Transcript
There are a lot of urgent security advisories going around every day, but when you find one that gets talked about frequently and references core infrastructure components in your environment, it's definitely time to take notice. But how will you know if your organization may be facing one of these critical, active threats? Recently, Rubrik Zero Labs issued a high-priority advisory for Brickstorm because our systems have already flagged files in our customers' vCenter backups that match its indicators of compromise. This signifies a high probability of compromise by the espionage actor UNC-5221, as detailed in public reporting from Google's Threat Intelligence team. This backdoor is extremely stealthy, designed to evade detection by targeting systems like vCenter appliances that typically don't run endpoint protection tools and masquerading as legitimate processes. The most dangerous part? This backdoor could be living in your backups, waiting to be restored and reopen the attacker's foothold. Today, I'm going to show you how you can use the Rubrik Security Cloud to identify this threat, contain it, and put yourself on the road to recovering vCenter to a state prior to the existence of the threat. First, we need to find every instance of this threat across our recovery points. From the Rubrik dashboard, we'll navigate to Data Threat Analytics, and then select the Hunts tab. Here, we click Start Threat Hunt, and select Advanced Threat Hunt, which will give us a more thorough investigation. And then we select our vCenter servers. Now for the most important part, adding the indicators of compromise from the guidance document. Google provided nine YAR rules. It's important to add these individually, but we'll use the magic of video editing to speed up this process. Google also provided three file hash values, which we can add alongside the YAR rules. Fortunately, we can paste in all three hashes as a comma-delimited group. After naming this hunt, we can define how far back we want to scan. These advanced threat hunts can take some time, so we'll start by searching back one week. We can always go back further with another hunt later. We'll also set some limits to help it run faster. For Brickstorm, we'll want to search for all IOCs, but can limit the size of files, essentially skipping over anything over 1.5 megabytes. We'll also explicitly include all files. And now we can start our threat hunt. The hunt is complete, and as you can see, we have one object that matched our IOCs, confirming the threat is present in the backups of one of our vCenter servers. Our immediate priority is containment. We cannot allow these infected backups to be used for any type of restore. We must quarantine all snapshots taken within this time range. Right from this results screen, I can select an infected snapshot and apply a quarantine. This action immediately locks the snapshot, preventing anyone without permission from accidentally restoring the attacker's backdoor into our production environment. Now that we've contained the threat, we need to recover. We'll export it as a new virtual machine. And by selecting the non-quarantine and non-anomalous, we can see that it's picking the most recent version that was not infected. With RBAC permissions in place, there is less risk of accidentally reintroducing the backdoor. There are a number of variables that need to be considered for how to recover and how much data you can afford to lose. In some cases, you may need to restore individual files from a more recent snapshot into a clean install or older recovery. We recommend following Broadcom's documentation, working with Rubrik support and our ransomware response team, and any other incident response teams your company works with. Fortunately, Rubrik will also quarantine at the file level the affected files. Whichever recovery path you take, Rubrik tried to make it easy to get back to clean. By using Rubrik Advanced Threat Hunting, we were able to find a highly elusive threat inside our backups, quarantine the infected snapshots, and most importantly, identify a guaranteed clean snapshot to enable a fast and safe recovery. This is how Rubrik turns your backup data from a safety net into a strategic asset for cyber resilience. Thanks for watching. For more information, please visit rubrik.com.
