vulnerable to proxy-based evasion unless organizations enforce continuous access evaluation and anomaly detection on trusted internal systems.
IT/Security Reporter URL:
Reported By: [Mohit Hackernews](https://www.linkedin.com/posts/mohit-hackernews_linux-share-7469697433585786880-t0LJ/) – Hackers Feeds