SparTech Software CyberPulse – Your quick strike cyber update for December 18, 2025 10:41 AM

CISA and NSA Warn of China-Backed BRICKSTORM Malware Campaign

This joint advisory from CISA, NSA, and Canadian officials highlights a sophisticated malware operation attributed to Chinese state-sponsored actors, targeting VMware vSphere and Windows environments in government and IT sectors since at least April 2024.

Technical Breakdown of BRICKSTORM

BRICKSTORM operates as an advanced backdoor with capabilities for credential theft through virtual machine snapshots and the creation of rogue virtual machines. It employs multiple layers of encryption to obfuscate payloads and leverages DNS-over-HTTPS for command-and-control communications, evading traditional network monitoring tools. The malware maintains persistence by injecting into legitimate VMware processes, allowing long-term access as observed in intrusions lasting over a year.

Attack Vector and Exploitation

Actors gain initial access via unpatched vulnerabilities or phishing, then deploy BRICKSTORM to enumerate credentials from VM snapshots. It exploits VMware’s snapshot feature to extract sensitive data without triggering host alerts. Rogue VMs are spun up in isolated segments, providing a stealthy foothold for lateral movement. Network segmentation failures in DMZ zones have enabled escalation to critical systems.

Detection and Mitigation Strategies

CISA recommends YARA rules for signature-based detection, focusing on encrypted DNS traffic anomalies and unauthorized VM creation events. Organizations should enforce DNS-over-HTTPS blocking, implement strict VM snapshot auditing, and apply least-privilege segmentation. Behavioral analytics can flag anomalous VMware API calls, while endpoint detection tools monitor for process injection into vSphere services.
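Two of the recommendations above, auditing VM creation and snapshot events and spotting DNS-over-HTTPS traffic that bypasses the resolver you monitor, are easy to express as log checks. The following Python is an added example written for this page, not code from the advisory or from CISA; the vCenter-style event lines, the proxy log lines, the account allowlists and the "sensitive VM" set are all constructed and assumed, and the line formats would have to be mapped onto whatever your SIEM actually ingests.

```python
"""Added example: flag unapproved VM creation / snapshot events and
DNS-over-HTTPS style requests in constructed log lines."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed vCenter-style event lines (format is assumed, not vCenter's real schema):
# <timestamp> <event type> user=<account> vm=<vm name>
VCENTER_EVENTS = """\
2025-12-10T01:12:03Z VmCreatedEvent user=VSPHERE.LOCAL\\Administrator vm=web-01
2025-12-10T02:40:19Z VmCreatedEvent user=VSPHERE.LOCAL\\svc-backup vm=tmp-7a3f
2025-12-10T02:41:02Z VmSnapshotCreatedEvent user=VSPHERE.LOCAL\\svc-backup vm=dc-01
2025-12-10T03:05:44Z VmSnapshotCreatedEvent user=VSPHERE.LOCAL\\Administrator vm=dc-01
"""

# Assumed policy: who may create VMs, which VMs hold credential material
# (domain controllers, vaults), and who may snapshot those.
VM_CREATE_ALLOWED = {"VSPHERE.LOCAL\\Administrator"}
SENSITIVE_VMS = {"dc-01"}
SENSITIVE_SNAPSHOT_ALLOWED = {"VSPHERE.LOCAL\\Administrator"}

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<type>\w+) user=(?P<user>\S+) vm=(?P<vm>\S+)$")


def flag_vm_events(text):
    """Return (timestamp, reason) for VM creations by unapproved accounts and
    for snapshots of sensitive VMs taken by accounts outside the allowlist."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated event type or malformed line
        ev = m.groupdict()
        if ev["type"] == "VmCreatedEvent" and ev["user"] not in VM_CREATE_ALLOWED:
            findings.append((ev["ts"], f"VM {ev['vm']} created by unapproved account {ev['user']}"))
        elif (ev["type"] == "VmSnapshotCreatedEvent"
              and ev["vm"] in SENSITIVE_VMS
              and ev["user"] not in SENSITIVE_SNAPSHOT_ALLOWED):
            findings.append((ev["ts"], f"snapshot of sensitive VM {ev['vm']} by {ev['user']}"))
    return findings


# Constructed proxy log lines: <source ip> <method> <url> <request content-type>
PROXY_LOG = """\
10.0.5.12 GET https://cdn.example.net/app.js text/javascript
10.0.5.40 POST https://203.0.113.7/dns-query application/dns-message
10.0.5.40 POST https://203.0.113.7/dns-query application/dns-message
10.0.5.12 GET https://doh.example.org/dns-query?dns=AAABAAABAAAAAAAAA2Nvbm5lY3Rpdml0eQ application/dns-message
"""


def flag_doh(text):
    """Count per-source requests that look like RFC 8484 DNS-over-HTTPS:
    the /dns-query path or the application/dns-message media type."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, _method, url, ctype = parts
        if ctype == "application/dns-message" or urlsplit(url).path == "/dns-query":
            hits[src] += 1
    return hits


if __name__ == "__main__":
    for ts, reason in flag_vm_events(VCENTER_EVENTS):
        print(ts, reason)
    for src, n in flag_doh(PROXY_LOG).items():
        print(f"{src}: {n} DoH-like requests")
```

The VM check deliberately treats a snapshot of a domain controller by a backup account as a finding even though that account is otherwise legitimate: the advisory's point is that snapshots are the credential-theft path, so the audit has to be keyed on which VM was snapshotted, not only on who did it. The DoH check catches both the well-known path and the media type, since an encrypted resolver on an IP address will not match a hostname-based block list.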

Critical React Server Components Vulnerability React2Shell Actively Exploited

Disclosed on December 3, 2025, the React2Shell vulnerability in React Server Components enables remote code execution, source code exposure, and denial-of-service attacks, with over 165,000 IPs and 644,000 domains remaining vulnerable as of December 10.

Vulnerability Mechanics

React2Shell stems from improper deserialization in server-side rendering paths, allowing attackers to inject malicious payloads during component hydration. This leads to arbitrary code execution on the server, bypassing client-side protections. Exploitation involves crafting inputs that trigger out-of-bounds memory access or prototype pollution, compromising the Node.js runtime hosting React servers.

Widespread Exploitation Patterns

Attackers chain React2Shell with malicious QR codes for device linking or no-click scams, automating propagation across web applications. Observed exploits include cryptomining payloads and backdoor implants, targeting e-commerce and SaaS platforms. Scanner bots probe exposed endpoints, confirming vulnerability via error responses before full exploitation.

Remediation and Hardening Measures

Patch immediately by updating to React 19.x with deserialization safeguards. Implement content security policies to restrict script execution, and use sandboxed rendering environments. Runtime protections like object input validation and taint tracking prevent deserialization exploits. Network-level WAF rules can block anomalous request patterns associated with scans.
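The "object input validation" item above is defence in depth behind the patch, not a substitute for it. As an added example (not code from the React project or from the vulnerability disclosure), the Python below shows a gateway-side validator for untrusted JSON bodies: it bounds size and nesting, requires an expected top-level shape, and rejects the `__proto__`, `constructor` and `prototype` keys that drive prototype-pollution style attacks once a body reaches a JavaScript deserializer. The allowed key set and limits are assumptions for illustration.

```python
"""Added example: validate an untrusted JSON request body before it reaches
a server-side deserializer (gateway / WAF style check)."""
import json

# Keys that must never appear anywhere in an object handed to a JS deserializer.
FORBIDDEN_KEYS = {"__proto__", "constructor", "prototype"}


class RejectedInput(ValueError):
    """Raised with a human-readable reason so the rejection can be logged."""


def _walk(node, depth, max_depth):
    """Recursively enforce the nesting limit and the forbidden-key rule."""
    if depth > max_depth:
        raise RejectedInput(f"nesting deeper than {max_depth}")
    if isinstance(node, dict):
        for key, value in node.items():
            if key in FORBIDDEN_KEYS:
                raise RejectedInput(f"forbidden key {key!r}")
            _walk(value, depth + 1, max_depth)
    elif isinstance(node, list):
        for value in node:
            _walk(value, depth + 1, max_depth)


def validate_untrusted_json(raw, allowed_top_level, max_bytes=64_000, max_depth=8):
    """Parse and validate a request body. Returns the parsed object or raises
    RejectedInput. Unknown top-level keys are rejected (allowlist, not denylist)."""
    if len(raw) > max_bytes:
        raise RejectedInput("body too large")
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        raise RejectedInput(f"malformed JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise RejectedInput("top-level value must be an object")
    extra = set(obj) - set(allowed_top_level)
    if extra:
        raise RejectedInput(f"unexpected top-level keys {sorted(extra)}")
    _walk(obj, 0, max_depth)
    return obj


def check(raw, allowed_top_level):
    """Convenience wrapper returning (accepted, reason) for a block/allow decision."""
    try:
        validate_untrusted_json(raw, allowed_top_level)
        return True, "ok"
    except RejectedInput as exc:
        return False, str(exc)


if __name__ == "__main__":
    allowed = {"id", "filter"}  # assumed shape of one hypothetical endpoint
    for body in ('{"id": 7, "filter": {"status": "open"}}',
                 '{"id": 7, "filter": {"__proto__": {"admin": true}}}',
                 '[1, 2, 3]'):
        print(check(body, allowed))
```

Because the check runs on the parsed tree rather than on the raw text, an attacker cannot slip a forbidden key past it with whitespace or Unicode escapes that a regex-based WAF rule would miss; `json.loads` has already normalised those by the time `_walk` looks at the keys.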

Cisco Warns of Actively Exploited Zero-Day in AsyncOS

Cisco has confirmed active exploitation of CVE-2025-20393, a CVSS 10.0 zero-day in AsyncOS software for email security appliances, granting root access; CISA added it to the KEV catalog with a December 24 mitigation deadline for federal agencies.

Exploit Details and Impact

The flaw resides in a buffer overflow within AsyncOS’s parsing engine, triggered by malformed email headers. Attackers send specially crafted MIME attachments exploiting heap overflows for code injection, achieving root privileges without authentication. This compromises email gateways, enabling traffic interception, malware injection, and pivot to internal networks.

Observed Attack Campaigns

Over 10,000 IPs launched automated brute-force attempts on Cisco SSL VPNs on December 12, originating from 1,273 sources targeting U.S., Pakistan, and Mexico portals. Opportunistic scans use common credentials, chaining with AsyncOS exploits for full compromise. The surge aligns with credential-stuffing trends hitting Palo Alto Networks firewalls.

Immediate Defensive Actions

Apply Cisco’s interim patches disabling vulnerable parsers, restrict email ingress to trusted sources, and enable logging for header anomalies. Use EDR on appliances to detect privilege escalations. Multi-factor authentication and IP allowlisting on VPN endpoints mitigate brute-force risks.

700Credit API Breach Exposes 5.6 Million Records

A flawed API integration at 700Credit led to unauthorized access to client data from May to October 2025, prompting exploitation by China-linked and North Korean actors; CISA cataloged the vulnerability on December 5.

Breach Timeline and Access Method

Threat actors exploited an insecure API endpoint in a partner’s software, bypassing authentication to query 700Credit’s database. Exposed data included PII for 5.6 million individuals across 18,000 auto dealerships. Post-breach, attackers deployed miners, backdoors, and credential harvesters targeting cloud metadata.

Secondary Exploitation Waves

Groups like Earth Lamia and Jackpot Panda initiated attacks hours after disclosure, scanning for vulnerable cloud instances—39% reportedly affected. North Korean actors weaponized the flaw for espionage, extracting environment variables for further pivots.

API Security Best Practices

Enforce OAuth 2.0 with scoped tokens, rate limiting, and input validation on APIs. Segment partner integrations via zero-trust gateways. Cloud configs should scrub metadata endpoints, with anomaly detection on API logs flagging unusual query volumes.
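To make the first three recommendations concrete, here is an added example in Python (not 700Credit's code, nor that of any real partner integration) of the authorization path an API gateway would run on every partner request: the bearer token must be known, its OAuth scopes must cover the route (deny by default), a sliding-window rate limit applies per client, and a separate function flags clients whose query volume is an outlier against their peers. The tokens, scopes, routes and counts are all constructed; in production the scopes come from token introspection or a validated JWT, not a dictionary.

```python
"""Added example: scoped-token authorization, per-client rate limiting and
query-volume anomaly detection for a partner-facing API."""
from collections import defaultdict, deque
from statistics import median

# Constructed token -> scope mapping (stand-in for OAuth 2.0 token introspection).
TOKEN_SCOPES = {
    "tok-dealer-123": {"reports:read"},
    "tok-partner-77": {"reports:read", "reports:bulk"},
}

# Hypothetical routes and the single scope each one requires.
ROUTE_SCOPE = {
    ("GET", "/v1/reports"): "reports:read",
    ("POST", "/v1/reports/bulk-export"): "reports:bulk",
}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authorize(method, path, token, client_id, limiter, now):
    """Return the HTTP status the gateway should answer with:
    401 unknown token, 403 missing scope or unknown route, 429 rate limited, 200 ok."""
    scopes = TOKEN_SCOPES.get(token)
    if scopes is None:
        return 401
    needed = ROUTE_SCOPE.get((method, path))
    if needed is None or needed not in scopes:
        return 403  # unknown routes and missing scopes are both denied
    if not limiter.allow(client_id, now):
        return 429
    return 200


def volume_outliers(counts, factor=5):
    """Given {client: queries in the period}, return clients whose volume exceeds
    `factor` times the median of all clients (a cheap first-pass anomaly rule)."""
    if not counts:
        return []
    baseline = max(median(counts.values()), 1)
    return sorted(client for client, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window=60)
    for t in range(4):
        print(t, authorize("GET", "/v1/reports", "tok-dealer-123", "dealer-123", limiter, t))
    print(authorize("POST", "/v1/reports/bulk-export", "tok-dealer-123", "dealer-123", limiter, 5))
    print(volume_outliers({"dealer-1": 100, "dealer-2": 120, "dealer-3": 90, "partner-x": 5000}))
```

Ordering matters: authentication and scope checks run before the rate limiter so that unauthenticated noise never consumes a legitimate client's quota, and the limiter is keyed on the client identity rather than the source IP so a partner behind a NAT is measured as one principal. The median-based outlier rule is intentionally simple; its value is that a single integration pulling thousands of records while its peers pull hundreds is exactly the pattern described in this breach.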

Microsoft Patch Tuesday Addresses Multiple Zero-Days

Microsoft’s December 2025 Patch Tuesday resolved 56 vulnerabilities, including three zero-days: command-injection RCEs in PowerShell and GitHub Copilot, plus an exploited Windows Cloud Files elevation-of-privilege flaw.

Zero-Day Technical Analysis

CVE details reveal that PowerShell’s pipeline parsing is vulnerable to command injection via malformed arguments, enabling RCE on domain controllers. GitHub Copilot’s JetBrains plugin suffers similar injection, exposing IDE sessions. The Cloud Files Mini Filter Driver EoP exploits race conditions for kernel ring-0 access.

Patching Priorities

Prioritize internet-facing Exchange and Azure components with 19 RCEs. Deploy WSUS for automated rollout and verify via MBSA scans. Holiday-period monitoring focuses on PowerShell logging for anomalous executions.
