"China's Hacker Hustle: UNC5221's Stealth Campaign Targets US Tech Titans"
Episode Synopsis
This is your Red Alert: China's Daily Cyber Moves podcast.

Listeners, Ting here! Today’s cyber weather report is red alert—China’s hacking hustle against U.S. targets just hit peak intensity, and if your job involves blinking lights and login screens, you need to strap in. Forget last year’s script: the ante has been upped by hacker group UNC5221, fresh out of the China playbook, writing new chapters in digital espionage specifically targeted at legal, SaaS, and tech firms.

So, what did UNC5221 pull? According to Mandiant and Google’s Threat Intelligence Group, since March 2025 they’ve been running a stealth campaign with a modular backdoor called BRICKSTORM—think spy toolkit meets ninja, built for Linux and BSD appliances and pivoting into VMware vCenter and ESXi hosts like they own the place. They’re exploiting zero-day vulnerabilities, sliding in before there’s even a patch, and the average time these baddies lurk undetected is a whopping 393 days. You heard right—over a year invisible in your network’s attic.

Yesterday, CISA and the FBI dropped an emergency directive after a new set of attacks targeting Cisco ASA firewalls. Chris Butera from CISA said the campaign is widespread, and agencies had until midnight tonight to scan their perimeter for compromised Cisco gear, especially since these firewalls, if hijacked, let attackers intercept, reroute, and manipulate internal traffic. Palo Alto Networks chimed in, warning that Chinese attackers had gotten “more sophisticated and focused” on U.S. targets this year.

Timeline break: these attackers first got noticed in May when suspicious activity surfaced on government networks. The hackers bypassed standard controls, used stolen admin credentials to move laterally, and, in one case, deployed a sneaky Java Servlet filter named BRICKSTEAL onto vCenter, intercepting HTTP logins and cloning mailboxes using Microsoft Entra ID Enterprise Apps. Their focus? Not random mailbox spam—key individuals tied to U.S. economic interests, developers, sysadmins, the people whose email is gold to Beijing’s economic and espionage priorities.

Meanwhile, their malware, like BRICKSTORM and the web shell SLAYSTYLE, persists by tweaking system startup files and leveraging SOCKS proxies for covert tunnel access. They even use fancy tricks like delayed beaconing and disguised C2 domains to evade detection. Cisco also flagged both CVE-2025-20333 and CVE-2025-20362 as critical vulnerabilities exploited by what they’re calling the ArcaneDoor campaign—yep, also China. Attackers managed to latch onto discontinued firewall models, so if your gear says ASA 5500-X on the box, it’s a replace-or-die moment. The UK’s NCSC published technical details, urging urgent investigation and total password, certificate, and key rotation after the update.

Escalation? If agencies fumble detection or patching, imagine attackers not just exfiltrating data but pivoting deep into critical infrastructure, financial networks, or even government supply chains. A single missed patch could turn into a cascading breach—with even more advanced malware lingering and harvesting credentials every reboot.

So, what do defenders need to do right now? Hunt for BRICKSTORM indicators using the latest Sigma rules, scan all Cisco ASA and Firepower devices per ED 25-03, rotate every credential, break out MFA everywhere, and double-check those Entra ID permission scopes like your VPN depends on it—because it probably does.

That’s the speedrun through this week’s cyber gauntlet. Tomorrow’s update? Let’s just hope someone patched their ASA firewall tonight.

Thanks for tuning in, listeners! Don’t forget to subscribe for more cyber stories, and if carnivorous malware gives you chills, recommend us to a sysadmin you love.
This has been a Quiet Please production; for more, check out http://www.quietplease.ai. This content was created in partnership with, and with the help of, artificial intelligence (AI).