Introduction: When the Security Gatekeeper Becomes the Weakest Link
Organizations often rely on firewalls, VPN gateways, NAS devices, and storage appliances as the first line of defense against cyber threats. These systems are expected to block attackers, protect sensitive data, and monitor suspicious activity. But what happens when the very devices designed to defend a network become the attackers’ strongest foothold?
A newly uncovered cyber espionage campaign linked to the notorious threat actor VerdantBamboo reveals a disturbing reality. By compromising a pfSense firewall and deploying a FreeBSD-compatible version of the BRICKSTORM backdoor, the attackers managed to maintain covert access to critical infrastructure for at least 18 months. The operation highlights a growing trend among advanced persistent threat groups: targeting edge devices that often operate outside traditional security monitoring systems.
The investigation, conducted by cybersecurity firm Volexity, exposed a sophisticated attack chain involving firewalls, storage synchronization appliances, Microsoft 365 environments, VPN services, and NAS devices. The findings demonstrate how modern attackers are increasingly bypassing endpoint protection solutions by focusing on overlooked infrastructure components that rarely receive the same level of scrutiny as desktops and servers.
The Discovery: Suspicious Traffic Uncovers a Hidden Threat
The investigation began when security analysts noticed unusual outbound communications originating from a Linux-based Egnyte Storage Sync virtual appliance.
Under normal circumstances, the appliance should have been communicating exclusively with legitimate Egnyte cloud services. Instead, researchers discovered connections to attacker-controlled infrastructure concealed behind Cloudflare IP addresses.
This anomaly triggered a deeper forensic investigation, eventually leading to the discovery of BRICKSTORM, a sophisticated remote access Trojan associated with VerdantBamboo operations.
The malware had quietly established itself within the environment, enabling attackers to maintain persistent access while remaining largely invisible to conventional monitoring tools.
What initially appeared to be a minor network irregularity quickly evolved into evidence of a large-scale, long-running compromise affecting multiple systems across the victim’s infrastructure.
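The Egnyte anomaly above is a reminder that an IP allowlist cannot separate a vendor's CDN-fronted service from attacker infrastructure behind the same Cloudflare ranges; matching the TLS SNI against the vendor's documented hostnames can. The following is an added example, not Volexity's code: it scans connection records for a single-purpose appliance and flags egress that is neither a known infrastructure IP nor a vendor hostname. The log format and the placeholder hostnames (.invalid TLD) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original report): flag outbound connections of a
# single-purpose appliance that fall outside its expected destination set.
# Log line format is a constructed assumption:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <tls_sni_or_->
# The allowlists would come from the vendor's published egress hostnames and
# the site's own resolver/NTP addresses; placeholders are used here.
ALLOW_HOSTS='sync.example-vendor.invalid api.example-vendor.invalid'
ALLOW_IPS='10.0.0.53'

# find_unexpected_egress LOGFILE APPLIANCE_IP
# Prints one "FLAG ..." line per record that is neither a known infrastructure
# IP nor a TLS session to a vendor hostname; returns 1 if anything was flagged.
find_unexpected_egress() {
    awk -v src="$2" -v hosts="$ALLOW_HOSTS" -v ips="$ALLOW_IPS" '
    BEGIN {
        n = split(hosts, h, " "); for (i = 1; i <= n; i++) okhost[h[i]] = 1
        n = split(ips, a, " ");   for (i = 1; i <= n; i++) okip[a[i]] = 1
        bad = 0
    }
    $2 != src        { next }   # only flows sourced from the appliance
    ($3 in okip)     { next }   # resolver, NTP, other local infrastructure
    ($5 in okhost)   { next }   # TLS to a documented vendor hostname
    {
        # Anything else: an unexpected hostname, or a flow with no SNI at all
        # (direct-to-IP traffic that an IP allowlist keyed on CDN ranges would
        # have let through).
        printf "FLAG %s %s -> %s:%s sni=%s\n", $1, $2, $3, $4, $5; bad++
    }
    END { exit (bad > 0) }' "$1"
}
```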
BRICKSTORM: A Powerful Backdoor Designed for Stealth
BRICKSTORM has emerged as one of VerdantBamboo’s preferred cyber weapons.
Written primarily in Golang, with newer variants developed in Rust, the malware offers a broad range of capabilities that make it particularly dangerous in enterprise environments.
Among its most concerning features are:
Remote command execution
SOCKS5 proxy functionality
File system browsing through a web interface
Network pivoting capabilities
Covert traffic tunneling
Cloud service access through trusted devices
These capabilities allow attackers to move laterally through a network while disguising malicious communications as legitimate traffic.
By leveraging trusted infrastructure, BRICKSTORM helps operators avoid detection by security teams and automated monitoring solutions.
Exploiting Legitimate Credentials to Evade Detection
One of the most alarming aspects of the campaign was the attackers’ use of valid credentials.
Rather than relying solely on malware, VerdantBamboo leveraged legitimate user accounts and proxy features embedded within BRICKSTORM to access the victim’s Microsoft 365 environment.
This approach offered several advantages.
First, malicious activity blended naturally into normal user behavior. Second, many security tools interpret valid authentication events as trustworthy. Third, Conditional Access policies often become ineffective when requests originate from trusted internal systems.
The result was an attack chain capable of bypassing multiple layers of enterprise security controls without triggering significant alarms.
VerdantBamboo Returns After Cleanup
Perhaps the most concerning revelation from Volexity’s investigation was the duration of the compromise.
Researchers determined that the attackers had maintained access for at least 18 months.
Even after the victim organization completed remediation efforts, VerdantBamboo successfully returned using previously stolen administrative credentials.
Once back inside the environment, the threat actors enabled web SSL VPN access and used it to reconnect directly into internal systems.
This persistence demonstrates a hallmark characteristic of advanced threat groups: they prepare multiple fallback mechanisms to ensure long-term survival even when primary access methods are removed.
The incident serves as a reminder that malware removal alone does not eliminate a threat if compromised credentials remain active.
pfSense Firewall Becomes the Attackers’ Beachhead
The investigation eventually expanded to include the
There, researchers uncovered evidence that the MSP’s pfSense firewall had also been compromised.
Instead of attacking endpoints, VerdantBamboo targeted a critical network security appliance itself.
The attackers deployed a BSD-compatible BRICKSTORM implant named blocklist within the following directory:
/usr/local/libexec/ipsec/
To ensure the malware would survive reboots and system maintenance, they modified system startup processes by altering:
/etc/rc.d/cron
This change allowed the malicious implant to execute automatically every time the device started.
By compromising the firewall directly, the attackers gained a privileged position from which they could observe, manipulate, and route traffic throughout the network.
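The two indicators above, a foreign binary in /usr/local/libexec/ipsec/ and a modified /etc/rc.d/cron, lend themselves to a baseline check. The script below is an added example, not code from Volexity or the pfSense project: it compares a FreeBSD/pfSense filesystem (live, or an image mounted under ROOT) against a clean-install baseline and also greps the cron rc script for the implant directory so that the indicator is caught even without a baseline entry. The baseline file format is an assumption.

```shell
#!/bin/sh
# Added example, not Volexity's or pfSense's own code. Baseline format is an
# assumption: one "sha256  /absolute/path" line per file from a clean install.

IPSEC_DIR="usr/local/libexec/ipsec"   # directory the implant was dropped into
RC_CRON="etc/rc.d/cron"               # startup script the attackers altered

# sha256 of one file; FreeBSD ships sha256(1), Linux ships sha256sum(1).
file_hash() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# rc_cron_modified ROOT BASELINE -> 0 if etc/rc.d/cron matches its baseline
# hash and does not reference the implant directory, 1 otherwise.
rc_cron_modified() {
    root="$1"; base="$2"; script="$root/$RC_CRON"
    [ -f "$script" ] || { echo "MISSING: /$RC_CRON" >&2; return 1; }
    expect=$(awk -v p="/$RC_CRON" '$2 == p {print $1}' "$base")
    actual=$(file_hash "$script")
    if [ -n "$expect" ] && [ "$expect" != "$actual" ]; then
        echo "MODIFIED: /$RC_CRON (baseline $expect, now $actual)"
        return 1
    fi
    # Without a baseline entry the page's indicator is still catchable: a
    # base-system rc script has no reason to call into this directory.
    if grep -q "/$IPSEC_DIR" "$script"; then
        echo "SUSPICIOUS: /$RC_CRON references /$IPSEC_DIR"
        return 1
    fi
    return 0
}

# unexpected_ipsec_files ROOT BASELINE -> prints every regular file under the
# ipsec libexec directory that the baseline does not list; 1 if any found.
unexpected_ipsec_files() {
    root="$1"; base="$2"; n=0
    for f in "$root/$IPSEC_DIR"/*; do
        [ -f "$f" ] || continue
        rel="/$IPSEC_DIR/${f##*/}"
        if ! awk -v p="$rel" '$2 == p {found=1} END {exit !found}' "$base"; then
            echo "UNEXPECTED: $rel $(file_hash "$f")"; n=$((n+1))
        fi
    done
    [ "$n" -eq 0 ]
}
```

Run both functions against a snapshot taken before remediation and again afterwards; a hash that matches the baseline but a script that still references the implant directory means the baseline itself was taken from an already-compromised system.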
Additional Malware Expands the Attack Surface
The campaign was not limited to BRICKSTORM alone.
Researchers identified two additional malware families deployed during the operation.
AGENTPSD: The Backup Access Tool
AGENTPSD is a lightweight Python-based reverse shell designed primarily as a contingency mechanism.
Although relatively simple compared to BRICKSTORM, it provides attackers with a reliable alternative channel should primary implants become unavailable.
This redundancy reflects the operational maturity of VerdantBamboo.
PLENET / GRIMBOLT: Modern Linux Backdoor
Researchers also identified PLENET, known in some security circles as GRIMBOLT.
Unlike traditional .NET malware that depends on Windows environments, this backdoor leverages .NET Native AOT technology, enabling effective deployment on Linux-based systems.
Its presence demonstrates the increasing cross-platform focus of advanced threat actors.
As enterprises expand Linux deployments in cloud and hybrid environments, malware developers are adapting accordingly.
Why Edge Devices Are Becoming Prime Targets
Firewalls, VPN concentrators, NAS appliances, storage synchronization platforms, and similar systems often occupy a dangerous security blind spot.
Many organizations invest heavily in endpoint detection and response solutions for laptops and servers while neglecting infrastructure appliances.
Attackers understand this imbalance.
Edge devices frequently offer:
High privileges
Continuous uptime
Network visibility
Limited logging
Minimal EDR coverage
Rare security audits
For advanced threat actors, these characteristics make such systems exceptionally attractive.
Compromising a firewall can provide more strategic value than compromising dozens of individual endpoints.
Deep Analysis: Technical Indicators and Hunting Commands
Investigating Suspicious Persistence Mechanisms
Security teams should immediately inspect startup scripts and scheduled task configurations. The commands below are written for Linux-based appliances such as the Egnyte sync VM; on a FreeBSD-based pfSense firewall, ss, journalctl, iftop and nethogs are not available, and netstat -an and sockstat cover the socket checks instead.
cat /etc/rc.d/cron
grep -R "blocklist" /usr/local/libexec/
find / -type f -name "blocklist" 2>/dev/null
Reviewing Unauthorized Network Connections
netstat -antp
ss -tulpn
lsof -i
Identifying Suspicious User Activity
lastlog
last
who
Detecting Unknown Executables
find / -perm -111 -type f 2>/dev/null
sha256sum suspicious_file
Examining Scheduled Tasks
crontab -l
ls -la /etc/crontab /etc/cron*
Monitoring Outbound Communications
tcpdump -i any
iftop
nethogs
Reviewing Authentication Logs
journalctl -xe
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
These commands can help identify persistence techniques, unauthorized binaries, suspicious authentication events, and unusual outbound traffic patterns that may indicate compromise.
What Undercode Say:
The VerdantBamboo campaign represents a significant evolution in modern cyber espionage tactics.
Rather than attacking heavily monitored endpoints, the attackers focused on infrastructure devices that many organizations rarely inspect.
This strategy dramatically increases stealth and persistence.
The use of a FreeBSD-compatible BRICKSTORM variant shows deliberate engineering investment.
Threat actors are no longer building malware solely for Windows environments.
Linux, BSD, NAS platforms, and firewall operating systems are now active targets.
The compromise of a pfSense firewall is particularly important.
Firewalls occupy a trusted position inside enterprise networks.
Once compromised, they become ideal surveillance platforms.
The attack also highlights the danger of credential theft.
Many organizations prioritize malware detection while overlooking identity security.
Valid credentials often provide greater access than malware itself.
Another noteworthy element is the use of Cloudflare-obscured infrastructure.
Threat actors increasingly hide command-and-control systems behind reputable cloud providers.
This complicates blocking efforts and creates attribution challenges.
The persistence period of 18 months is equally alarming.
Maintaining access for such a long duration suggests monitoring gaps and insufficient visibility into edge infrastructure.
The deployment of multiple malware families demonstrates layered operational planning.
If one implant fails, another remains available.
This redundancy is common among sophisticated state-aligned actors.
Organizations should reconsider how they classify firewalls and storage appliances.
These devices should no longer be viewed as passive infrastructure.
They should be treated as high-value endpoints.
Routine integrity checks should become standard practice.
Configuration files should be monitored for unauthorized changes.
Administrative access should always require MFA.
VPN configurations should be reviewed regularly.
Outbound traffic from infrastructure devices deserves the same scrutiny as workstation traffic.
Security teams must also implement behavioral monitoring.
Credential abuse often appears legitimate when viewed through traditional logging systems.
Zero-trust principles become increasingly important in this context.
Trust should never be granted solely because activity originates from inside the network.
Infrastructure devices should be included in threat hunting exercises.
Regular firmware validation should be mandatory.
Network segmentation can significantly reduce attacker mobility.
Cloud service access should be continuously evaluated.
The VerdantBamboo operation demonstrates that
The next major breach may not begin with a laptop or server.
It may begin with a firewall quietly performing its daily tasks while secretly serving an attacker.
✅ Volexity identified BRICKSTORM activity associated with VerdantBamboo.
The investigation directly linked the malware deployment to a broader espionage campaign targeting edge infrastructure devices.
✅ The attackers compromised a pfSense firewall and deployed a BSD-compatible BRICKSTORM implant.
Evidence showed the malware was installed on the firewall and configured for persistence through startup modifications.
✅ Edge devices are increasingly attractive targets because they often lack comprehensive monitoring.
Firewalls, VPN gateways, NAS devices, and storage appliances commonly receive less security visibility than traditional endpoints, making them valuable targets for advanced threat actors.
Prediction
(+1) Security Monitoring of Infrastructure Devices Will Expand 📈
Organizations are likely to begin extending EDR-like visibility and behavioral analytics to firewalls, VPN appliances, and NAS platforms. This shift could significantly reduce attacker dwell time in future campaigns.
(+1) Identity-Centric Security Controls Will Strengthen 🔐
More enterprises will adopt phishing-resistant MFA, privileged access management, and continuous authentication validation to combat attacks that rely on stolen credentials.
(-1) Attackers Will Continue Targeting Network Appliances ⚠️
As endpoint security improves, advanced threat groups will increasingly focus on firewalls, storage systems, routers, and virtualization appliances where monitoring remains weaker.
(-1) Multi-Platform Malware Development Will Accelerate 🦠
Future malware families will continue expanding beyond Windows into Linux, FreeBSD, cloud workloads, and embedded infrastructure, creating new challenges for defenders across hybrid environments.
References:
Reported By: cyberpress.org