Summary
The China-nexus threat cluster known as UNC5221 is actively exploiting F5 BIG-IP appliances following a confirmed breach of F5's internal network in which BIG-IP source code and vulnerability data were stolen, according to a new report from Resecurity. UNC5221 uses a custom-built toolkit centered on the BRICKSTORM backdoor against F5 BIG-IP devices.
BRICKSTORM is a statically linked Go ELF executable, built with no external dependencies so that it can be dropped onto resource-limited edge appliances as a single file. Its design goals are stealth and persistence, achieved through a covert command-and-control (C2) tunnel: the backdoor opens an outbound TLS connection, negotiates HTTP/2, and then establishes a WebSocket over that connection, so the traffic closely mimics legitimate web communication. Over that single WebSocket/HTTP/2 connection it runs the Yamux library to multiplex multiple logical streams, which keeps the network footprint to one connection and lets the operator run concurrent tasks such as data exfiltration and network pivoting without opening additional, more easily detected connections. For defenders this matters: from the network side the implant presents as one long-lived outbound TLS session from the appliance, so connection-count and beaconing-frequency heuristics see a single flow rather than many.
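To make the multiplexing concrete, here is an added example (not Resecurity's or the malware author's code) that demultiplexes a yamux byte stream into its per-stream payloads, which is what an analyst would do with the inner traffic recovered from a decrypting proxy or memory. It assumes the input is the byte stream left after TLS decryption and WebSocket unframing, and that the frame layout is the 12-byte big-endian header from the hashicorp/yamux spec (version, type, flags, stream ID, length); the sample traffic, a SOCKS5 pivot interleaved with an upload and a keepalive ping, is constructed.

```python
"""Demultiplex a captured yamux byte stream into per-stream payloads.

Added example, not code from the report or from BRICKSTORM. Assumes the
12-byte big-endian yamux header (version, type, flags, stream ID, length)
and that Data frames carry `length` body bytes while the other frame types
reuse the length field as a value. Sample traffic below is constructed.
"""
import struct
from collections import defaultdict

HEADER = struct.Struct(">BBHII")  # version, type, flags, stream_id, length
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GOAWAY = 0, 1, 2, 3
FLAG_SYN, FLAG_ACK, FLAG_FIN, FLAG_RST = 1, 2, 4, 8


def frame(ftype, flags, stream_id, payload=b"", value=0):
    """Encode one yamux frame; only Data frames carry a body, the other types
    reuse the length field as a value (window delta, ping opaque, goaway code)."""
    if ftype == TYPE_DATA:
        return HEADER.pack(0, ftype, flags, stream_id, len(payload)) + payload
    return HEADER.pack(0, ftype, flags, stream_id, value)


def demux(raw):
    """Walk the frames and return ({stream_id: reassembled bytes}, [events])."""
    streams, events, off = defaultdict(bytes), [], 0
    while off + HEADER.size <= len(raw):
        version, ftype, flags, sid, length = HEADER.unpack_from(raw, off)
        off += HEADER.size
        if version != 0:
            raise ValueError(f"bad yamux version {version} at offset {off - HEADER.size}")
        if ftype == TYPE_DATA:
            if off + length > len(raw):
                raise ValueError(f"truncated Data frame for stream {sid}")
            streams[sid] += raw[off:off + length]
            off += length
        if ftype in (TYPE_DATA, TYPE_WINDOW_UPDATE):
            # streams are opened with SYN and torn down with FIN/RST on these types
            if flags & FLAG_SYN:
                events.append(f"stream {sid} opened")
            if flags & (FLAG_FIN | FLAG_RST):
                events.append(f"stream {sid} closed")
        elif ftype == TYPE_PING:
            events.append(f"ping 0x{length:x}")
        elif ftype == TYPE_GOAWAY:
            events.append(f"goaway code {length}")
    if off != len(raw):
        raise ValueError(f"{len(raw) - off} trailing bytes")
    return dict(streams), events


def classify(payload):
    """Rough label for what a reassembled stream carried."""
    if payload[:1] == b"\x05":
        return "socks5"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"CONNECT"):
        return "http"
    return "unknown"


# Constructed sample: a SOCKS5 pivot on stream 1 interleaved with an upload on
# stream 3 and a session-level ping (stream 0), all inside one connection.
SAMPLE = b"".join([
    frame(TYPE_DATA, FLAG_SYN, 1, b"\x05\x01\x00"),                      # SOCKS5 greeting
    frame(TYPE_DATA, FLAG_SYN, 3, b"POST /upload HTTP/1.1\r\n"),
    frame(TYPE_PING, FLAG_SYN, 0, value=0x1234),
    frame(TYPE_DATA, 0, 1, b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbb"),  # CONNECT 10.0.0.5:443
    frame(TYPE_DATA, FLAG_FIN, 3, b"Content-Type: multipart/form-data\r\n\r\n"),
])

if __name__ == "__main__":
    streams, events = demux(SAMPLE)
    for sid, data in streams.items():
        print(f"stream {sid}: {classify(data)} ({len(data)} bytes)")
    print("\n".join(events))
```

The point the demo makes is that two unrelated activities, a SOCKS pivot and an HTTP upload, share one transport and only become visible as separate conversations after demultiplexing; flow-level telemetry never sees the boundary between them.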
Once the C2 channel is established, UNC5221 runs a SOCKS-style proxy over the same multiplexed channel to pivot from the BIG-IP device's management IP into the victim's internal network; pivoted connections therefore originate from that management address, so connections from it to internal hosts the appliance has no business reaching are worth hunting. Data exfiltration is wrapped as multipart/form-data with base64 or quoted-printable transfer encoding and compression, so that it resembles an ordinary file upload. The attack relies on small deployment scripts for staging and persistence, plus a separate servlet filter web component used to harvest credentials after the foothold. Because no C2 parameters are hardcoded in the binary, Resecurity assesses that the actor delivers C2 instructions dynamically during the initial exploitation phase, either through a zero-day or through weakly secured services.
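The following added example (not Resecurity's or the malware's code) unwraps the exfiltration layering the paragraph above describes, multipart/form-data, then base64 or quoted-printable, then compression, and flags parts where a compressed blob sits under a text transfer encoding, which is unusual for a genuine browser upload. It assumes the captured request body is complete and that the compression layer is gzip or zlib, recognised by magic bytes; the attacker-side packer and the sample body are constructed for the demo.

```python
"""Unwrap layered exfiltration: multipart/form-data -> base64 or
quoted-printable -> gzip/zlib -> plaintext, and flag the pattern.

Added example, not code from the report or from BRICKSTORM. Assumes a complete
multipart/form-data body and gzip/zlib compression (magic-byte detection).
The packer and sample body below are constructed.
"""
import base64
import gzip
import quopri
import zlib
from email import message_from_bytes
from email.policy import default

BOUNDARY = "----geckoformboundary4f2a1c"  # constructed


def inflate(blob):
    """Strip a gzip or zlib layer if present; return (data, scheme)."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob), "gzip"
    if blob[:1] == b"\x78" and blob[1:2] in (b"\x01", b"\x5e", b"\x9c", b"\xda"):
        return zlib.decompress(blob), "zlib"
    return blob, "none"


def unwrap_multipart(body, content_type):
    """Parse the body and undo each part's transfer encoding and compression."""
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body, policy=default)
    parts = []
    for part in msg.iter_parts():
        wire = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        data, scheme = inflate(wire)
        parts.append({
            "name": part.get_param("name", header="content-disposition"),
            "filename": part.get_filename(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "compression": scheme,
            "wire_size": len(wire), "size": len(data), "data": data,
        })
    return parts


def flag(parts):
    """Reasons an upload looks like wrapped exfiltration rather than a plain file."""
    reasons = []
    for p in parts:
        if p["compression"] != "none" and p["cte"] in ("base64", "quoted-printable"):
            reasons.append(f"{p['name']}: {p['compression']} inside {p['cte']} "
                           f"({p['wire_size']} -> {p['size']} bytes)")
    return reasons


# --- constructed sample: what the sending side would produce ---
def pack_part(name, filename, data, cte, compress=False):
    if compress:
        data = gzip.compress(data)
    if cte == "base64":
        encoded = base64.encodebytes(data)
    elif cte == "quoted-printable":
        encoded = quopri.encodestring(data)
    else:
        encoded = data
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n'
            f'Content-Transfer-Encoding: {cte}\r\n\r\n').encode()
    return head + encoded + b"\r\n"


SECRET = b"constructed bigip.conf excerpt: auth user admin { password-hash $6$... }\n" * 20
NOTE = b"host=bigip-01 role=mgmt pivot=10.0.0.5:443\n"
SAMPLE_BODY = (pack_part("file", "report.pdf", SECRET, "base64", compress=True)
               + pack_part("meta", "meta.txt", NOTE, "quoted-printable")
               + f"--{BOUNDARY}--\r\n".encode())
SAMPLE_CT = f"multipart/form-data; boundary={BOUNDARY}"

if __name__ == "__main__":
    parsed = unwrap_multipart(SAMPLE_BODY, SAMPLE_CT)
    for p in parsed:
        print(p["name"], p["filename"], p["cte"], p["compression"], p["size"], "bytes")
    print("\n".join(flag(parsed)) or "nothing flagged")
```

Run it against a body captured at a TLS-terminating proxy to recover what actually left the network; the flag() heuristic is a starting point for a detection rule, not a verdict, since legitimate clients occasionally compress before encoding.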
Indicators of Compromise
Resecurity has released indicators of compromise associated with UNC5221 activity; they are listed below:
SHA-256: 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
Filename: Pg_update
Classification: BRICKSTORM (Go ELF backdoor)
Notes: Named as a system/update helper to blend in.

SHA-256: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
Filename: Listener
Classification: BRICKSTORM (Go ELF backdoor)
Notes: Listener component used for C2/socket handling.

SHA-256: aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
Filename: Vmprotect
Classification: BRICKSTORM (Go ELF backdoor)
Notes: VMProtect-protected build.
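As an added example (not Resecurity's tooling), the script below sweeps a filesystem tree, such as a BIG-IP forensic image mounted on an analyst workstation, for the three hashes and filenames above. It also applies a Go-ELF heuristic that is this example's own assumption rather than anything from the report: it looks for the ELF magic together with the "\xff Go buildinf:" marker that Go binaries carry, which flags any Go binary on the appliance, not only BRICKSTORM, so those hits need manual review. The demo() tree it builds is constructed.

```python
"""Sweep a directory tree for the published BRICKSTORM IOCs plus a Go-ELF heuristic.

Added example, not Resecurity's tooling. Hashes and filenames are the ones in
the IOC list; the Go-ELF check (ELF magic + Go build-info marker) is an
assumption of this example and flags every Go binary, so review hits manually.
"""
import hashlib
import os
import tempfile

IOC_HASHES = {
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035": "BRICKSTORM (Pg_update)",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df": "BRICKSTORM (Listener)",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878": "BRICKSTORM (Vmprotect)",
}
IOC_NAMES = {"pg_update", "listener", "vmprotect"}
ELF_MAGIC = b"\x7fELF"
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # marker Go embeds in its binaries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_go_elf(path):
    with open(path, "rb") as f:
        if f.read(4) != ELF_MAGIC:
            return False
        f.seek(0)
        return GO_BUILDINFO_MAGIC in f.read()


def sweep(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Return (path, kind, detail) triples; kind is 'hash', 'name' or 'go-elf'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in hashes:
                findings.append((path, "hash", hashes[digest]))
            if fn.lower() in names:
                findings.append((path, "name", f"IOC filename {fn}"))
            if looks_like_go_elf(path):
                findings.append((path, "go-elf", "Go ELF binary; confirm it is expected on this appliance"))
    return findings


def demo():
    """Constructed tree: a fake Go ELF named like the IOC, with its own hash added to
    the lookup so the hash path is exercised (the real IOC hashes will not match)."""
    with tempfile.TemporaryDirectory() as root:
        fake = os.path.join(root, "Pg_update")
        with open(fake, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 57 + GO_BUILDINFO_MAGIC + b"\0" * 16)
        with open(os.path.join(root, "bigip.conf"), "w") as f:
            f.write("ltm virtual vs_https { }\n")
        hashes = dict(IOC_HASHES, **{sha256_file(fake): "constructed test hash"})
        return sorted(kind for _, kind, _ in sweep(root, hashes=hashes))


if __name__ == "__main__":
    import sys
    for path, kind, detail in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:7} {path}: {detail}")
```

Run it as `python sweep.py /mnt/bigip-image`; a hash hit is conclusive, a name hit is a lead, and a go-elf hit is only worth attention if the binary is not part of the shipped appliance image.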