vSphere and BRICKSTORM Malware: A Defender's Guide
Strategic Summary
BRICKSTORM malware uses vCenter for persistence via local accounts and backdoors; multi-factor authentication and real-time monitoring of SSO actions are critical mitigations for manufacturing operational continuity.
Full text
Title: vSphere and BRICKSTORM Malware: A Defender's Guide
URL Source: https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/
Published Time: 2026-04-02
# vSphere and BRICKSTORM Malware: A Defender's Guide
[… 62,061 characters omitted — next zone: keyword-dense paragraphs …]
| STIG ID | Control Title | TTP | Detail |
|---|---|---|---|
| [V-258910](https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258910) | Require Multi-factor authentication (MFA) | Establish Foothold / Privilege Escalation | MFA on vCenter web login prevents compromised Active Directory credentials from granting full access. |
| [V-256337](https://www.stigviewer.com/stigs/vmware_vsphere_70_vcenter/2023-12-21/finding/V-256337) | Real-time Alert on SSO Account Actions | Persistence / Anti-Forensics | The actor creates local accounts, deploys backdoors, and deletes the accounts within minutes. Real-time alerting on PrincipalManagement events is required to catch this activity. |
| [V-258921](https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258921) | Verify User Roles (Least Privilege) | Data Exfiltration | Identifies and removes excessive permissions from standard user roles that are aggregated into non-admin roles. |
| [V-258956](https://stigviewer.cyberprotection.com/stigs/vmware_vsphere_8.0_vcenter/2025-06-09/finding/V-258956) | Limit membership to "BashShellAdministrators" | Escalate Privileges | Even if an attacker compromises a vSphere Admin account, they cannot access the Photon OS bash shell unless that account is in this specific single sign-on (SSO) group. It blocks the "VAMI-to-Shell" pivot used to deploy backdoors. |
| [V-258968](https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258968) | Disable SSH Enablement | Initial Access | Actors often use the VAMI (Port 5480) to enable SSH before deploying the backdoor. This control ensures that SSH is "Disabled." |
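Added example (not code from the original post or from VMware) of the real-time detection the V-256337 row calls for: it parses a constructed, simplified key=value feed of SSO PrincipalManagement events and flags local accounts deleted within minutes of creation, also noting whether the account was placed in BashShellAdministrators while it existed (the V-258956 group). The action names, field names and line format are assumptions; map them to the events your SIEM actually receives from vCenter.

```python
"""Flag short-lived vCenter SSO local accounts (created, then deleted within minutes).

Added example, not from the original post. The line format and action names are a
CONSTRUCTED simplification of SSO PrincipalManagement events, not real vCenter output.
"""
import re
from datetime import datetime

# Constructed sample events: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-04-02T08:00:10Z actor=administrator@vsphere.local action=CreateLocalPersonUser principal=svc_backup
2026-04-02T08:01:45Z actor=administrator@vsphere.local action=AddUsersToLocalGroup principal=svc_backup group=BashShellAdministrators
2026-04-02T08:07:30Z actor=administrator@vsphere.local action=DeleteLocalPrincipal principal=svc_backup
2026-04-02T09:15:00Z actor=ops@corp.example action=CreateLocalPersonUser principal=monitoring
2026-04-02T12:30:00Z actor=ops@corp.example action=DeleteLocalPrincipal principal=monitoring
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_events(text):
    """Parse constructed key=value event lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ev = dict(kv.split("=", 1) for kv in m.group("fields").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_short_lived_accounts(events, window_seconds=900):
    """Return (principal, actor, lifetime_seconds, in_shell_group) for each local account
    deleted within window_seconds of its creation. in_shell_group is True when the account
    was added to BashShellAdministrators between creation and deletion."""
    created = {}   # principal -> creation event still awaiting a matching delete
    shell = set()  # principals currently granted the bash shell admin group
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = ev.get("principal")
        if ev["action"] == "CreateLocalPersonUser":
            created[p] = ev
        elif ev["action"] == "AddUsersToLocalGroup" and ev.get("group") == "BashShellAdministrators":
            shell.add(p)
        elif ev["action"] == "DeleteLocalPrincipal" and p in created:
            life = (ev["ts"] - created.pop(p)["ts"]).total_seconds()
            if life <= window_seconds:
                hits.append((p, ev["actor"], int(life), p in shell))
            shell.discard(p)
    return hits
```

The legitimate `monitoring` account lives over three hours and is not flagged at the default 15-minute window; widening the window trades noise for coverage.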
* **Technical Hardening:** Def […]
[… 61,342 characters omitted — next zone: tail …]