Securing vSphere Against BRICKSTORM: A Comprehensive Hardening Guide

Overview

Recent research from Google Threat Intelligence Group (GTIG) on the BRICKSTORM activity cluster has highlighted a significant shift in adversary focus: targeting the virtualization layer directly. Unlike traditional attacks that compromise guest operating systems, BRICKSTORM operations aim to establish persistence within the VMware vSphere ecosystem—specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. By operating below the guest OS, attackers bypass standard endpoint detection and response (EDR) solutions, exploiting a critical visibility gap.

Source: www.mandiant.com

This guide provides a structured, infrastructure-centric defense approach. It does not assume a software vulnerability; instead, it addresses the root causes: weak identity and access management, misconfigured defaults, and insufficient monitoring at the control plane. By following these steps, organizations can transform the vSphere environment into a hardened, observable fortress against threats like BRICKSTORM. Additional automation is available via the Mandiant vCenter Hardening Script, which enforces these configurations at the Photon Linux layer.

Prerequisites

Before implementing the hardening measures, ensure the following are in place:

  • Administrative access to vCenter Server Appliance (VCSA) and ESXi hosts.
  • SSH access to the VCSA (temporarily enabled during configuration).
  • Backup of the VCSA configuration and all virtual machines.
  • Understanding of your current identity provider (Active Directory, LDAP, or local accounts).
  • Network segmentation plan for management and workload traffic.
  • Logging infrastructure (e.g., SIEM) ready to receive forwarded logs.

Step-by-Step Hardening Instructions

1. Strengthen Identity and Access Management

Attackers often exploit weak authentication and excessive privileges. Begin by auditing all accounts with administrative access to vCenter and ESXi.

  1. Remove or rename default accounts such as administrator@vsphere.local and root. Create new, dedicated service accounts with minimal necessary rights.
  2. Enforce multi-factor authentication (MFA) for all administrative access. vCenter supports integration with ADFS, Okta, or Smart Card authentication.
  3. Enable Active Directory (AD) integration and delegate admin roles via AD groups rather than local accounts. Use the principle of least privilege: e.g., assign the ‘ReadOnly’ role to monitoring accounts.
  4. Audit and revoke unused permissions regularly. Use the vSphere Permissions report or PowerCLI scripts to identify stale accounts.

Example PowerCLI snippet to list permissions:

Get-VIPermission | Select-Object Entity, Principal, Role

2. Harden Network Segmentation and Access

The management network (VCSA and ESXi) must be isolated from production workloads and user access.

  1. Place VCSA on a dedicated management VLAN with strict firewall rules allowing only necessary IPs (e.g., jump hosts) to connect via ports 443, 22 (if needed), 903, 5480.
  2. Disable SSH on ESXi hosts when not actively configuring them. Use the DCUI (Direct Console User Interface) for local console access only.
  3. Restrict vCenter’s web interface to internal management stations. Consider a reverse proxy if remote access is required.
  4. Use AppDefense or NSX micro-segmentation to isolate virtual machines from each other, reducing lateral movement.

3. Harden the Photon OS Layer

The VCSA runs on Photon Linux, which often comes with insecure defaults. Mandiant’s script automates many steps, but manual verification is important.

  1. Update the system regularly via tdnf update or configure automatic updates for critical patches.
  2. Remove unnecessary packages and services. For example, disable the vmware-syslog service if you forward logs elsewhere.
  3. Configure the host firewall (iptables) to only allow necessary inbound traffic. Example: allow only HTTPS and SSH from specific source IPs.
  4. Enforce strong password policies for local accounts through /etc/security/pwquality.conf.
  5. Enable audit logging (auditd) to track system calls and modifications. Forward logs to a central SIEM.

Manual check for open ports:

netstat -tulpn | grep LISTEN

4. Implement Comprehensive Logging and Monitoring

Visibility into the control plane is critical. BRICKSTORM operators rely on the gap where EDR agents do not run.

  1. Enable vCenter and ESXi audit logs: In vCenter, go to Administration > Server Configuration > vCenter Server Settings > Logging. Set to “Info” or “Verbose”.
  2. Forward logs to a SIEM: Configure vCenter to send Syslog messages to your SIEM. Use the vSphere Web Client: vCenter > Configure > General > Syslog.
  3. Monitor for specific IOCs: Track unusual root logins, changes to ESXi host settings, or modifications to VM configuration files (e.g., .vmx files).
  4. Set up alerts for suspicious activities: creation of new VMs by unauthorized users, deletion of snapshots, or disabling of logging.

Example syslog forwarder config in VCSA via SSH:

# A single "@" forwards over UDP; use "@@your-siem-server:514" for TCP delivery.
echo "*.* @your-siem-server:514" >> /etc/rsyslog.conf
rsyslogd -N1   # syntax-check the configuration before restarting
systemctl restart rsyslog
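The alert conditions listed in step 4 (root logins from outside the management network, .vmx modifications, snapshot deletion, log forwarding being switched off, VM creation by unapproved principals) can be turned into detection logic once the forwarded lines reach the SIEM. The example below is added here and is not part of the original guide or any Mandiant tooling; the log lines are constructed in a simplified layout rather than real vCenter/ESXi syslog output, and the management subnet and approved-creator list are assumed values.

```python
import ipaddress
import re

# Constructed sample lines in a simplified "<host> <process>: <message>" layout.
# They are NOT real vCenter/ESXi syslog output; the wording is illustrative only.
SAMPLE_LOGS = [
    "esxi01 auth: root logged in from 10.10.20.5",
    "esxi01 auth: root logged in from 203.0.113.7",
    "esxi02 hostd: file modified /vmfs/volumes/ds1/web01/web01.vmx by root",
    "vcsa01 vpxd: snapshot removed on vm db01 by jdoe@corp.local",
    "esxi02 hostd: Syslog.global.logHost changed to ''",
    "vcsa01 vpxd: vm created app03 by svc-backup@vsphere.local",
    "vcsa01 vpxd: vm created app04 by vi-admins@corp.local",
]

# Assumed environment facts: the only network root may log in from (jump hosts)
# and the principals allowed to create VMs. Adjust both to the real environment.
MGMT_NET = ipaddress.ip_network("10.10.20.0/24")
VM_CREATORS = {"vi-admins@corp.local"}

ROOT_LOGIN = re.compile(r"\broot logged in from (\S+)")
VMX_CHANGE = re.compile(r"file modified (\S+\.vmx)")
LOGHOST_CHANGE = re.compile(r"Syslog\.global\.logHost changed to '(.*)'")
SNAPSHOT_DEL = re.compile(r"snapshot removed on vm (\S+) by (\S+)")
VM_CREATE = re.compile(r"vm created (\S+) by (\S+)")


def detect(lines):
    """Return (rule_name, line) for every line matching one of the guide's alert cases."""
    alerts = []
    for line in lines:
        if m := ROOT_LOGIN.search(line):
            # Root logins are expected only from the management network.
            if ipaddress.ip_address(m.group(1)) not in MGMT_NET:
                alerts.append(("root_login_outside_mgmt", line))
        elif VMX_CHANGE.search(line):
            alerts.append(("vmx_modified", line))
        elif m := LOGHOST_CHANGE.search(line):
            # An empty logHost means the host stopped forwarding to the SIEM.
            if m.group(1) == "":
                alerts.append(("logging_disabled", line))
        elif SNAPSHOT_DEL.search(line):
            alerts.append(("snapshot_deleted", line))
        elif m := VM_CREATE.search(line):
            if m.group(2) not in VM_CREATORS:
                alerts.append(("vm_created_by_unapproved", line))
    return alerts


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```

Running it over the constructed sample yields five alerts; the root login from 10.10.20.5 and the VM created by the approved principal are correctly ignored.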

5. Utilize the Mandiant vCenter Hardening Script

To expedite the hardening process, Mandiant provides a community script that applies many of the above configurations automatically. Download it from the Mandiant GitHub repository (search “vCenter Hardening Script”).

  1. Review the script before executing—check for environment-specific adjustments.
  2. Run the script with elevated privileges on the VCSA.
  3. Verify changes after execution: check audit log settings, firewall rules, and password policies.
  4. Test critical operations (e.g., VM migrations, vMotion) to ensure business continuity.

Common Mistakes

  • Leaving default accounts enabled: Even if renamed, default accounts may still have backdoor access.
  • Inconsistent logging across all hosts: Ensure every ESXi host in the cluster sends logs to the same SIEM.
  • Neglecting regular audits: Permissions and configurations drift over time; schedule quarterly reviews.
  • Overlooking the management network: If the VCSA is reachable from the internet, attackers can brute-force credentials.
  • Using shared service accounts: Always assign unique accounts per admin to maintain accountability.

Summary

Defending against BRICKSTORM requires shifting from a guest OS-centric security model to one that hardens the entire virtualization control plane. By implementing strong identity controls, network segmentation, OS-level hardening, and comprehensive logging, organizations can close the visibility gap that attackers exploit. The Mandiant vCenter Hardening Script offers a fast path to enforcement, but continuous verification and improvement are essential. Remember, the goal is not just to prevent compromise but to detect and respond to threats at the layer where traditional defenses are blind.
