
VMware vSphere Ecosystem Targeted by BRICKSTORM Malware Attacks


What happens when an attacker slips beneath the operating system you trust and into the invisible machinery that runs your virtual machines? That is the dilemma Stuart Carrera lays out in a new defender’s guide built on BRICKSTORM research from the Google Threat Intelligence Group (GTIG): adversaries who gain a foothold at the virtualization layer can operate where traditional endpoint tools cannot see them.

What GTIG found: BRICKSTORM focuses on vSphere’s control plane

The BRICKSTORM operations described in GTIG’s research, and summarized and expanded in the guide written by Stuart Carrera, target the VMware vSphere ecosystem: specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. The operations establish persistence at the virtualization layer, an environment that sits beneath guest operating systems and outside the protection of standard endpoint detection and response (EDR) agents.

That architectural placement creates a visibility gap: neither VCSA nor ESXi runs a standard EDR agent, and both have historically received less security attention than traditional endpoints. Activity at the virtualization layer therefore evades the controls most organizations rely on and can remain undetected for extended periods.

How these intrusions work — architecture and identity, not product flaws

The guide emphasizes that BRICKSTORM-style activity is not the result of a security vulnerability in vendors’ products or infrastructure. Instead, the intrusions rely on broader systemic weaknesses: weak security architecture and identity design, a lack of host-based configuration enforcement, and limited visibility within the virtualization layer. By exploiting those gaps, threat actors can establish long-term persistence and gain administrative control over the entire vSphere environment.

The guide includes a diagram of this methodology, the BRICKSTORM vSphere attack chain, illustrating how control-plane compromise leads to sustained, high-privilege access.

Defender actions: infrastructure-centric hardening and automation

Carrera’s guide frames a response that shifts focus from guest-centric defenses to infrastructure-centric controls. It lays out essential hardening strategies and mitigating controls aimed at securing VCSA and ESXi assets, and it emphasizes enforcing configuration and identity best practices at the host level.

To help automate those recommendations, the guide points to a tool released by Mandiant: a vCenter Hardening Script that enforces security configurations directly at the Photon OS layer, the Linux distribution on which the appliance runs. According to the guide, implementing these recommendations can turn the virtualization layer into a hardened environment capable of detecting and blocking persistent threats that would otherwise evade endpoint protections.
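The audit-and-remediate loop such a hardening script performs, reduced to a handful of ESXi advanced settings, as an added example (this is not code from the GTIG guide or from the Mandiant script). It assumes the input is the text printed by `esxcli system settings advanced list`, parses it, compares each setting with a baseline chosen for this example from common ESXi hardening guidance, and emits the `esxcli` commands that would fix each deviation. `SYSLOG_COLLECTOR` is a placeholder, and `SAMPLE_OUTPUT` is constructed for a hypothetical host rather than captured from a real one:

```python
"""Audit ESXi advanced settings against a small hardening baseline and emit
the esxcli commands that remediate each deviation.

Added example, not code from the GTIG guide or the Mandiant hardening script.
Assumes input in the layout of `esxcli system settings advanced list`; the
baseline values are this example's own choices, drawn from common ESXi
hardening guidance. SYSLOG_COLLECTOR is a placeholder, not a real host.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

Value = Union[int, str, None]
SYSLOG_COLLECTOR = "tcp://SYSLOG_COLLECTOR:514"  # placeholder; substitute a real collector


@dataclass
class Check:
    path: str                    # setting path as printed by esxcli
    want: str                    # expected state, for the report
    ok: Callable[[Value], bool]  # predicate over the parsed current value
    fix: str                     # esxcli command that restores compliance


def setint(path: str, v: int) -> str:
    return f"esxcli system settings advanced set -o {path} -i {v}"


# Baseline: shrink interactive access to the host and push logs off-box so the
# control plane is not its own only witness.
BASELINE: List[Check] = [
    Check("/VMkernel/Boot/execInstalledOnly", "1 (only binaries from installed VIBs run)",
          lambda v: v == 1, setint("/VMkernel/Boot/execInstalledOnly", 1)),
    Check("/UserVars/SuppressShellWarning", "0 (keep the shell/SSH-enabled warning)",
          lambda v: v == 0, setint("/UserVars/SuppressShellWarning", 0)),
    Check("/UserVars/ESXiShellInteractiveTimeOut", "1..900 s idle timeout",
          lambda v: isinstance(v, int) and 0 < v <= 900,
          setint("/UserVars/ESXiShellInteractiveTimeOut", 900)),
    Check("/Security/AccountLockFailures", "1..5 failures before lockout",
          lambda v: isinstance(v, int) and 0 < v <= 5, setint("/Security/AccountLockFailures", 5)),
    Check("/Syslog/global/logHost", "non-empty remote syslog target",
          lambda v: isinstance(v, str) and v.strip() != "",
          f'esxcli system syslog config set --loghost="{SYSLOG_COLLECTOR}" && esxcli system syslog reload'),
    Check("/DCUI/Access", "root only",
          lambda v: v == "root", 'esxcli system settings advanced set -o /DCUI/Access -s "root"'),
]


def parse_advanced_list(text: str) -> Dict[str, Value]:
    """Parse esxcli's "Key: Value" blocks into {path: value}. Integer-typed
    settings carry their value in "Int Value", everything else in "String Value"."""
    settings: Dict[str, Value] = {}
    block: Dict[str, str] = {}

    def flush() -> None:
        path = block.get("Path")
        if not path:
            return
        if block.get("Type") == "integer":
            raw = block.get("Int Value", "")
            settings[path] = int(raw) if re.fullmatch(r"-?\d+", raw) else None
        else:
            settings[path] = block.get("String Value", "")

    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s?(.*)$", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Path":  # a new block starts: commit the previous one
                flush()
                block = {}
            block[key] = val
    flush()
    return settings


@dataclass
class Finding:
    path: str
    current: Value
    expected: str
    fix: str


def audit(settings: Dict[str, Value]) -> List[Finding]:
    """One Finding per failed check; a setting absent from the listing fails too."""
    return [Finding(c.path, settings.get(c.path), c.want, c.fix)
            for c in BASELINE if c.path not in settings or not c.ok(settings[c.path])]


def remediation_script(findings: List[Finding]) -> str:
    """Render findings as a shell script to review before running on the host."""
    out = ["#!/bin/sh", "set -e"]
    for f in findings:
        out += [f"# {f.path}: current={f.current!r}, expected {f.expected}", f.fix]
    return "\n".join(out) + "\n"


# Constructed, abbreviated sample in the layout of `esxcli system settings
# advanced list` for a hypothetical weakly configured host (not captured output).
SAMPLE_OUTPUT = """\
   Path: /VMkernel/Boot/execInstalledOnly
   Type: integer
   Int Value: 0
   Default Int Value: 0
   String Value:
   Description: Only allow executable files from VIBs to execute

   Path: /UserVars/SuppressShellWarning
   Type: integer
   Int Value: 1
   String Value:
   Description: Don't show warning for enabled local and remote shell access

   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   String Value:
   Description: Idle time before an interactive shell is automatically logged out

   Path: /Syslog/global/logHost
   Type: string
   Int Value: 0
   String Value:
   Description: The remote host(s) to send logs to. Reset to '' to disable.

   Path: /DCUI/Access
   Type: string
   Int Value: 0
   String Value: root
   Description: List of users who can bypass lockdown mode and use the DCUI
"""

if __name__ == "__main__":
    print(remediation_script(audit(parse_advanced_list(SAMPLE_OUTPUT))))
```

On the sample host the audit flags five deviations (including `/Security/AccountLockFailures`, which is absent from the listing and so treated as non-compliant) and leaves `/DCUI/Access` alone. The generated script is meant to be read before it is run: a real hardening script also has to handle settings whose remediation needs maintenance mode or a reboot, and should re-run the audit afterwards so drift is caught rather than assumed away.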

Why it matters: different stakeholders, shared exposure

  • Technologists: The guide directs administrators to harden control-plane components and to adopt host-based configuration enforcement so that visibility and enforcement extend to the virtualization layer.
  • Security teams: Relying solely on traditional EDR and guest-based controls leaves a blind spot; the guide argues defenders must pair those tools with infrastructure-level controls.
  • Adversaries: Threat actors benefit from the historical underinvestment in control-plane visibility and from identity and configuration weaknesses that allow long-term persistence and administrative control.

Those perspectives converge on a simple point made repeatedly in the guide: without deliberate, infrastructure-centric hardening, the virtualization layer can become a permanent foothold that evades conventional defenses.

BRICKSTORM’s lesson is straightforward and uncomfortable — the place attackers most value is often the place defenders most neglect. Will organizations reallocate attention and tooling to the control plane before adversaries make persistent virtualization-layer access routine?

https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/