A newly reported cyber espionage campaign has linked the China-nexus threat group VerdantBamboo (also tracked as WARP PANDA and UNC5221) to the compromise of a pfSense firewall. According to researchers, the activity highlights the growing focus on edge network devices as primary attack targets.

According to CyberPress research, this intrusion is part of a broader operation. In this campaign, VerdantBamboo maintains long-term access to victim environments by targeting network appliances and infrastructure systems. These systems often lack strong endpoint security controls, which makes them attractive to attackers.

In this case, the attackers reportedly used BRICKSTORM malware. This custom backdoor helps establish persistent access on compromised systems. In addition, researchers have observed it across multiple environments, including firewalls, storage appliances, and Linux-based systems.

Security researchers also noted that the compromised pfSense firewall may serve as a strategic pivot point. For example, attackers can use it to inspect internal traffic and maintain persistence. Furthermore, it can support lateral movement across connected systems while avoiding detection.

This activity aligns with broader patterns in the VerdantBamboo campaign. In many cases, the group maintains undetected access for long periods. In some incidents, persistence has lasted more than a year. Typically, this occurs through weak points in managed service provider (MSP) environments and internet-facing infrastructure.

The findings highlight an important shift in attacker behavior. Increasingly, threat actors target firewalls and network appliances directly. As a result, these systems now serve as entry points rather than just defensive barriers. Once compromised, they provide deep visibility and control over network traffic.

To reduce risk, organizations should take the following steps:

  • Apply firmware and security updates regularly
  • Avoid exposing administrative interfaces to the internet
  • Enable multi-factor authentication where possible
  • Monitor logs for unusual or suspicious activity
  • Review firewall configurations and access policies

Ultimately, this campaign reinforces a key security message. Protecting perimeter infrastructure is now just as important as securing endpoints.

Key Takeaways

  • VerdantBamboo (WARP PANDA / UNC5221) targeted a pfSense firewall
  • The campaign uses BRICKSTORM malware for persistent access
  • Attackers use compromised firewalls as pivot points inside networks
  • Some intrusions may persist for over a year
  • Edge devices are increasingly primary attack targets

Source: CyberPress – VerdantBamboo breaches pfSense firewall
https://cyberpress.org/verdantbamboo-breaches-pfsense-firewall/
