F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness

Written by Admin | Oct 31, 2025 4:00:00 AM

Hey folks, Dave Glover here with some critical intel you need to act on right now. On October 15, 2025, F5 dropped a bombshell disclosure that's sending shockwaves through our industry—a nation-state threat actor, tracked as UNC5221 (China-nexus), maintained persistent access to F5's corporate network for over 12 months, exfiltrating BIG-IP source code and undisclosed vulnerability intelligence. CISA immediately issued Emergency Directive ED-26-01, and for good reason—this isn't just another breach, it's a strategic supply chain compromise with massive downstream implications.

If you're running F5 BIG-IP appliances (and let's be honest, who isn't?), you need to be threat hunting right now. This post will arm you with the knowledge and NetWitness queries to detect BRICKSTORM backdoor activity and related TTPs in your environment.

The Breach: What Happened

F5 discovered the intrusion on August 9, 2025, but evidence suggests UNC5221 had been inside since at least mid-2024.

The attackers exfiltrated:

  • Portions of BIG-IP source code across multiple modules (all BIG-IP products affected)
  • Information about undisclosed vulnerabilities
  • Engineering knowledge management system data

The stolen source code dramatically increases the risk of rapid zero-day discovery and weaponization. F5 has since released patches for over 20 vulnerabilities spanning BIG-IP (all modules), F5OS-A/C, and BIG-IP Next. Key CVEs include:

  • CVE-2025-53868 (BIG-IP all modules)
  • CVE-2025-61955 (F5OS-A; F5OS-C)
  • CVE-2025-60016 (BIG-IP all modules; BIG-IP Next SPK; BIG-IP Next CNF)
  • ...and 20+ more

Full vulnerability list available at: https://my.f5.com/manage/s/article/K000154696

Meet BRICKSTORM: The Appliance Whisperer

UNC5221's weapon of choice is BRICKSTORM, a Go-based backdoor specifically engineered to compromise network appliances that don't support traditional EDR. Here's what makes it dangerous:

Technical Capabilities:

  • Statically-linked Go ELF binary (linux/amd64)—completely self-contained, no dependencies
  • HTTP/2 over TLS with WebSocket upgrade for persistent C2 tunnel
  • Yamux multiplexing—multiple logical streams over a single socket (legacy SPDY-inspired tech from 2009)
  • Built-in SOCKS proxy for TCP pivoting and lateral movement
  • Multipart/form-data exfiltration with base64/quoted-printable encoding and compression to blend with legitimate web traffic
  • No hardcoded domains or credentials - all supplied at runtime

Operational Security:

  • Average dwell time: 393 days
  • Minimal security telemetry generation
  • C2 domains never reused across victims
  • Masquerades as legitimate system processes (e.g., pg_update, vami-httpd, vmprotect)

Attack Lifecycle: How They Operate

  1. Initial Access: Exploitation of internet-exposed BIG-IP management interfaces (likely zero-days)
  2. Establish Foothold: Deploy BRICKSTORM on appliances (F5 BIG-IP, VMware vCenter/ESXi, network edge devices)
  3. Persistence: Modify systemd, init.d, or rc.local to auto-start backdoor on reboot
  4. Credential Harvesting: Deploy BRICKSTEAL (Java Servlet filter) on vCenter to capture credentials; Clone VMs of Domain Controllers, password vaults, SSO providers
  5. Lateral Movement: SSH to appliances using stolen credentials; SOCKS proxy from appliance management IPs
  6. Complete Mission: Exfiltrate emails via Microsoft Entra ID Enterprise Applications; Download source code repositories as ZIP archives

NetWitness Detection: Sample Queries to Hunt BRICKSTORM

Alright, enough theory—let's get to the good stuff. Here are NetWitness queries you can run right now to hunt for indicators of BRICKSTORM activity and UNC5221 TTPs in your environment.

  1. Hunt for Suspicious HTTP/2 + WebSocket Traffic from Appliances
    BRICKSTORM uses HTTP/2 negotiation via ALPN and upgrades connections to WebSocket for persistent C2. Appliance management IPs should rarely establish outbound HTTP/2 or WebSocket connections.

    # Detect HTTP/2 traffic from known appliance subnets
    ip.src = '<your_appliance_subnet>' && http.version = '2.0'

    # Detect WebSocket upgrade requests from appliances
    ip.src = '<your_appliance_subnet>' && http.header contains 'Upgrade: websocket'

    # Combine both for high-fidelity alert
    ip.src = '<your_appliance_subnet>' && (http.version = '2.0' || http.header contains 'Upgrade: websocket')

    Pro Tip: Create a meta key for your appliance management IPs (BIG-IP, vCenter, ESXi, VPN concentrators, firewalls) and substitute with your actual ranges.

  2. Detect Yamux Multiplexing Protocol Signatures
    BRICKSTORM uses Yamux (SPDY-inspired multiplexing) over TLS. While Yamux traffic is encrypted, you can look for patterns in connection behavior and TLS characteristics.

    # Look for persistent long-duration TLS sessions from appliances
    ip.src = '<your_appliance_subnet>' && service = 443 && session.duration > 3600 && packets > 1000

    # Detect TLS connections with HTTP/2 ALPN from appliances
    ip.src = '<your_appliance_subnet>' && ssl.alpn = 'h2'

    # Hunt for TLS sessions to non-standard ports (Yamux can run on any port)
    ip.src = '<your_appliance_subnet>' && service != 443 && (tls.version = '1.2' || tls.version = '1.3')

  3. Identify Appliances Communicating with External IPs (Not Vendor Domains)
    Appliances should only communicate with manufacturer domains for updates and telemetry. Any other outbound connections are highly suspicious.

    # Detect outbound connections from appliances NOT to F5/VMware/known vendors
    ip.src = '<your_appliance_subnet>' && direction = 'outbound' && !(alias.host contains 'f5.com' || alias.host contains 'vmware.com' || alias.host contains '<add_your_vendor_domains>')

    # Focus on HTTPS connections to unknown destinations
    ip.src = '<your_appliance_subnet>' && service = 443 && !(alias.host contains 'f5.com' || alias.host contains 'vmware.com')

  4. Hunt for DNS over HTTPS (DoH) from Appliances
    BRICKSTORM can use DNS over HTTPS (DoH) to evade detection. Appliances should never use DoH.

    # Detect DoH queries (usually to public resolvers)
    ip.src = '<your_appliance_subnet>' && (alias.host = 'dns.google' || alias.host = 'cloudflare-dns.com' || alias.host = 'dns.quad9.net' || url contains '/dns-query')

    # Broader hunt for HTTPS to the well-known public DoH resolver IPs
    ip.src = '<your_appliance_subnet>' && (ip.dst = '8.8.8.8' || ip.dst = '1.1.1.1' || ip.dst = '9.9.9.9') && service = 443

  5. Detect Windows Logon Events Sourced from Appliances (Type 3 Network Logons)
    UNC5221 uses compromised appliances to log into Windows systems via SMB/RDP. Appliances should rarely authenticate to Windows endpoints.

    # Hunt for SMB traffic from appliances to Windows servers
    ip.src = '<your_appliance_subnet>' && service = 445 && ip.dst = '<windows_server_subnet>'

    # Detect RDP sessions initiated from appliances
    ip.src = '<your_appliance_subnet>' && service = 3389

    # Look for Kerberos/NTLM authentication from appliances
    ip.src = '<your_appliance_subnet>' && (service = 88 || service = 135 || service = 139)

    Windows Event Correlation: Enrich with Windows Event Logs (Event ID 4624 Type 3) where source IP matches appliance management IPs.
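    The enrichment step above in code, as an added example that is not part of the original post or of NetWitness: it filters Windows 4624 records (constructed sample events, JSON-serialised) down to network logons whose source address falls inside an assumed appliance management subnet, and can be widened to RDP logons (type 10) to mirror the RDP query.

```python
import ipaddress
import json

# Constructed sample Windows Security events (Event ID 4624); not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4624, "LogonType": 3, "IpAddress": "10.10.5.20",
                "TargetUserName": "svc_backup", "Computer": "DC01"}),
    json.dumps({"EventID": 4624, "LogonType": 2, "IpAddress": "-",
                "TargetUserName": "jdoe", "Computer": "WS07"}),
    json.dumps({"EventID": 4624, "LogonType": 3, "IpAddress": "192.168.40.15",
                "TargetUserName": "jdoe", "Computer": "FS01"}),
    json.dumps({"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.21",
                "TargetUserName": "Administrator", "Computer": "DC01"}),
]

# Assumed appliance management range (placeholder; substitute your own meta key values).
APPLIANCE_SUBNETS = [ipaddress.ip_network("10.10.5.0/24")]


def from_appliance(ip_text):
    """True if ip_text is a valid address inside one of the management subnets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # 4624 records carry '-' when no source address applies
        return False
    return any(ip in net for net in APPLIANCE_SUBNETS)


def hunt_network_logons(lines, logon_types=(3,)):
    """Return (computer, user, source ip, logon type) for 4624 events of the
    given logon types that were sourced from an appliance management IP."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") not in logon_types:
            continue
        if from_appliance(ev.get("IpAddress", "")):
            hits.append((ev["Computer"], ev["TargetUserName"],
                         ev["IpAddress"], ev["LogonType"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_network_logons(SAMPLE_EVENTS, logon_types=(3, 10)):
        print("appliance-sourced logon:", hit)
```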

  6. Hunt for Multipart/Form-Data Exfiltration
    BRICKSTORM exfiltrates data using multipart/form-data POST requests with base64/quoted-printable encoding and compression to mimic legitimate web traffic.

    # Detect large multipart/form-data uploads from appliances
    ip.src = '<your_appliance_subnet>' && http.method = 'POST' && content.type = 'multipart/form-data' && bytes.dst > 1048576

    # Look for base64 patterns in POST bodies (may trigger on legitimate traffic)
    ip.src = '<your_appliance_subnet>' && http.method = 'POST' && payload contains 'base64'

  7. Detect SSH Enablement and New Local Account Creation on vCenter/ESXi
    UNC5221 frequently enables SSH on vSphere appliances and creates temporary local admin accounts.

    # Hunt for SSH connections TO vCenter/ESXi management IPs
    ip.dst = '<vcenter_esxi_management_ips>' && service = 22

    # Look for SSH from unexpected internal sources
    ip.dst = '<vcenter_esxi_management_ips>' && service = 22 && !(ip.src = '<authorized_jump_boxes>')

    Log Correlation: Check vCenter audit logs (/var/log/audit/sso-events/audit_events.log) for PrincipalManagement events creating/deleting local users and SystemConfiguration.BashShellAdministrators group modifications.

  8. Detect VM Cloning Activity on vCenter
    UNC5221 clones sensitive VMs (Domain Controllers, password vaults) to extract credentials offline without triggering EDR.

    # Hunt for SMB/vSphere API traffic patterns consistent with VM cloning
    ip.src = '<vcenter_management_ip>' && (service = 443 || service = 902) && session.size > 10485760

    Log Collection: Search vCenter VPXD logs for vim.event.VmBeingClonedEvent, vim.event.VmClonedEvent, and vim.event.VmRemovedEvent, filtering for VSPHERE.LOCAL\Administrator account during 01:00-10:00 UTC.
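    The VPXD search described above as an added example, not code from the original post or from VMware: the sample lines use a constructed, simplified vpxd-style layout (timestamp, event type, user, VM), and the "01:00-10:00 UTC" window is taken as 01:00 inclusive to 10:00 exclusive.

```python
import re
from datetime import datetime, timezone

CLONE_EVENTS = {"vim.event.VmBeingClonedEvent", "vim.event.VmClonedEvent",
                "vim.event.VmRemovedEvent"}
SUSPECT_USER = r"VSPHERE.LOCAL\Administrator"

# Constructed sample lines in a simplified vpxd-style layout (not real vCenter output).
SAMPLE_VPXD = [
    "2025-10-12T03:14:07.120Z info vpxd[1a2b] event=vim.event.VmBeingClonedEvent user=VSPHERE.LOCAL\\Administrator vm=DC01",
    "2025-10-12T03:21:44.501Z info vpxd[1a2b] event=vim.event.VmClonedEvent user=VSPHERE.LOCAL\\Administrator vm=DC01-clone",
    "2025-10-12T14:02:10.003Z info vpxd[1a2b] event=vim.event.VmClonedEvent user=VSPHERE.LOCAL\\Administrator vm=web-test",
    "2025-10-12T04:55:00.000Z info vpxd[1a2b] event=vim.event.VmClonedEvent user=CORP\\vm-admin vm=app02",
    "2025-10-12T05:30:12.777Z info vpxd[1a2b] event=vim.event.VmRemovedEvent user=VSPHERE.LOCAL\\Administrator vm=DC01-clone",
    "2025-10-12T05:31:00.000Z info vpxd[1a2b] event=vim.event.VmPoweredOnEvent user=VSPHERE.LOCAL\\Administrator vm=DC01",
]

# Matches the constructed layout above; adapt the pattern to your real vpxd.log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpxd\[\w+\] event=(?P<event>\S+) user=(?P<user>\S+) vm=(?P<vm>\S+)$")


def in_window(ts, start_hour=1, end_hour=10):
    """True if the UTC timestamp falls within [start_hour, end_hour)."""
    return start_hour <= ts.hour < end_hour


def hunt_clone_events(lines, user=SUSPECT_USER):
    """Return (timestamp, event, vm) for clone/remove events by `user` in the window."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] not in CLONE_EVENTS or m["user"] != user:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if in_window(ts):
            hits.append((m["ts"], m["event"], m["vm"]))
    return hits


if __name__ == "__main__":
    for hit in hunt_clone_events(SAMPLE_VPXD):
        print("off-hours clone activity:", hit)
```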

  9. Hunt for Commercial VPN/Proxy Usage
    UNC5221 uses commercial VPN services (PIA, NordVPN, Surfshark, VPN Unlimited, PrivadoVPN) and compromised SOHO routers for obfuscation.

    # Detect connections to known commercial VPN provider IP ranges
    (asn = '<PIA_ASN>' || asn = '<NordVPN_ASN>' || asn = '<Surfshark_ASN>') && (ip.src = '<your_internal_subnets>' || ip.dst = '<your_internal_subnets>')

    # Hunt for TLS connections to VPN provider domains
    alias.host contains 'privateinternetaccess' || alias.host contains 'nordvpn' || alias.host contains 'surfshark' || alias.host contains 'vpnunlimitedapp' || alias.host contains 'privadovpn'

  10. Detect Microsoft 365 Mailbox Access via Enterprise Applications
    UNC5221 creates Entra ID Enterprise Applications with mail.read or full_access_as_app scopes to exfiltrate executive emails.

    # Hunt for unusual Graph API access patterns
    alias.host = 'graph.microsoft.com' && url contains '/mail' && http.method = 'GET'

    # Detect bulk email downloads
    alias.host = 'graph.microsoft.com' && url contains '/messages' && session.size > 10485760

    Microsoft 365 Log Correlation: Query Unified Audit Log or Sentinel OfficeActivity table for MailItemsAccessed events with Enterprise Application ClientID, focusing on source IPs from commercial VPN ranges.

  11. Baseline and Anomaly Detection: Appliance Outbound Traffic
    Create a baseline of normal appliance behavior and alert on deviations.

    # Baseline query: map all outbound destinations from appliances,
    # then pivot/aggregate the results on alias.host, ip.dst, and service
    ip.src = '<your_appliance_subnet>' && direction = 'outbound'

    # Anomaly detection: alert on NEW destinations never seen before
    ip.src = '<your_appliance_subnet>' && direction = 'outbound' && !(alias.host = '<whitelisted_vendor_domains>')

    Implementation: Run baseline weekly, export results, and create exclusion lists. Alert on any NEW connections.
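    The weekly baseline-and-diff workflow as an added example, not code from the original post or from NetWitness: it compares two constructed CSV exports of (alias.host, ip.dst, service) tuples, drops an assumed vendor exclusion list, and reports only destinations that are new since the baseline. The vendor check uses a suffix match rather than the `contains` of the queries above so that a look-alike host cannot slip through the exclusion.

```python
import csv
import io

# Constructed export of last week's outbound appliance sessions, standing in
# for a NetWitness result export; all hosts and addresses are made up.
BASELINE_CSV = """alias.host,ip.dst,service
activate.f5.com,203.0.113.10,443
callhome.f5.com,203.0.113.11,443
,198.51.100.7,123
"""

# Constructed export from the current run.
CURRENT_CSV = """alias.host,ip.dst,service
activate.f5.com,203.0.113.10,443
,198.51.100.7,123
,192.0.2.55,443
updates.vmware.com,203.0.113.40,443
,192.0.2.56,8443
"""

VENDOR_DOMAINS = ("f5.com", "vmware.com")  # assumed exclusion list; extend with your vendors


def load_destinations(text):
    """Parse an export into a set of (alias.host, ip.dst, service) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["alias.host"], r["ip.dst"], int(r["service"])) for r in rows}


def is_vendor(host):
    """Suffix match: 'activate.f5.com' is vendor traffic, 'evilf5.com' is not."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def new_destinations(baseline_text, current_text):
    """Return current destinations absent from the baseline and not on the vendor list."""
    seen = load_destinations(baseline_text)
    now = load_destinations(current_text)
    return sorted(d for d in now - seen if not is_vendor(d[0]))


if __name__ == "__main__":
    for host, ip, svc in new_destinations(BASELINE_CSV, CURRENT_CSV):
        print(f"NEW outbound destination: host={host or '-'} ip={ip} service={svc}")
```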

Indicators of Compromise (IOCs)

BRICKSTORM File Hashes (SHA-256)

  • 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035 (Pg_update)
  • 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df (Listener/spclisten)
  • aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878 (Vmprotect/vmp)

Note: UNC5221 never reuses malware samples or C2 domains across victims. Hash-based detection alone is insufficient - focus on TTP-based hunting.

Enablers of Compromise (EOCs): What Made this Possible

This is where I want to shift your thinking. Yes, we need to hunt for IOCs and detect active compromise, but let's talk about Enablers of Compromise - the underlying weaknesses that gave UNC5221 a 12-month vacation in F5's network.

Key EOCs:
  1. Internet-exposed appliance management interfaces (BIG-IP, vCenter, ESXi)
  2. Lack of centralized logging from appliances to SIEM
  3. No EDR capability on network appliances
  4. Poor appliance inventory management ("unknown unknowns")
  5. Weak network segmentation (appliances could reach Windows servers/internal apps)
  6. Insufficient monitoring of outbound traffic from management IPs
  7. Log retention gaps (393-day average dwell time exceeded most log retention)

Forward-Thinking Defense:

  • Isolate management interfaces from the internet (VPN-only access)
  • Implement zero-trust network segmentation (appliances should NOT freely access Windows/internal networks)
  • Centralize appliance logs in NetWitness with extended retention
  • Deploy decoy credentials and honeypot appliances to detect lateral movement
  • Enforce Multi-Factor Authentication for all administrative access (including vCenter, ESXi, and BIG-IP)
  • Enable vSphere Lockdown Mode and restrict SSH to authorized jump boxes

Immediate Actions: What You Need to Do Right Now

  1. Inventory ALL appliances (F5 BIG-IP, vCenter, ESXi, firewalls, and VPN concentrators) - if it doesn't support EDR, it needs to be on this list
  2. Patch F5 devices immediately to the latest fixed release
  3. Remove public exposure of F5 management interfaces or restrict access to specific IP ranges
  4. Run the NetWitness queries in this post against 12+ months of captured data (if retention allows)
  5. Review vCenter/ESXi audit logs for unauthorized VM cloning, SSH enablement, and local account creation
  6. Audit Microsoft 365 Enterprise Applications for suspicious mail.read/full_access_as_app permissions
  7. Deploy YARA rules against appliance backups and filesystems
  8. Forward appliance logs (syslog, VAMI, VPXD, and audit logs) to NetWitness for continuous monitoring

The Bigger Picture: Supply Chain Risk

This breach isn't just about F5—it's a wake-up call about the fragility of our supply chain. When a security vendor gets compromised and their source code stolen, the downstream impact cascades to every customer running those products. With over 600,000 internet-connected F5 devices globally, the attack surface is enormous.

UNC5221's targeting of legal services, SaaS providers, BPOs, and technology companies suggests objectives beyond simple espionage:

  • IP theft to fuel zero-day development
  • Access operations to establish pivot points into downstream customer environments
  • Strategic intelligence collection aligned with PRC economic interests

The fact they maintained access for over a year undetected should give every CISO and security engineer pause. Traditional signature-based defenses failed. EDR didn't exist on the compromised appliances. This is why we need TTP-based hunting, behavioral analytics, and a relentless focus on Enablers of Compromise.

Final Thoughts: Stay Vigilant

I know this is a heavy post, but the threat is real and active right now. UNC5221 is sophisticated, patient, and incredibly stealthy. They're not smash-and-grab criminals - they're nation-state operators playing the long game.

Your job is to make their life harder. Run these queries. Patch your systems. Lock down your appliances. Build detections around the TTPs, not just the IOCs. And most importantly, think forward - what conditions in your environment would enable an attacker to persist for 393 days? Fix those.

If you find something suspicious, don't hesitate to escalate and bring in forensics expertise. This is not the time for "wait and see".

Stay safe out there and keep those logs flowing.

Dave Glover
