There is a version of the China-nexus appliance targeting story that frames it as clever exploitation of a monitoring gap — threat actors noticing that EDR does not cover network appliances and targeting them accordingly. That framing is accurate as far as it goes, but it undersells the deliberateness of the investment.
Developing a BSD variant of BRICKSTORM is not an opportunistic adaptation. It requires understanding the FreeBSD process model, adapting persistence mechanisms to BSD-specific startup architectures, understanding which BSD-derivative operating systems run on which commercial appliances, and validating the implant against those targets. This is months of engineering work. The VerdantBamboo group did this because network appliances at the enterprise perimeter are strategic targets worth sustained investment — not because the gap was noticed and quickly exploited.
What “Strategic Target” Means in Practice
A persistent implant on a perimeter firewall or VPN gateway has access to capabilities that a Windows endpoint implant does not:
It sees all traffic traversing the device — including VPN authentication events, internal routing decisions, and in some configurations, decrypted traffic that the appliance processes. It can modify routing to redirect specific traffic. It can observe connection patterns that reveal the organisation’s internal network topology without conducting active scanning. It can passively capture credentials transmitted through the device.
None of this generates an EDR alert. The appliance’s operating system does not report process creation events to a SIEM (most perimeter appliances cannot forward this telemetry). The implant’s network traffic is indistinguishable from the legitimate management traffic the appliance generates. The enterprise’s threat detection programme has no visibility into any of it.
For an intelligence collection objective — which is the primary mission of state-sponsored threat actors — this is a near-ideal implantation point. The appliance persists (it is rarely reimaged or replaced), the access is stable (it does not require ongoing credential theft), and the visibility is broad (all organisational traffic traverses it).
The Detection Investment Required
Detecting appliance-targeting implants requires a different detection stack from the endpoint-focused monitoring that most enterprise security programmes have built.
Network traffic analysis — baselining the appliance’s own outbound traffic and detecting anomalies — is the primary detection surface. An implant that uses HTTPS C2 via legitimate TLS certificates (BRICKSTORM’s documented C2 mechanism) is difficult to detect through signature-based network monitoring. It requires behavioural baselining: flagging, for example, that the appliance’s management interface has never before connected to a given IP range. Effective NTA for this use case requires historical baseline data and anomaly detection capability beyond what most SIEM deployments provide for network device traffic.
Offline forensic analysis — periodically pulling firmware images from critical perimeter devices and comparing against known-good baselines — is the most reliable detection method. It is also expensive: it requires a methodology for establishing the known-good baseline, operational procedures for taking appliances offline for imaging, and tooling for comparing binary images across complex operating system distributions. Most organisations do not have this capability and are not prioritising building it.
What Changes
What would change is an honest accounting of where the monitoring gap is and a willingness to invest in closing it. Not all organisations have the resources or threat profile to justify offline forensic analysis of perimeter appliances. But all organisations with significant internet-facing network infrastructure should:
Know what operating systems and firmware versions their perimeter appliances are running — currently, not from last quarter’s audit.
Have vendor threat intelligence feeds active for their perimeter device vendors, and a process for acting on those feeds within 24 hours for Critical advisories.
Have NTA capability that includes the management traffic of network appliances — not just the traffic through them, but the traffic from them.
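The behavioural baselining described above (flagging appliance-originated connections to destinations never seen before, and keeping traffic from the appliance separate from traffic through it) can be sketched as follows. This is an added example, not code from the article or from any vendor product; the management IP, flow records and the /24 aggregation are assumptions, and the flow tuples are constructed NetFlow-style samples.

```python
import ipaddress

APPLIANCE_MGMT_IP = "10.0.0.1"   # assumed: the firewall's management-interface address

# Constructed sample flows: (src_ip, dst_ip, dst_port).
# Baseline period = known-normal management traffic: vendor update service,
# internal syslog collector, internal NTP, and an admin jump host connecting inbound.
BASELINE_FLOWS = [
    ("10.0.0.1", "203.0.113.10", 443),   # vendor update service
    ("10.0.0.1", "203.0.113.10", 443),
    ("10.0.0.1", "10.0.5.20", 514),      # internal syslog collector
    ("10.0.0.1", "10.0.5.21", 123),      # internal NTP
    ("10.0.5.50", "10.0.0.1", 443),      # admin -> appliance: traffic TO it, not FROM it, so ignored
]
TODAY_FLOWS = [
    ("10.0.0.1", "203.0.113.10", 443),
    ("10.0.0.1", "10.0.5.20", 514),
    ("10.0.0.1", "198.51.100.77", 443),  # HTTPS to a /24 the appliance has never contacted
    ("10.0.0.1", "203.0.113.44", 443),   # new host inside the already-seen vendor /24: not flagged
]


def prefix(ip, bits=24):
    """Collapse a destination address to its /bits network so a whole range is baselined."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def build_baseline(flows, appliance_ip, bits=24):
    """Set of (destination prefix, port) pairs the appliance itself has been seen talking to."""
    return {(prefix(dst, bits), port) for src, dst, port in flows if src == appliance_ip}


def find_new_destinations(flows, baseline, appliance_ip, bits=24):
    """Appliance-originated flows whose (prefix, port) pair is absent from the baseline."""
    return [(dst, port) for src, dst, port in flows
            if src == appliance_ip and (prefix(dst, bits), port) not in baseline]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS, APPLIANCE_MGMT_IP)
    for dst, port in find_new_destinations(TODAY_FLOWS, base, APPLIANCE_MGMT_IP):
        print(f"ALERT: {APPLIANCE_MGMT_IP} -> {dst}:{port}; no prior traffic to {prefix(dst)}:{port}")
```

The same logic extends to a rolling baseline over weeks of exported flow records; the point is that only flows with the appliance as source feed the baseline, which is the telemetry most NTA deployments currently discard.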
The China-nexus appliance targeting trend has been visible in threat intelligence reporting for two years. The BRICKSTORM BSD variant is not a new development — it is a progression in a capability that has been tracked since UNC3886’s VMware and Fortinet campaigns in 2024. The organisations that will discover they were compromised via this vector will be the ones that did not update their monitoring to include the perimeter appliance blind spot.
The organisations that detect and respond to it early are the ones that decided the gap was worth addressing before they needed to.