
How to Harden Your vSphere Environment Against BRICKSTORM Malware: A Step-by-Step Guide

Last updated: 2026-05-06 23:38:27 · Cybersecurity

Introduction

Recent research from Google Threat Intelligence Group (GTIG) highlights the BRICKSTORM malware, which specifically targets VMware vSphere environments, particularly the vCenter Server Appliance (VCSA) and ESXi hypervisors. Attackers establish persistence at the virtualization layer, operating beneath guest operating systems where traditional endpoint detection and response (EDR) tools are ineffective. This guide provides a structured approach to harden your vSphere infrastructure against such threats. By following these steps, you'll close visibility gaps, enforce configuration controls, and transform your virtualization layer into a fortified defensive barrier.

How to Harden Your vSphere Environment Against BRICKSTORM Malware: A Step-by-Step Guide
Source: www.mandiant.com

What You Need

  • Administrative access to vCenter Server Appliance (VCSA) and ESXi hosts
  • Mandiant's vCenter Hardening Script (available from Mandiant GitHub or support)
  • Basic understanding of vSphere architecture and Photon Linux OS
  • Access to a privileged access management (PAM) solution for identity controls
  • Network monitoring tools capable of inspecting vSphere traffic (e.g., vRNI or third-party solutions)
  • Change management process to document and test hardening configurations

Step-by-Step Hardening Guide

  1. Assess Your vCenter Server Appliance Risk Profile

    Start by evaluating the VCSA's position in your infrastructure. Since VCSA manages all ESXi hosts and virtual machines, any compromise grants attackers administrative control over all of your Tier-0 workloads (e.g., domain controllers, PAM tools). Document all services running on the VCSA, identify any default credentials still in use, and review the current firewall rules. This baseline assessment helps you prioritize which hardening areas need immediate attention.

  2. Harden Photon Linux OS Layer

    VCSA runs on Photon Linux, a purpose-built OS that often lacks out-of-the-box security configurations. Apply the following: disable unnecessary services (e.g., SSH unless strictly needed), enforce strong password policies, enable auditd logging, and configure time sync with secure NTP. Use Mandiant's vCenter Hardening Script to automate these configurations—it directly modifies the Photon layer to meet Tier-0 security standards.

  3. Strengthen Identity and Access Management

    Attackers exploit weak identity design. Implement multi-factor authentication (MFA) for all vSphere administrators. Use role-based access control (RBAC) with the principle of least privilege—assign only necessary permissions per user. Integrate with a PAM solution to manage privileged sessions and rotate credentials. Disable the default 'administrator@vsphere.local' account or restrict its usage.

  4. Configure vCenter and ESXi Hardening

    Within vCenter settings, enable TLS 1.2 or higher, disable weak ciphers, and restrict API access to trusted networks. For ESXi hosts, configure the host firewall to block unnecessary ports, enable lockdown mode to prevent direct root login, and enforce certificate validation. Apply host profiles to ensure consistent hardening across all ESXi servers. Verify that all configuration changes are logged and monitored.

  5. Enable Comprehensive Monitoring and Auditing

    BRICKSTORM operates in visibility gaps. Deploy vCenter logging to a central SIEM or log management system. Enable syslog forwarding from ESXi hosts. Monitor for unusual vSphere API calls, account creation, or unauthorized power-on of VMs. Use network traffic analysis to detect lateral movement at the virtualization layer. Set up alerts for changes to VCSA's OS-level configuration.

  6. Automate Hardening with Mandiant's Script

    As mentioned in Step 2, Mandiant released a dedicated vCenter Hardening Script. Run it in a test environment first, then production after validation. The script enforces security configurations at the Photon Linux layer, such as kernel hardening and file integrity monitoring. Document the script's output and incorporate it into your continuous deployment pipeline for recurring compliance checks.

  7. Conduct Regular Security Reviews and Penetration Testing

    Hardening is not a one-time activity. Schedule quarterly reviews of your vSphere configurations against benchmarks like CIS VMware benchmarks. Perform penetration tests targeting the virtualization layer to identify new attack vectors. Update your incident response plan to include scenarios where the control plane is compromised—this ensures your team can respond effectively to threats like BRICKSTORM.
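Step 5 calls for alerting on unusual API calls, account creation, unauthorized VM power-on and OS-level configuration changes on the VCSA or ESXi hosts. The following detection logic is an added example (not code from Mandiant or the original article) that runs those rules over constructed vSphere-style events; the event type names are modelled on vSphere event classes and ESXi audit event IDs but are assumptions here, as are the field names, management network, and Tier-0 VM list.

```python
"""Flag vSphere control-plane events that warrant review (constructed sample data)."""
from ipaddress import ip_address, ip_network

# Constructed policy: networks allowed to reach vCenter/ESXi, and Tier-0 VM names (assumptions).
MGMT_NETS = [ip_network("10.10.0.0/24")]
TIER0_VMS = {"dc01", "pam-vault"}
SSO_ADMIN = "administrator@vsphere.local"

# Event types that should always be reviewed. Names are modelled on vSphere event
# classes and ESXi audit event IDs but are treated as assumptions in this example.
ALWAYS_ALERT = {
    "AccountCreatedEvent": "local account created on an ESXi host",
    "PermissionAddedEvent": "new permission granted in vCenter",
    "RoleAddedEvent": "new vCenter role created",
    "esx.audit.ssh.enabled": "SSH service enabled on an ESXi host",
    "esx.audit.lockdownmode.disabled": "lockdown mode disabled on an ESXi host",
}

def in_mgmt_net(ip):
    """True if the address falls inside one of the approved management networks."""
    addr = ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def evaluate(event):
    """Return a list of (severity, reason) findings for one event; empty means benign."""
    findings = []
    etype = event["type"]
    if etype in ALWAYS_ALERT:
        findings.append(("high", ALWAYS_ALERT[etype]))
    if etype == "UserLoginSessionEvent":
        if not in_mgmt_net(event["source_ip"]):
            findings.append(("high", f"login by {event['user']} from non-management address {event['source_ip']}"))
        if event["user"] == SSO_ADMIN:
            findings.append(("medium", "use of the default SSO administrator account"))
    if etype == "VmPoweredOnEvent" and event.get("vm") in TIER0_VMS and not event.get("change_ticket"):
        findings.append(("high", f"Tier-0 VM {event['vm']} powered on without a change ticket"))
    return findings

def scan(events):
    """Evaluate every event and return alerts as (event id, severity, reason) tuples."""
    return [(e["id"], sev, why) for e in events for sev, why in evaluate(e)]

SAMPLE_EVENTS = [  # constructed sample events, not real vCenter output
    {"id": 1, "type": "UserLoginSessionEvent", "user": "ops-admin@corp", "source_ip": "10.10.0.15"},
    {"id": 2, "type": "UserLoginSessionEvent", "user": SSO_ADMIN, "source_ip": "192.168.55.7"},
    {"id": 3, "type": "AccountCreatedEvent", "user": "svc-backup", "host": "esx03"},
    {"id": 4, "type": "VmPoweredOnEvent", "vm": "dc01", "change_ticket": None},
    {"id": 5, "type": "VmPoweredOnEvent", "vm": "web07", "change_ticket": None},
    {"id": 6, "type": "esx.audit.ssh.enabled", "host": "esx02"},
]

if __name__ == "__main__":
    for eid, sev, why in scan(SAMPLE_EVENTS):
        print(f"event {eid}: [{sev}] {why}")
```

In a real deployment the same rules would be fed from the SIEM that receives vCenter events and ESXi syslog, with the management networks and Tier-0 inventory taken from your own baseline.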

Tips for Long-Term Success

  • Maintain isolation: Keep vSphere management networks separate from production and guest VM traffic using VLANs or dedicated physical switches.
  • Stay updated: Follow GTIG and Mandiant advisories for new findings—BRICKSTORM techniques evolve quickly.
  • Back up configurations: Before applying any hardening, back up vCenter and ESXi settings. A misconfiguration can disrupt operations.
  • Educate administrators: Train your team on the importance of virtualization-layer security and the risks of shared credentials.
  • Leverage automation: Use infrastructure-as-code tools (e.g., Ansible, Terraform) to enforce and audit hardening policies across all vSphere components.