A Chinese state-affiliated hacking group, identified as VerdantBamboo, has been covertly infiltrating corporate networks for over a year. Utilizing a unique malware kit, they have managed to compromise firewalls, storage systems, and network appliances without setting off any alarms.
Uncovering VerdantBamboo’s Infiltration
VerdantBamboo, noted for its patience and technical precision, was brought to light when unusual network activity was detected on a Linux-based virtual machine within a client’s network. The device, an Egnyte Storage Sync appliance, was supposed to connect only to Egnyte’s infrastructure but was instead communicating with a domain owned by the attackers, whose real server was hidden behind Cloudflare IP addresses and whose name was resolved over an encrypted channel through Google’s public DNS server rather than the internal resolver.
Volexity, a threat intelligence and incident response company, identified the malware behind these activities as BRICKSTORM, a remote access trojan under continuous development. According to Volexity, VerdantBamboo, also known as WARP PANDA and UNC5221, had maintained access to the compromised network for at least 18 months before discovery.
Advanced Intrusion Techniques
The attack was more intricate than initially perceived. VerdantBamboo not only breached the victim’s systems but also infiltrated their Managed Services Provider (MSP). This gave the group access to sensitive credentials and internal infrastructure data, enabling them to bypass standard security controls and establish a foothold within the victim’s environment.
Even after being expelled, VerdantBamboo demonstrated resilience by re-entering the network. They used stolen administrative credentials to access the victim’s exposed firewall, established a VPN tunnel, and implanted a new backdoor on a Synology NAS device. This adaptability complicated recovery efforts significantly.
BRICKSTORM and Additional Threats
BRICKSTORM, VerdantBamboo’s primary malware, is designed to operate undetected in environments that lack traditional security monitoring. Written in Go, its modular architecture allows it to be customized for each target device. On Egnyte appliances, BRICKSTORM was executed manually, exploiting a misconfigured sudo rule to gain elevated privileges.
Volexity also discovered two previously undocumented malware families: PLENET, a cross-platform backdoor, and AGENTPSD, a lightweight Python reverse shell. These were likely deployed as fallback options in case BRICKSTORM’s operation was disrupted.
Preventive Measures and Future Outlook
Volexity tracked VerdantBamboo’s command-and-control servers using a Censys platform query, which led to the identification of servers with minimal services on port 443. Once the fingerprint was developed, all matching servers went offline, suggesting the hackers were alerted to the investigation.
To mitigate such threats, organizations must ensure edge appliances are not directly internet-accessible without MFA. Privileged accounts should be audited, and systems unable to run EDR agents should have compensating controls like network traffic monitoring and strict access policies to detect persistent compromises.
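As an added example of the network-monitoring compensating control recommended above (it is not code from the article or from Volexity), the script below audits constructed flow records from appliances against a per-device expected-egress allowlist and flags both unexpected outbound destinations and encrypted DNS to public resolvers, the two signals the Egnyte appliance exhibited. The appliance names, vendor hostnames, internal ranges and record format are assumptions made for the example.

```python
# Added example, not from the article: egress-allowlist audit for appliances
# that cannot run an EDR agent. Flow format, hostnames and vendor domains are
# hypothetical; real deployments would feed Zeek/NetFlow records instead.
import ipaddress
from dataclasses import dataclass

# Public resolvers that also answer DNS over HTTPS (443) / DNS over TLS (853).
# An appliance using them bypasses internal DNS logging, hiding its lookups.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
ENCRYPTED_DNS_PORTS = {443, 853}

# RFC 1918 ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-appliance expected vendor egress, keyed by TLS server name (hypothetical).
EXPECTED_EGRESS = {
    "egnyte-sync-01": {"storage-sync.egnyte.example"},
    "synology-nas-02": {"update.synology.example"},
}

@dataclass
class Flow:
    host: str       # appliance that originated the connection
    dst_ip: str
    dst_port: int
    sni: str        # TLS server name, "" when none was observed

def parse_flows(lines):
    """Parse constructed 'host dst_ip dst_port sni' records ('-' = no SNI)."""
    flows = []
    for line in lines:
        host, dst_ip, port, sni = line.split()
        flows.append(Flow(host, dst_ip, int(port), "" if sni == "-" else sni))
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(flows):
    """Return one alert string per flow that deviates from the expected egress."""
    alerts = []
    for f in flows:
        expected = EXPECTED_EGRESS.get(f.host)
        if expected is None or is_internal(f.dst_ip):
            continue  # unmonitored device, or traffic that stays internal
        if f.dst_ip in PUBLIC_RESOLVERS and f.dst_port in ENCRYPTED_DNS_PORTS:
            alerts.append(f"{f.host}: encrypted DNS to public resolver {f.dst_ip}")
        elif f.sni not in expected:
            alerts.append(f"{f.host}: unexpected egress to {f.sni or f.dst_ip}:{f.dst_port}")
    return alerts

SAMPLE_FLOWS = [  # constructed records, not real traffic
    "egnyte-sync-01 203.0.113.10 443 storage-sync.egnyte.example",
    "egnyte-sync-01 8.8.8.8 443 dns.google",
    "egnyte-sync-01 203.0.113.77 443 cdn-assets.example",
    "egnyte-sync-01 10.0.0.5 445 -",
    "synology-nas-02 198.51.100.9 443 update.synology.example",
]
```

Only the two anomalous flows from the Egnyte appliance produce alerts; the vendor connections and the internal SMB session pass silently.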
As the cyber landscape evolves, staying vigilant against advanced persistent threats like VerdantBamboo remains crucial. Continuous monitoring, proactive security measures, and incident response readiness are essential to safeguarding network integrity.
