Beyond Endpoints: How BRICKSTORM Exposed Security Blind Spots by Lucie Cardiet
ID: b029d280-031c-5624-aeef-caf419a6708d
STIX ID: report--b029d280-031c-5624-aeef-caf419a6708d
Feed Name: Vectra AI Blog
UNC5221’s BRICKSTORM is a highly sophisticated espionage campaign that implants custom backdoors on edge appliances (VPN gateways, firewalls, VMware vCenter) to remain undetected for ~400 days, pivot to identity systems (cloning domain controllers, siphoning vCenter admin credentials, registering rogue M365 apps), and expand impact via compromised service providers; the report urges a shift from IOC/signature detection to behavior-based, cross-domain monitoring to close these visibility gaps.
