VerdantBamboo Exploits pfSense Firewall in Long-Running Cyberattack
VerdantBamboo (also tracked as WARP PANDA and UNC5221) compromised a pfSense firewall and deployed a FreeBSD variant of the BRICKSTORM backdoor, granting the threat actor persistent access to a managed service provider’s (MSP) network. The breach was uncovered during a Volexity incident response investigation, which linked the attack to a broader campaign targeting edge devices with limited security monitoring.
The investigation began after suspicious traffic was detected from a Linux-based Egnyte Storage Sync virtual appliance, which was communicating with attacker-controlled infrastructure behind Cloudflare IP addresses. Volexity later confirmed the appliance was infected with BRICKSTORM, a remote access Trojan (RAT) used by VerdantBamboo. The attackers leveraged valid credentials and malware proxy features to access the victim’s Microsoft 365 environment, blending into normal traffic and bypassing Conditional Access rules.
The compromise had persisted for at least 18 months. After an initial cleanup, VerdantBamboo re-entered the network using stolen administrative credentials, enabled web SSL VPN access on the firewall, and deployed additional malware on a Synology NAS device.
Further analysis of the MSP’s infrastructure revealed the pfSense firewall had been compromised, with a BSD-compatible BRICKSTORM implant (named blocklist) deployed in the /usr/local/libexec/ipsec/ directory. Persistence was achieved by modifying /etc/rc.d/cron to execute the implant automatically.
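The two host-level traces described above (an rc.d script edited to launch a foreign binary, and an executable dropped into a directory that a package normally owns) can be hunted for read-only from a pfSense shell. The script below is an added example, not Volexity's or Netgate's tooling and not anything from the original report. It assumes POSIX sh with grep, sed, find and sort, and that on the box being checked the strongSwan package is the legitimate owner of /usr/local/libexec/ipsec so that `pkg query '%Fp' strongswan` yields a usable manifest; both of those are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the original article): hunt for BRICKSTORM-style
# persistence on pfSense/FreeBSD. Two read-only checks:
#   1. absolute paths referenced by an rc.d script that fall outside the
#      base system (a stock /etc/rc.d/cron only needs /usr/sbin, /etc, /var/run);
#   2. executables in a directory that the owning package's manifest does not list.
#
# Usage on a pfSense box (assumption: strongSwan owns /usr/local/libexec/ipsec):
#   pkg query '%Fp' strongswan > /tmp/ipsec.manifest
#   . ./hunt.sh
#   foreign_paths_in_rc /etc/rc.d/cron
#   unpackaged_executables /usr/local/libexec/ipsec /tmp/ipsec.manifest
# Any output from either call is a lead, not a verdict: compare against a
# known-good install of the same pfSense version before acting.

# Prefixes a stock /etc/rc.d script may legitimately reference.
# /usr/local is deliberately absent: base rc scripts do not exec from there.
EXPECTED_PREFIXES='^/(bin|sbin|usr/bin|usr/sbin|usr/lib|usr/libexec|etc|var/run|dev)(/|$)'

# Print, one per line, every absolute path referenced by an rc script that is
# outside EXPECTED_PREFIXES. Comment lines are skipped (the shebang included);
# a path that only appears in a comment is not executed by the script anyway.
foreign_paths_in_rc() {
    script="$1"
    grep -v '^[[:space:]]*#' "$script" \
        | grep -oE '(^|[^A-Za-z0-9_./-])/[A-Za-z0-9_./-]+' \
        | sed 's,^[^/],,' \
        | grep -vE "$EXPECTED_PREFIXES" \
        | sort -u
}

# Print executables (owner-execute bit set) under DIR that are not listed in
# MANIFEST. MANIFEST holds one absolute path per line, e.g. the output of
# `pkg query '%Fp' <package>` for the package that owns DIR.
unpackaged_executables() {
    dir="$1"
    manifest="$2"
    find "$dir" -type f -perm -100 | sort | while IFS= read -r f; do
        grep -qxF "$f" "$manifest" || printf '%s\n' "$f"
    done
}
```

Both checks are deliberately cheap so they can run from a cron job or an orchestration tool across a fleet of firewalls; the manifest comparison is the more reliable of the two, since an attacker who wants to blend in can name a dropped binary after something plausible (as `blocklist` in this case) but cannot retroactively add it to the package database without leaving another trace.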
BRICKSTORM, primarily written in Golang (with Rust variants observed), supports remote command execution, SOCKS5 proxying, and file system access via a web interface, enabling lateral movement and traffic obfuscation. Volexity also identified two additional malware families: AGENTPSD (a Python reverse shell) and PLENET/GRIMBOLT (a .NET Native AOT backdoor for Linux systems).
The campaign highlights how advanced threat actors target firewalls, storage appliances, VPNs, and NAS devices: systems that typically run no endpoint detection and response (EDR) agent and so offer long-lived, poorly monitored footholds.
Source: https://cyberpress.org/verdantbamboo-breaches-pfsense-firewall/
Netgate cybersecurity rating report: https://www.rankiteo.com/company/netgate
Egnyte cybersecurity rating report: https://www.rankiteo.com/company/egnyte
"id": "NETEGN1780907044",
"linkid": "netgate, egnyte",
"type": "Cyber Attack",
"date": "12/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Managed Service Provider (MSP)'}],
'attack_vector': 'Compromised pfSense firewall, valid credentials, malware '
'deployment',
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'description': 'VerdantBamboo (also tracked as WARP PANDA and UNC5221) '
'compromised a pfSense firewall and deployed a FreeBSD variant '
'of the BRICKSTORM backdoor, granting persistent access to a '
'managed service provider’s (MSP) network. The breach was '
'uncovered during a Volexity incident response investigation, '
'which linked the attack to a broader campaign targeting edge '
'devices with limited security monitoring. The attackers '
'leveraged valid credentials and malware proxy features to '
'access the victim’s Microsoft 365 environment, blending into '
'normal traffic and bypassing Conditional Access rules. The '
'compromise persisted for at least 18 months, with re-entry '
'achieved using stolen administrative credentials and '
'additional malware deployed on a Synology NAS device.',
'impact': {'data_compromised': True,
'operational_impact': 'Persistent unauthorized access, lateral '
'movement, traffic obfuscation',
'systems_affected': ['pfSense firewall',
'Linux-based Egnyte Storage Sync virtual '
'appliance',
'Synology NAS device',
'Microsoft 365 environment']},
'initial_access_broker': {'backdoors_established': ['BRICKSTORM',
'AGENTPSD',
'PLENET/GRIMBOLT'],
'entry_point': 'pfSense firewall, Linux-based '
'Egnyte Storage Sync virtual '
'appliance',
'high_value_targets': ['Microsoft 365 environment']},
'investigation_status': 'Completed (Volexity investigation)',
'lessons_learned': 'Advanced threat actors target edge devices (firewalls, '
'storage appliances, VPNs, NAS devices) with limited EDR '
'coverage. Persistent access can be maintained for '
'extended periods using valid credentials and malware like '
'BRICKSTORM.',
'motivation': 'Cyber espionage, persistent network access, data exfiltration',
'post_incident_analysis': {'corrective_actions': 'Cleanup of malware, '
'credential rotation, '
'enhanced monitoring of edge '
'devices, deployment of EDR '
'solutions',
'root_causes': 'Compromised pfSense firewall, use '
'of valid credentials, lack of '
'robust EDR on edge devices, '
'persistent malware deployment '
'(BRICKSTORM)'},
'ransomware': {'data_encryption': True, 'data_exfiltration': True},
'recommendations': 'Enhance monitoring of edge devices, implement robust EDR '
'solutions, enforce multi-factor authentication (MFA), and '
'conduct regular credential audits to prevent unauthorized '
'access.',
'references': [{'source': 'Volexity Incident Response Investigation'}],
'response': {'incident_response_plan_activated': True,
'third_party_assistance': 'Volexity incident response '
'investigation'},
'threat_actor': 'VerdantBamboo (WARP PANDA, UNC5221)',
'title': 'VerdantBamboo Exploits pfSense Firewall in Long-Running Cyberattack',
'type': 'Cyber Espionage, Persistent Access, Data Exfiltration'}