Quick Facts
- Category: Cybersecurity
- Published: 2026-05-05 09:54:29
Introduction
Recent research from Google Threat Intelligence Group (GTIG) has unveiled a sophisticated campaign named BRICKSTORM that directly targets virtualized environments, specifically the VMware vSphere ecosystem. Attackers achieve persistence at the virtualization layer, operating below the guest OS where traditional security tools like EDR are ineffective. This guide provides a structured approach to hardening your vCenter Server Appliance (VCSA) and ESXi hosts against such threats. By following these steps, you can transform your virtualization layer into a fortified, monitored environment.

What You Need
- Access to vCenter Server Appliance (VCSA) with administrative privileges
- ESXi hosts managed by the VCSA
- The Mandiant vCenter Hardening Script (optional but recommended)
- Basic understanding of Photon Linux command line and vSphere concepts
- Appropriate change management approval for production changes
- Backup of VCSA configuration and current state
- An active VMware support contract for patching
Step-by-Step Hardening Guide
Step 1: Understand the BRICKSTORM Attack Chain
Review the attack flow documented by GTIG: attackers exploit weak identity designs, lack of configuration enforcement, and limited visibility in the virtualization layer. They compromise VCSA first (often via stolen credentials or weak authentication), then pivot to ESXi hosts, and ultimately gain administrative control over all VMs. Recognizing this pattern helps prioritize defenses.
Step 2: Assess Current vSphere Security Posture
Perform an inventory of your vSphere environment:
- Check the VCSA version and patch level and confirm it is up to date.
- Review current authentication methods (e.g., vCenter Single Sign-On, LDAP, AD integration).
- Audit user permissions and roles – remove overly permissive accounts.
- Verify that logging is enabled and forwarded to a SIEM.
- Document any existing hardening measures.
Step 3: Harden the vCenter Server Appliance (OS Layer)
The VCSA runs on a Photon Linux OS. Default configurations are insufficient for Tier-0 workloads. Use the following measures:
- Apply the Mandiant vCenter Hardening Script: This script automates configurations at the Photon Linux layer. Download it from Mandiant's official repository. Run the script with administrative privileges on the VCSA.
- Manually configure if the script cannot be used:
  - Disable unnecessary services (e.g., unused web services).
  - Harden SSH access: use key-based authentication, change the default port, disable root login.
  - Configure firewall rules – restrict inbound traffic to only required ports (443, 902, 903).
  - Enable auditing with auditd and forward logs to a centralized server.
- Apply OS-level security patches regularly.
Step 4: Implement Strong Identity and Access Controls
Attackers often exploit weak authentication. Mitigate by:
- Enforcing multi-factor authentication (MFA) for all vCenter administrative access, especially via web browser and API.
- Using role-based access control (RBAC) with the principle of least privilege. Avoid assigning administrator rights to service accounts.
- Regularly reviewing and revoking unused accounts.
- Integrating with a privileged access management (PAM) solution for credential rotation.
Step 5: Enable Comprehensive Logging and Monitoring
The virtualization layer lacks standard endpoint agents. Therefore, enable at a minimum:

- vCenter Events and Tasks: Forward to syslog or SIEM.
- ESXi Host Logs: Configure syslog on each ESXi host (use vCenter to centralize).
- Photon OS Logs: Monitor /var/log/messages, authentication logs, and kernel logs.
- Audit Trails: Use the vSphere API to poll for configuration changes.
- Set up alerts for suspicious activities like unauthorized login attempts, privilege escalations, or unusual network connections from VCSA.
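As an added example that is not part of the original guide, this bash script applies the Step 5 alerting points to sshd authentication lines of the kind Photon OS writes to /var/log/messages: failures per source, brute-force candidates above a threshold, and a successful login that follows failures from the same source. The log lines, hostname and addresses are constructed.

```shell
#!/usr/bin/env bash
# Detection over Photon OS sshd authentication lines (as written to
# /var/log/messages): failed logins per source, brute-force candidates,
# and a success that follows failures from the same source.
# The log sample is constructed for this example, not captured from a real VCSA.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  5 09:50:01 vcsa sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  5 09:50:03 vcsa sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  5 09:50:05 vcsa sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May  5 09:50:09 vcsa sshd[1205]: Accepted publickey for vcadmin from 10.10.0.21 port 40022 ssh2: ED25519 SHA256:constructed
May  5 09:51:12 vcsa sshd[1207]: Failed password for root from 203.0.113.7 port 51250 ssh2
May  5 09:52:40 vcsa sshd[1209]: Accepted password for root from 203.0.113.7 port 51260 ssh2
May  5 09:53:01 vcsa sshd[1211]: Failed password for vcadmin from 10.10.0.21 port 40030 ssh2
EOF

# failed_logins_by_source FILE -> "count source" lines, highest count first
failed_logins_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# brute_force_sources FILE THRESHOLD -> sources with at least THRESHOLD failures
brute_force_sources() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# success_after_failures FILE -> "user source" for each accepted login that
# followed earlier failures from the same source (an account-takeover indicator)
success_after_failures() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { f[$(i+1)]++; break }
       }
       /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
         for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") s = $(i+1) }
         if (f[s] > 0) print u, s
       }' "$1"
}

# Demonstration with an alert threshold of 3 failures per source
echo "Failed logins by source:"; failed_logins_by_source "$SAMPLE_LOG"
echo "Brute-force candidates:"; brute_force_sources "$SAMPLE_LOG" 3
echo "Success after failures:"; success_after_failures "$SAMPLE_LOG"
```

The same three queries translate directly into SIEM correlation rules once the Photon OS logs are forwarded; the "success after failures" case is the one worth paging on.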
Step 6: Harden ESXi Hosts
ESXi is the final target after VCSA compromise. Harden each host:
- Lockdown mode: Enable Lockdown Mode in vCenter so the host is managed only through vCenter and direct root SSH access is blocked.
- Remove unnecessary services (e.g., Shell, SSH, if not needed for management).
- Use host profiles to enforce consistent security settings across all hosts.
- Configure the built-in firewall – restrict management traffic to specific subnets.
- Apply the ESXi Security Configuration Guide from VMware.
Step 7: Regularly Audit and Update Configurations
Hardening is an ongoing process. Schedule periodic reviews:
- Quarterly audits of vSphere permissions and firewall rules.
- Monthly patch updates for VCSA and ESXi (consider using vSphere Update Manager).
- Annual penetration testing of the virtualization layer.
- Stay informed about new threats like BRICKSTORM – subscribe to VMware security advisories and GTIG reports.
Using the Mandiant vCenter Hardening Script
The script enforces configurations at the Photon Linux layer, such as disabling unused services, hardening SSH, and enabling logging. Download it from Mandiant's GitHub. Follow the script's documentation for execution. Always test in a non-production environment first.
Tips for Success
- Understand that BRICKSTORM leverages weak design, not vulnerabilities. Strong identity controls and proper configuration are your best defenses.
- Automate where possible. Use the Mandiant script as a starting point and integrate hardening into your CI/CD pipeline.
- Monitor the control plane continuously. Without EDR, rely on robust logging and anomaly detection.
- Engage with the security community. Follow GTIG and Mandiant for updated threat intelligence.
- Document all changes. Maintain a baseline configuration to quickly detect deviations.
- Train administrators on the unique risks of the virtualization layer and how to respond to alerts.