WARP PANDA Targets U.S. and Asia Pacific Using BRICKSTORM, vCenter, ESXi and Stolen 365 Tokens to Reach Virtual Machines

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Key Takeaways

CrowdStrike researchers identified cyber-espionage activity by WARP PANDA, a group that gains access to virtualization infrastructure. It has been targeting U.S. and Asia-Pacific entities through the VMware environments of several corporate networks.

WARP PANDA has targeted organizations in the technology, manufacturing and legal sectors and has compromised ESXi hosts. The campaign revolves around VMware vCenter servers, the management layer that controls the virtual machines.

WARP PANDA Intrusion Technique

Intrusions begin with the exploitation of internet-facing devices that run vulnerable enterprise software. The operators then reach vCenter using valid accounts or unpatched vCenter vulnerabilities, take control of it, and only then deploy their other tools.

The group collects sensitive data from thin-provisioned VM snapshots and stages it for exfiltration. It clones domain controller virtual machines and extracts identity data from the clones, then uses that access to reach email accounts tied to engineering and incident-response staff.

WARP PANDA relies on stealthy OPSEC techniques, including log clearing, timestomping and deploying unregistered virtual machines that are shut down after use.

How WARP PANDA Compromises Networks

The group deploys the BRICKSTORM backdoor, which masquerades as a legitimate vCenter process to avoid detection, and installs Junction, an ESXi implant that provides command execution and traffic proxying.

BRICKSTORM's command-and-control infrastructure sits behind Cloudflare, and the group has used Cloudflare Workers and Heroku for C2 communications.

GuestConduit runs inside guest VMs and tunnels traffic through them. JSP web shells provide persistent access across the VMware layers.

The operators create hidden, unregistered virtual machines for their activity, then erase logs and alter file timestamps to obscure the intrusion timeline. They move between hosts over SSH and transfer files with SFTP tools.
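Two of the behaviours above leave artifacts a defender can hunt for: the cloning or snapshotting of domain controller VMs described under the intrusion technique, and the unregistered VMs described here. The script below is an added example, not code from the article or from CrowdStrike. It runs over constructed sample data: simplified vCenter event records, and the text a responder would collect on an ESXi host from `vim-cmd vmsvc/getallvms` (registered VMs) and `find /vmfs/volumes/<datastore> -name '*.vmx'` (VM config files actually on disk). The event field names, the datastore name and the VM names are assumptions for illustration.

```python
"""Hunting checks for the vCenter/ESXi tradecraft described above.

Added example; not the article's or CrowdStrike's code. All inputs are
constructed samples. Event fields are a simplified vSphere event shape and
the datastore/VM names are assumptions.
"""
import re

# (a) Constructed vCenter event records (simplified vSphere event shape).
VCENTER_EVENTS = [
    {"eventTypeId": "VmClonedEvent", "vm": "DC01", "destVm": "DC01-clone",
     "userName": "VSPHERE.LOCAL\\svc-backup", "createdTime": "2024-03-02T01:12:40Z"},
    {"eventTypeId": "TaskEvent", "info": {"name": "CreateSnapshot_Task"},
     "vm": "FILESRV02", "userName": "VSPHERE.LOCAL\\admin",
     "createdTime": "2024-03-02T01:20:05Z"},
    {"eventTypeId": "VmClonedEvent", "vm": "WEB03", "destVm": "WEB03-test",
     "userName": "VSPHERE.LOCAL\\admin", "createdTime": "2024-03-02T09:00:00Z"},
]

# VMs that hold identity data; in practice take this from inventory or tags.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def suspicious_dc_operations(events, dc_names=DOMAIN_CONTROLLERS):
    """Return clone or snapshot events that touch a domain-controller VM.

    A clone of a DC is the step that lets an attacker read identity data
    offline, so every such event deserves a ticket, whoever ran it.
    """
    hits = []
    for ev in events:
        is_clone = ev.get("eventTypeId") == "VmClonedEvent"
        is_snapshot = (ev.get("eventTypeId") == "TaskEvent"
                       and "Snapshot" in ev.get("info", {}).get("name", ""))
        if (is_clone or is_snapshot) and ev.get("vm") in dc_names:
            hits.append((ev["createdTime"], ev["userName"],
                         ev["eventTypeId"], ev["vm"]))
    return hits


# (b) Constructed output of `vim-cmd vmsvc/getallvms` on one ESXi host ...
GETALLVMS_OUTPUT = """\
Vmid   Name    File                              Guest OS                Version
1      DC01    [datastore1] DC01/DC01.vmx        windows9Server64Guest   vmx-19
5      WEB03   [datastore1] WEB03/WEB03.vmx      windows9Server64Guest   vmx-19
"""

# ... and of `find /vmfs/volumes/datastore1 -name '*.vmx'` on the same host.
FIND_VMX_OUTPUT = """\
/vmfs/volumes/datastore1/DC01/DC01.vmx
/vmfs/volumes/datastore1/WEB03/WEB03.vmx
/vmfs/volumes/datastore1/.hidden/svchost/svchost.vmx
"""


def registered_vmx_paths(getallvms_text):
    """Turn each '[datastore] dir/file.vmx' cell into a /vmfs/volumes path."""
    paths = set()
    for m in re.finditer(r"\[(\S+)\]\s+(\S+\.vmx)", getallvms_text):
        paths.add(f"/vmfs/volumes/{m.group(1)}/{m.group(2)}")
    return paths


def unregistered_vms(getallvms_text, find_text):
    """VMX files present on the datastore that the host does not list as
    registered VMs. A VM that was registered, used and unregistered again
    leaves exactly this trace until its files are deleted."""
    on_disk = {ln.strip() for ln in find_text.splitlines() if ln.strip()}
    return sorted(on_disk - registered_vmx_paths(getallvms_text))


if __name__ == "__main__":
    for hit in suspicious_dc_operations(VCENTER_EVENTS):
        print("DC clone/snapshot:", hit)
    for path in unregistered_vms(GETALLVMS_OUTPUT, FIND_VMX_OUTPUT):
        print("unregistered VMX on disk:", path)
```

Two caveats when running the real commands: `find` follows the `/vmfs/volumes/<name>` symlink and prints name-based paths, whereas some tooling prints the UUID directory, so normalize both sides to the same form before diffing; and a VM that is merely powered off is still registered, so it does not show up here, which is what makes the check specific to the unregister-after-use pattern.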

Cloud Account Intrusions

WARP PANDA accessed Azure and Microsoft 365 using stolen login session tokens and tunneled the cloud traffic through BRICKSTORM implants.

The CrowdStrike blog noted that the group downloaded SharePoint documents and internal cloud files. Attacker-controlled MFA devices were registered on the compromised accounts to maintain long-term cloud access.
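A replayed session token produces no fresh interactive sign-in, so the most reliable signal of the persistence step above is the MFA-method registration itself, judged against where that user normally signs in from. The script below is an added example, not the article's or CrowdStrike's code. It runs over constructed records in a simplified form of the Microsoft Entra directory-audit shape (`activityDisplayName`, `initiatedBy.user.ipAddress`, `targetResources`, `resultReason`); the corporate IP ranges, the baseline sign-in set and the user names are assumptions.

```python
"""Flag security-info (MFA method) registrations that look attacker-driven.

Added example; not the article's or CrowdStrike's code. Records, IP ranges
and user names are constructed; the record shape is a simplified Entra
directory-audit layout and the field names are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed corporate egress ranges (documentation prefixes).
CORPORATE_RANGES = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed prior interactive sign-ins: (user, source IP) seen before the window.
BASELINE_SIGNINS = [
    ("alice@example.com", "203.0.113.10"),
    ("bob@example.com", "203.0.113.22"),
    ("bob@example.com", "198.51.100.5"),
]

# Constructed audit-log records.
AUDIT_RECORDS = [
    {"activityDateTime": "2024-03-03T02:14:00Z",
     "activityDisplayName": "User registered security info",
     "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com",
                              "ipAddress": "192.0.2.77"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"activityDateTime": "2024-03-03T09:30:00Z",
     "activityDisplayName": "User registered security info",
     "resultReason": "User registered Mobile Phone SMS",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com",
                              "ipAddress": "198.51.100.5"}},
     "targetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"activityDateTime": "2024-03-03T10:02:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                              "ipAddress": "203.0.113.5"}},
     "targetResources": [{"userPrincipalName": "carol@example.com"}]},
]


def in_corporate_ranges(ip):
    """True when the address falls inside an assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def baseline_ips(signins):
    """Map each user to the set of source IPs seen in prior sign-ins."""
    seen = defaultdict(set)
    for user, ip in signins:
        seen[user].add(ip)
    return seen


def flag_mfa_registrations(records, signins, corporate_check=in_corporate_ranges):
    """Return (time, target user, ip, method, reasons) for every security-info
    registration that came from outside corporate ranges, from an IP never
    seen in the target's baseline sign-ins, or from a different principal."""
    seen = baseline_ips(signins)
    flagged = []
    for rec in records:
        if rec.get("activityDisplayName") != "User registered security info":
            continue
        actor = rec["initiatedBy"]["user"]
        ip = actor["ipAddress"]
        target = rec["targetResources"][0]["userPrincipalName"]
        reasons = []
        if not corporate_check(ip):
            reasons.append("ip outside corporate ranges")
        if ip not in seen.get(target, set()):
            reasons.append("ip not in user's baseline sign-ins")
        if actor["userPrincipalName"] != target:
            reasons.append("registered by a different principal")
        if reasons:
            flagged.append((rec["activityDateTime"], target, ip,
                            rec.get("resultReason", ""), tuple(reasons)))
    return flagged


if __name__ == "__main__":
    for row in flag_mfa_registrations(AUDIT_RECORDS, BASELINE_SIGNINS):
        print("suspicious MFA registration:", row)
```

The baseline comes from sign-ins recorded before the suspected compromise window, not from the window itself, because a stolen token lets the attacker's own IP appear in recent activity. A registration that passes all three checks is not proof of innocence; it only means the event looks like the user's usual environment, which is exactly what a pre-positioned token from the victim's own network would also look like.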

The group also targeted government entities in North America and the Asia-Pacific region; control of vCenter and ESXi gave it privileged access to those environments.

Control of vCenter gives the attacker a single point from which to manage many virtual machines, while access to the ESXi hosts lets them read VM disks, run implants and hide traffic. Together these give long-term, covert control over entire networks.

Investigators assess that WARP PANDA will continue its espionage operations. Its capabilities reflect deep knowledge of virtualization and cloud platforms, and its activity suggests a well-resourced group aligned with strategic intelligence goals.
