This is your Cyber Sentinel: Beijing Watch podcast.
Hey listeners, Ting here with your Cyber Sentinel: Beijing Watch, so let’s jack straight into what China’s hackers have been up to this week.
The headline move is Beijing’s long game in U.S. critical infrastructure. CISA and NSA are warning that People’s Republic of China operators are living quietly inside VMware vCenter and virtualized control planes using a backdoor called BrickStorm, part of a broader Warp Panda campaign aimed at legal, tech, manufacturing, and even government-linked networks in North America. CrowdStrike and ITPro describe BrickStorm as stealthy, blending in as legitimate vCenter processes, tunneling via SFTP, pivoting with the privileged vpxuser account, and even spinning up unregistered VMs just long enough to do damage, then shutting them down. That’s not smash-and-grab ransomware; that’s pre-positioning for disruption when things get geopolitical.
Tactically, that means the traditional “watch your endpoints” mindset is obsolete. The hypervisor and identity layer are the new crown jewels. According to CISA’s joint advisory, in one case the Chinese actors sat from April 2024 to September 2025, pulled keys from Active Directory Federation Services, and essentially owned the authentication fabric. If you’re running critical infrastructure, legal, or cloud services, your to‑do list is brutal but clear: aggressively patch and segment vCenter, yank public exposure of management consoles, rotate and lock down federation keys, and actively hunt for weird scheduled tasks, dormant accounts waking up at 3 a.m., and admin accounts that nobody wants to own.
Now pivot to something much louder: React2Shell. Amazon’s AWS security teams report that multiple China state‑nexus groups, including Earth Lamia and Jackpot Panda, weaponized the React2Shell vulnerability, CVE‑2025‑55182, within hours of public disclosure. Using their MadPot honeypot network, Amazon saw Chinese infrastructure spraying proof‑of‑concept exploits at React 19 and Next.js 15–16 targets worldwide: finance, logistics, retail, IT providers, universities, and governments. TechRadar and GovInfoSecurity add that these same clusters are chaining in other N‑day bugs like the NUUO camera CVE‑2025‑1338, running broad, multi‑CVE campaigns, and even manually debugging failed attempts against live targets. That’s a factory model: see vuln, ingest PoC, automate scans, iterate until something pops.
Here, tactically, speed is everything. If you’re shipping React or Next.js with App Router, the only acceptable patch window is “yesterday.” Pair that with strict WAF rules, rate limiting, and anomaly detection tuned for weird RSC requests. AWS notes that many attempts are noisy, but the noise is the point: failed bulk spraying covers for the one hand‑crafted intrusion that lands persistence.
Strategically, zoom out and you see the same Chinese doctrine that Fox News opinion pieces and years of DOJ indictments keep hammering: cyber as economic warfare and battlefield prep. IP theft, data exfiltration, and control-plane access are feeding Beijing’s push in AI, quantum, and advanced weapons. Amazon recently flagged a trend they call cyber‑enabled kinetic targeting, where network reconnaissance directly informs real‑world operations. That should make every operator of ports, pipelines, power grids, and logistics hubs sit up straight.
So, what should U.S. defenders actually do beyond doomscrolling? First, treat PRC cyber as a whole‑of‑society problem, not just a government issue: tighter collaboration between CISA, NSA, the private sector, and universities; mandatory incident sharing for critical sectors; and incentives for rapid patching and zero trust adoption. Second, push visibility up‑stack: telemetry from hypervisors, identity providers, and CI/CD pipelines, not just laptops and web servers. Third, prepare for the day the “quiet” access stops being quiet: run joint tabletop exercises with law enforcement, critical infrastructure operators, and even local governments that assume a BrickStorm‑style foothold is activated during a physical crisis.
I’m Ting. Thanks for tuning in to Cyber Sentinel: Beijing Watch. Don’t forget to subscribe so you don’t miss next week’s drill‑down into the next wave of China‑linked exploits. This has been a Quiet Please production; for more, check out quiet please dot ai.
This content was created in partnership with, and with the help of, Artificial Intelligence (AI).