Why is BRICKSTORM particularly difficult to detect in VMware environments?

BRICKSTORM is designed to evade detection by targeting vCenter appliances that typically don't run endpoint protection tools and masquerading as legitimate processes. This makes it extremely stealthy and allows it to persist undetected in infrastructure components that are often blind spots for traditional security tools.

How does Rubrik prevent accidentally restoring infected backups?

Rubrik enables immediate quarantine of infected snapshots through RBAC-controlled actions, locking them to prevent restoration. The system automatically identifies non-quarantined, non-anomalous recovery points and can quarantine threats at both the snapshot level and file level, ensuring only clean data is restored.

Hunting BRICKSTORM Backdoor in VMware vCenter Backups

Name: Hunting BRICKSTORM Backdoor in VMware vCenter Backups
Uploaded: 2026-05-11T18:05:30-04:00
Duration: 4 min 24 s
Description: Is your VMware environment secure? A sophisticated backdoor called BRICKSTORM, used by espionage actor UNC5221, could be hiding in your vCenter backups right now. Restoring from a compromised snapshot means letting the attackers right back in. But what...

Rubrik

05/11/2026

0 (0%)

Report Like Favorite

TL;DR

BRICKSTORM backdoor targets VMware vCenter appliances and can persist in backup snapshots, creating reinfection risk during recovery operations if compromised backups are restored.
Rubrik Security Cloud enables proactive threat hunting across backup repositories using YARA rules and file hashes, scanning historical recovery points to identify infected snapshots before restoration.
Infected snapshots can be immediately quarantined through RBAC-controlled actions, preventing accidental restoration while identifying the most recent clean recovery point for safe restoration operations.

Summary

This demonstration addresses the BRICKSTORM backdoor threat targeting VMware vCenter environments, showing how Rubrik Security Cloud enables proactive threat detection within backup data. The video walks through the complete workflow for identifying compromised vCenter backups using YARA rules and file hash indicators of compromise provided by Google's Threat Intelligence team. BRICKSTORM, associated with espionage actor UNC5221, is particularly dangerous because it targets infrastructure components that typically lack endpoint protection and can persist in backup snapshots, creating a reinfection risk during recovery operations. The demo illustrates how Rubrik's Advanced Threat Hunting capability scans historical recovery points, quarantines infected snapshots to prevent accidental restoration, and identifies clean recovery points for safe restoration. This approach transforms backup repositories from passive storage into active security assets, enabling organizations to detect threats that evade traditional security tools and recover to verified clean states. The workflow emphasizes containment through snapshot quarantine and strategic recovery planning in coordination with incident response teams and vendor guidance.

Chapters

0:00 - BRICKSTORM Threat Overview
1:11 - Initiating Advanced Threat Hunt
1:33 - Adding Indicators of Compromise
2:25 - Quarantining Infected Snapshots
3:01 - Clean Recovery Strategy

Key Quotes

0:20 "Recently, Rubrik Zero Labs issued a high-priority advisory for Brickstorm because our systems have already flagged files in our customers' vCenter backups that match its indicators of compromise."
0:54 "The most dangerous part? This backdoor could be living in your backups, waiting to be restored and reopen the attacker's foothold."
4:08 "This is how Rubrik turns your backup data from a safety net into a strategic asset for cyber resilience."

Categories:

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

05/12/2026

01:00 PM

05/12/2026

Transforming Perceptions of AI Risks and Threats through Data Lineage Insights

https://www.truthinit.com/index.php/channel/1895/transforming-perceptions-of-ai-risks-and-threats-through-data-lineage-insights/
05/12/2026

11:30 PM

05/12/2026

Implementing Effective Strategies for Active Directory Security and Data Protection

https://www.truthinit.com/index.php/channel/1888/implementing-effective-strategies-for-active-directory-security-and-data-protection/
05/13/2026

01:00 AM

05/13/2026

Transforming the Black Box: Revealing AI Risks and Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1890/transforming-the-black-box-revealing-ai-risks-and-threats-through-data-lineage/
05/13/2026

05:00 AM

05/13/2026

Transforming Data Lineage: Revealing AI Risks and Hidden Threats

https://www.truthinit.com/index.php/channel/1894/transforming-data-lineage-revealing-ai-risks-and-hidden-threats/
05/19/2026

01:00 PM

05/19/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Deployment Phases

https://www.truthinit.com/index.php/channel/1936/establishing-a-robust-ai-governance-framework-for-genai-throughout-deployment-phases/
05/20/2026

08:00 AM

05/20/2026

Establishing a Robust AI Governance Framework for GenAI Throughout Its Lifecycle

https://www.truthinit.com/index.php/channel/1937/establishing-a-robust-ai-governance-framework-for-genai-throughout-its-lifecycle/
05/20/2026

10:00 PM

05/20/2026

APAC: Establishing an AI Governance Framework for GenAI Throughout the Deployment Process

https://www.truthinit.com/index.php/channel/1953/establishing-an-ai-governance-framework-for-genai-throughout-the-deployment-process/
05/21/2026

11:00 AM

05/21/2026

The Autonomous Era: Orchestrating a Resilient Enterprise

https://www.truthinit.com/index.php/channel/1372/the-autonomous-era-orchestrating-a-resilient-enterprise/
05/27/2026

04:00 AM

05/27/2026

Rivoluziona i rischi dell'AI in opportunità con Netskope AI Security

https://www.truthinit.com/index.php/channel/1925/rivoluziona-i-rischi-dellai-in-opportunità-con-netskope-ai-security/
05/27/2026

10:00 AM

05/27/2026

Harnessing AI: Transitioning from Illusion to Purposeful Mastery

https://www.truthinit.com/index.php/channel/1924/harnessing-ai-transitioning-from-illusion-to-purposeful-mastery/
05/28/2026

01:00 PM

05/28/2026

AI in the Fast Lane: Effectively Managing AI Security for Small Teams

https://www.truthinit.com/index.php/channel/1951/ai-in-the-fast-lane-effectively-managing-ai-security-for-small-teams/
06/02/2026

01:00 PM

06/02/2026

Spring of Satori: Delving into Recent Findings and the 2026 Threat Landscape

https://www.truthinit.com/index.php/channel/1930/spring-of-satori-delving-into-recent-findings-and-the-2026-threat-landscape/
06/04/2026

02:00 AM

06/04/2026

Mastering the Unseen: Managing Shadow AI and Agentic MCP Traffic

https://www.truthinit.com/index.php/channel/1948/mastering-the-unseen-managing-shadow-ai-and-agentic-mcp-traffic/
06/16/2026

07:00 AM

06/16/2026

Transforming Data Risk into Actionable Priorities: What to Address First

https://www.truthinit.com/index.php/channel/1952/transforming-data-risk-into-actionable-priorities-what-to-address-first/