#UNC5221

2025-10-06

📢 BRICKSTORM: a backdoor attributed to UNC5221 targets US organizations via network appliances and zero-days
📝 According to PolySwarm (report Threats and Vulne...
📖 cyberveille: cyberveille.ch/posts/2025-10-0
🌐 source: blog.polyswarm.io/brickstorm-t
#BRICKSTORM #UNC5221 #Cyberveille

2025-09-25

Google: China-linked hackers (#UNC5221) are targeting US SaaS and tech firms using the new BRICKSTORM malware, exploiting zero-day flaws, Mandiant has found.

Read: hackread.com/china-hackers-hit

#CyberSecurity #BRICKSTORM #0Day #InfoSec #APT #CyberAttack

Benjamin Carr, Ph.D. 👨🏻‍💻🧬BenjaminHCCarr@hachyderm.io
2025-09-24

#Google warns #China-linked spies lurking in 'numerous' #enterprises
Since March, Google's #Mandiant #incidentresponse team has responded to these #UNC5221-related break-ins across legal, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology companies. They were found to deploy #backdoors, providing access for their long-term IP and other sensitive data stealing missions, all the while remaining undetected on average for 393 days!
theregister.com/2025/09/24/goo

2025-09-24

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
#BRICKSTORM #UNC5221
cloud.google.com/blog/topics/t

"Infrastructure risks have also been prominent, w/vulnerabilities in ASUS routers & critical ICS devices from Schneider Electric & Yokogawa exposing sectors like #energy & manufacturing to..." digitalfrontierpartners.com.au/news/latest-... RU #APT29 Android #NFC China #UNC5221 #SNOWLIGHT #TONESHELL

Latest Sophisticated Attacks a...

[10:59] Chinese Brickstorm espionage malware discovered on Windows systems

Cybersecurity specialist Nviso has discovered a new variant of the Brickstorm malware. The malicious software is linked to the Chinese espionage group UNC5221...

computable.nl/2025/04/15/chine

#CybersecurityspecialistNvisoheefteennieuwe #vandeBrickstorm_malware #aande #UNC5221

2025-04-15

👀 Freshly published analysis of BRICKSTORM backdoor samples, now on Windows, identified in a multi-year espionage campaign attributed to the PRC: nviso.eu/blog/nviso-analyzes-b

#threatintel #backdoor #unc5221

2025-04-03

UNC5221 just turned a hidden flaw in Ivanti Connect Secure into a cyber heist—using zero-day exploits and stealth malware to breach critical systems. Could your network be the next target?

thedefendopsdiaries.com/unc522

#unc5221
#ivanti
#cybersecurity
#zeroday
#malware

2025-04-03

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
#CVE_2025_22457 #UNC5221 #TRAILBLAZE #BRUSHFIRE #SPAWNSNARE #SPAWNWAVE
cloud.google.com/blog/topics/t

2024-04-04

I buried the lede in not mentioning that UNC5291 is assessed with medium confidence to be associated with Volt Typhoon, a Chinese state-sponsored Advanced Persistent Threat (APT).  See related The Record reporting: Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

2024-04-04

Mandiant releases part 4 of the Ivanti Connect Secure incident response investigation. They detail different types of post-exploitation activity across their IR engagements. Chinese threat actors have a growing knowledge of Ivanti Connect Secure in abusing appliance-specific functionality to perform actions on objective. They highlight FIVE Chinese threat actors: UNC5221, UNC5266, UNC5330, UNC5337, and UNC5291 abusing a mix of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. New TTPs, new malware families and new IOC: 🔗 cloud.google.com/blog/topics/t

EDIT: For your situational awareness, it's my understanding that future Mandiant articles will be located at cloud.google.com/blog/topics/t

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

🛡 H3lium@infosec.exchange/:~# H3liumb0y@infosec.exchange
2024-01-16

"🚨 Ivanti VPN Zero-Day Exploits Unleash Global Cyber Onslaught 🚨"

🔒 Two zero-day vulnerabilities in Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances are facing mass exploitation. Discovered by Volexity, the CVE-2023-46805 and CVE-2024-21887 vulnerabilities enable widespread attacks, impacting businesses of all sizes worldwide, including Fortune 500 companies. The GIFTEDVISITOR webshell variant is used to backdoor systems, indicating a serious threat level.

Ivanti hasn't released patches yet. Administrators are advised to apply vendor-provided mitigation measures and use Ivanti's Integrity Checker Tool. All data on compromised ICS VPN appliances should be considered at risk. Amid these attacks, suspected Chinese state-backed actors (UTA0178 or UNC5221) are notably active, with Mandiant identifying five custom malware strains targeting breached systems.

These include Zipline Passive Backdoor, Thinspool Dropper, Wirefire and Lightwire web shells, Warpwire harvester, PySoxy tunneler, BusyBox, and Thinspool utility. Particularly alarming is Zipline, which intercepts network traffic and supports various malicious activities.

Stay vigilant and prioritize immediate protective actions!

🔗 Source: BleepingComputer - Sergiu Gatlan

Tags: #CyberSecurity #ZeroDay #IvantiVPN #CVE202346805 #CVE202421887 #APT #UTA0178 #UNC5221 #Malware #Webshell #Volexity #Mandiant #NetworkSecurity #InfoSec🛡️🌍👾
