
VMware vCenter
VMware's virtualisation management platform, targeted by UNC5221's BRICKSTORM backdoor; the BRICKSTEAL companion filter captures vCenter HTTP credentials, alongside offline credential extraction from cloned domain-controller VMs.
Last refreshed: 17 April 2026
Timeline for VMware vCenter
- BRICKSTORM dwell hits 393 days, Mandiant
What is VMware vCenter and why are hackers targeting it?
- VMware vCenter is the management platform for virtualised infrastructure, giving admins control over every server and virtual machine in an estate. UNC5221 deployed the BRICKSTORM backdoor and BRICKSTEAL credential-capture filter on vCenter as part of a campaign with a 393-day average dwell time. Source: Mandiant M-Trends 2026
Background
VMware vCenter is the centralised management platform for VMware virtualisation infrastructure and a primary target for the BRICKSTORM backdoor deployed by UNC5221, per Mandiant's M-Trends 2026 report. A companion servlet filter called BRICKSTEAL captures HTTP Basic Authentication credentials submitted to vCenter, while domain-controller virtual machines are cloned from the ESXi layer for offline credential extraction. BRICKSTORM operates with a 393-day average dwell time across observed intrusions.
vCenter Server is the management plane for all VMware vSphere environments, providing oversight of every ESXi host and virtual machine in an infrastructure. Administrative access to vCenter is equivalent to root access on every guest VM and hypervisor in the estate. BRICKSTORM's targeting of vCenter reflects the same control-plane logic as Handala's Intune attack on Stryker: maximum-privilege access achieved via a single control-plane credential, with blast radius across the entire virtualised infrastructure.
For enterprise virtualisation and security teams, vCenter's inclusion in the BRICKSTORM campaign creates specific audit obligations: HTTP Basic Authentication on vCenter should be disabled or restricted; vCenter logs must be ingested into the SIEM with tamper-evidence; and domain-controller VMs should be identified and protected against live cloning. CISA and NCSC have both cited these controls in CNI advisory guidance.
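The third control above, identifying domain-controller VMs and watching them for live cloning, is shown below as an added example (not code from the page, Mandiant or VMware): a detection pass over constructed vCenter event records that flags clone operations whose source VM carries a domain-controller tag. The record field names and the clone event type identifiers are assumptions modelled on the vSphere event model and should be confirmed against a real export.

```python
"""Flag clone operations against domain-controller VMs in vCenter event exports.

Added example, not the page's or VMware's code. The record shape is an
assumption modelled on vSphere events; all sample data is constructed.
"""
from collections import defaultdict

# vSphere event types emitted around a VM clone (assumed; verify in your vCenter).
CLONE_EVENT_TYPES = {"VmBeingClonedEvent", "VmClonedEvent"}


def identify_dcs(inventory, dc_tag="Role:DomainController"):
    """Return the names of VMs carrying the domain-controller tag (tag name assumed)."""
    return {vm["name"] for vm in inventory if dc_tag in vm.get("tags", [])}


def find_dc_clones(events, dc_vms, approved_users=frozenset()):
    """Return (vm, user, event_type, time) for clone events whose source is a DC VM,
    skipping accounts on an approved change-window list."""
    hits = []
    for ev in events:
        if ev.get("eventTypeId") not in CLONE_EVENT_TYPES:
            continue
        vm, user = ev.get("vm", ""), ev.get("userName", "")
        if vm in dc_vms and user not in approved_users:
            hits.append((vm, user, ev["eventTypeId"], ev.get("createdTime", "")))
    return hits


def summarise_by_user(hits):
    """Count flagged DC clones per account, so one actor touching several DCs stands out."""
    counts = defaultdict(int)
    for _, user, _, _ in hits:
        counts[user] += 1
    return dict(counts)


# Constructed sample inventory and events (not real telemetry).
INVENTORY = [
    {"name": "dc01", "tags": ["Role:DomainController"]},
    {"name": "dc02", "tags": ["Role:DomainController"]},
    {"name": "web01", "tags": ["Role:Web"]},
]
EVENTS = [
    {"eventTypeId": "VmBeingClonedEvent", "vm": "dc01", "userName": "VSPHERE.LOCAL\\svc-backup", "createdTime": "2026-03-02T01:14:00Z"},
    {"eventTypeId": "VmClonedEvent", "vm": "dc01", "userName": "VSPHERE.LOCAL\\svc-backup", "createdTime": "2026-03-02T01:19:00Z"},
    {"eventTypeId": "VmClonedEvent", "vm": "web01", "userName": "CORP\\ops", "createdTime": "2026-03-02T09:00:00Z"},
    {"eventTypeId": "VmClonedEvent", "vm": "dc02", "userName": "CORP\\dcadmin", "createdTime": "2026-03-03T10:30:00Z"},
]

if __name__ == "__main__":
    hits = find_dc_clones(EVENTS, identify_dcs(INVENTORY), approved_users={"CORP\\dcadmin"})
    for hit in hits:
        print("ALERT dc-clone", *hit)
    print(summarise_by_user(hits))
```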