
Cybersecurity Snapshot: Fending Off BRICKSTORM Malware Data-Theft Attacks and Integrating AI into OT Securely


CISA has identified a China-backed BRICKSTORM malware campaign targeting the IT and government sectors. Meanwhile, global agencies released a guide for adding AI safely to OT. Plus, proving your online content is legit; fighting cyber fraud; and preventing bank account takeover scams.

Key takeaways

  1. CISA warns that Chinese state-sponsored actors are deploying the highly evasive BRICKSTORM malware to infiltrate IT and government networks for data theft and potential sabotage.
     
  2. International cyber agencies released a joint guide for critical infrastructure operators that outlines principles for securely integrating artificial intelligence into operational technology environments.
     
  3. Amidst a surge in financial account takeover fraud costing victims millions, the World Economic Forum is calling for a systemic defense approach that shifts the security burden from end-users to infrastructure providers and policy makers.

Here are five things you need to know for the week ending December 5.

1 - Nation-state actors deploy BRICKSTORM to steal info from IT, government orgs

IT organizations and government services outfits, listen up: Attackers acting on behalf of China’s government are targeting your sectors by leveraging the BRICKSTORM malware to infiltrate networks, linger stealthily, harvest data, and possibly inflict further damage.

“BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned this week.

BRICKSTORM functions as a highly advanced backdoor designed for both VMware vSphere and Windows environments. Its primary purpose is to maintain stealthy access while facilitating command and control (C2) operations. 

“These state-sponsored actors are not just infiltrating networks – they are embedding themselves to enable long-term access, disruption, and potential sabotage,” CISA Acting Director Madhu Gottumukkala said in a statement.
The malware employs complex evasion techniques, including multiple layers of encryption and DNS-over-HTTPS (DoH) to conceal its communications. Additionally, it features a SOCKS proxy to aid in lateral movement and tunneling, as well as self-monitoring capabilities that automatically reinstall or restart the malware if it is disrupted.

In observed compromises, initial access vectors vary. In one instance, actors compromised a web server within a demilitarized zone (DMZ), moved laterally to an internal VMware vCenter server, and subsequently deployed BRICKSTORM. 

Once established, the attackers leverage this access to harvest legitimate credentials, often by performing system backups or targeting Active Directory databases. They also target VMware platforms to steal virtual machine snapshots for further credential extraction or to create hidden "rogue" VMs to evade detection.

To mitigate this threat, CISA recommends that network defenders:

  • Actively hunt for signs of intrusion using specific YARA and Sigma rules detailed in the associated BRICKSTORM Malware Analysis Report
  • Block unauthorized DoH traffic
  • Maintain a strict inventory of network edge devices
  • Enforce robust network segmentation to restrict traffic between the DMZ and internal networks
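One way to act on the "block unauthorized DoH traffic" recommendation is to hunt for DoH requests that go to resolvers other than the ones the organization sanctions. The example below is added here and is not from CISA or the BRICKSTORM report; the proxy log format, the hostnames and the approved-resolver list are constructed for illustration, and seeing the request path and content type assumes a TLS-inspecting egress proxy.

```python
"""Flag DNS-over-HTTPS (DoH) sessions to resolvers outside the approved list,
from egress-proxy log lines. Added example, not from CISA or the BRICKSTORM
report; the log format, hosts and allowlist are constructed for illustration."""
import re

# Hypothetical approved internal DoH resolver(s); adjust per environment.
APPROVED_DOH = {"doh.corp.example"}
# RFC 8484 media type for DoH; "/dns-query" is the path most resolvers use by convention.
DOH_MEDIA_TYPE = "application/dns-message"
DOH_PATH_HINT = "/dns-query"

# Constructed proxy log format (path/content-type are only visible with TLS inspection):
# <ts> <src_ip> <method> <host> <path> <request content-type or -> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<ctype>\S+) (?P<status>\d{3})$"
)

def is_doh(method: str, path: str, ctype: str) -> bool:
    """POST carrying the DoH media type, or GET with ?dns= on the conventional path."""
    if ctype == DOH_MEDIA_TYPE:
        return True
    return method == "GET" and path.startswith(DOH_PATH_HINT) and "dns=" in path

def detect_unapproved_doh(lines):
    """Return (ts, src, host) for each DoH request to a resolver not in APPROVED_DOH."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_doh(m["method"], m["path"], m["ctype"]):
            continue  # unparsable line or ordinary HTTPS traffic
        if m["host"] not in APPROVED_DOH:
            findings.append((m["ts"], m["src"], m["host"]))
    return findings

SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.5.12 POST doh.corp.example /dns-query application/dns-message 200
2025-12-01T10:00:07Z 10.0.5.44 POST resolver.example.net /dns-query application/dns-message 200
2025-12-01T10:00:09Z 10.0.5.44 GET cdn.example.org /static/app.js - 200
2025-12-01T10:00:15Z 10.0.5.44 GET resolver.example.net /dns-query?dns=AAABAAABAAAAAAAAA2NpYQNnb3YAAAEAAQ - 200
""".splitlines()

if __name__ == "__main__":
    for ts, src, host in detect_unapproved_doh(SAMPLE_LOG):
        print(f"{ts} {src} -> {host}: DoH to resolver outside approved list")
```

Without TLS inspection only the destination host is visible, so the allowlist check on the host alone still applies; the path and content-type tests are what distinguish DoH from other HTTPS traffic to a multi-purpose host.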

For more information about BRICKSTORM:

2 - Adding AI to OT environments securely

Here’s one for critical infrastructure organizations looking to use artificial intelligence (AI) technology safely to improve their operations.

Cyber agencies from multiple countries this week published a guide for securely integrating AI into operational technology (OT) environments.

“Despite the many benefits, integrating AI into operational technology (OT) environments that manage essential public services also introduces significant risks,” reads the 25-page document.
The playbook, titled “Principles for the Secure Integration of Artificial Intelligence in Operational Technology,” focuses on four key principles:

  • Educate the workforce: Train all personnel – from OT engineers to senior leadership – on AI functionality, unique security risks, and secure development standards.
  • Assess the need: Conduct rigorous risk-benefit analyses, integrating AI only when the operational value clearly outweighs data security and integration risks.
  • Adopt governance: Implement frameworks for continuous assurance and regulatory compliance, including ongoing testing to detect model drift or data poisoning.
  • Embed safety by design: Build oversight into the system architecture, ensuring fail-safe mechanisms exist to revert to a safe state if the AI is compromised.

“By adhering to these principles and continuously monitoring, validating, and refining AI models, critical infrastructure owners and operators can achieve a balanced integration of AI into the OT environments that control vital public services,” reads the guide, co-authored by cyber agencies from Australia, Canada, Germany, the Netherlands, New Zealand, the U.S. and the U.K.

For more information about AI and OT:

3 - How orgs can prove the integrity of their public online info 

As AI tools make it easier for fraudsters to fabricate and spread misinformation, organizations face intensifying pressure to demonstrate to the public that their digital content is accurate and trustworthy. But how?

That’s the issue the Canadian and U.K. cyber agencies tackled this week with their jointly authored guidance “Public content provenance for organisations: Explaining why content provenance matters and how organisations can use it to verify and protect their online information.”

The document, from the U.K. National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security (CCCS), outlines how organizations can establish a verifiable history – or provenance – for their online content, proving its authenticity and integrity.
Public content provenance provides a factual, tamper-evident record of a digital artifact's origin and history. The guide uses the analogy of a "digital notary" to explain this concept: just as a notary witnesses a signature to validate a legal document, digital provenance services attest to the details of content creation and modification using cryptographic methods.

The document highlights several technologies that underpin these systems:

  • Cryptographic technologies: Trusted timestamps and public key infrastructure (PKI) bind identities to content, ensuring records cannot be altered retroactively.
  • Digital ledgers: Technologies like blockchain provide decentralized, tamper-proof records of transactions.
  • Emerging standards: The Coalition for Content Provenance and Authenticity (C2PA) is highlighted as a major industry standard developing open specifications for certifying media source and history.
  • Web archiving and watermarking: These are presented as complementary tools for preserving context and detecting alterations.
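To make the "tamper-evident record" and "cannot be altered retroactively" ideas concrete, here is a small provenance log kept as a hash chain: each record binds a content hash, a timestamp and an action to the previous record, and verification fails if any earlier entry is changed. This is an added example, not code from the NCSC/CCCS guide; it assumes an HMAC under an attestation key as a stand-in for the PKI signature and trusted timestamp a real provenance service would apply, and the notice text is constructed.

```python
"""Tamper-evident provenance log for published content, kept as a hash chain.
Added example, not from the NCSC/CCCS guide. Assumption for a stdlib-only demo:
an HMAC under an attestation key stands in for the PKI signature and trusted
timestamp a real provenance service would apply to each record."""
import hashlib, hmac, json
ATTEST_KEY = b"demo-attestation-key"   # hypothetical key of the attesting service
GENESIS = "0" * 64                     # "previous hash" of the first record
FIELDS = ("action", "ts", "content_sha256", "prev")

def _canonical(body: dict) -> bytes:
    # Fixed field set and key order, so anyone can recompute hash and attestation.
    return json.dumps({k: body[k] for k in FIELDS}, sort_keys=True).encode()

def append_record(log: list, content: bytes, action: str, ts: str) -> dict:
    body = {"action": action, "ts": ts,
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "prev": log[-1]["record_hash"] if log else GENESIS}
    canon = _canonical(body)
    rec = {**body, "record_hash": hashlib.sha256(canon).hexdigest(),
           "attestation": hmac.new(ATTEST_KEY, canon, hashlib.sha256).hexdigest()}
    log.append(rec)
    return rec

def verify_chain(log: list) -> bool:
    """True only if every record links to its predecessor and its attestation checks out."""
    prev = GENESIS
    for rec in log:
        canon = _canonical(rec)
        tag = hmac.new(ATTEST_KEY, canon, hashlib.sha256).hexdigest()
        if (rec["prev"] != prev
                or rec["record_hash"] != hashlib.sha256(canon).hexdigest()
                or not hmac.compare_digest(rec["attestation"], tag)):
            return False   # a retroactive edit anywhere breaks the chain here
        prev = rec["record_hash"]
    return True

def verify_content(log: list, content: bytes) -> bool:
    """Does the newest record attest to exactly this content?"""
    return bool(log) and log[-1]["content_sha256"] == hashlib.sha256(content).hexdigest()

# Constructed sample: a public notice that is published, then corrected.
V1 = b"Polling stations open 07:00-22:00."
V2 = b"Polling stations open 07:00-22:00. Bring photo ID."

def build_demo_log() -> list:
    log = []
    append_record(log, V1, "publish", "2025-12-01T09:00:00Z")
    append_record(log, V2, "update", "2025-12-02T09:00:00Z")
    return log
```

Backdating the first record's timestamp or swapping the content hash in any record makes verify_chain() return False, which is the retroactive-alteration property the guide attributes to trusted timestamps and ledgers; with a real signature the verifier would need only the attester's public key, not a shared secret.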

The cyber agencies warn that implementing provenance is not a one-size-fits-all solution. Organizations must weigh factors such as cost, the required duration of the record (e.g., short-term election data vs. long-term historical records), and privacy concerns. 

Moreover, the NCSC and CCCS stress that while these technologies are promising, they are currently immature and evolving, so they advise organizations to begin assessing their content lifecycles and identifying trust gaps now to prepare for future implementation.

For more information about digital content provenance:

4 - WEF: Cross-sector collab, policy reforms needed to combat cyber fraud

As cyber fraud spirals out of control, too much of the onus for preventing and mitigating it has been placed on users. 

This is the view from the World Economic Forum (WEF), which is calling on governments, industry leaders, and civil society to band together and play a bigger role.

What’s needed is to move beyond fragmented responses and build a secure-by-design digital ecosystem on resilient internet infrastructure, WEF argues in its new "Fighting Cyber-Enabled Fraud: A Systemic Defence Approach" report.

Published this week in collaboration with the Institute for Security and Technology, the report addresses the escalating global threat of phishing and cyber fraud, saying that the current approach – relying heavily on user awareness and reactive law enforcement – is insufficient given the scale and complexity of today’s digital threats. 
“Now is the time to join forces across sectors and borders to build a digital ecosystem that is secure by design and resilient by default,” the report reads.

WEF calls for a "systemic approach" to defense, which would shift the burden of security upstream, moving away from end-users and towards the infrastructure providers and large-scale operators best positioned to implement widespread safeguards.

The proposed framework is built upon three complementary pillars:

  1. Prevention: This involves structurally reducing the ability of malicious actors to acquire and operate digital infrastructure. Key measures include strengthening risk-based due diligence in domain registration and web hosting to detect and block abuse before it can be deployed.
  2. Protection: The goal here is to embed safety by default into consumer-facing services. The report calls for proactive, scalable solutions within critical tools like emails, browsers, and messaging platforms to automatically shield users from fraud. Governments are encouraged to support this through national coordination hubs and targeted regulations.
  3. Mitigation: Recognizing that some attacks will succeed, this pillar focuses on rapid, collective response. It emphasizes ecosystem-wide signal sharing—exchanging verified threat data while preserving privacy—and utilizing AI-assisted detection to respond to threats at the necessary speed and scale.

“The path forward is clear and within reach: shift the burden of security upstream to those best positioned to act, embed protection as the default rather than the exception and connect the fragmented efforts already under way into a coordinated global response,” the report reads.

5 - FBI: Fraudsters impersonate banks to hijack accounts

Businesses and individuals should protect themselves against financial account-takeover (ATO) fraud, which has cost victims $262 million so far this year.

That’s the warning the U.S. Federal Bureau of Investigation (FBI) made in a public service announcement, saying its Internet Crime Complaint Center (IC3) has received over 5,100 complaints about this scheme in 2025.

“In ATO fraud, cyber criminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain,” the alert reads.
Here’s how it works: Cybercriminals mimic bank staff or websites to steal login credentials and funds. Attackers often utilize social engineering, contacting victims through texts, calls, or emails while posing as support personnel. They manipulate account holders into providing usernames, passwords, and multi-factor authentication (MFA) codes. Criminals may even transfer victims to accomplices impersonating law enforcement to legitimize the request.

Attackers may also purchase ads so that phishing websites appear as top results on search engines, tricking a bank’s customers into entering their login credentials on the fraudulent sites. Once access is gained, fraudsters typically wire funds to cryptocurrency wallets for quick, untraceable dispersal and lock the victim out of the account.

To mitigate these risks, the IC3 advises the public to:

  • Avoid clicking on search engine ads to access banking sites; use bookmarks instead.
  • Verify unsolicited calls by hanging up and dialing the institution's official number.
  • Enable MFA and use complex, unique passwords.
  • Limit personal information shared on social media.

For more information about ATO attacks:
