VerdantBamboo Exploits pfSense Firewall in Long-Running Cyberattack VerdantBamboo (also tracked as WARP PANDA and UNC5221) compromised a pfSense firewall and deployed a FreeBSD variant of the BRICKSTORM backdoor, granting the threat actor persistent access to a managed service provider’s (MSP) network. The breach was uncovered during a Volexity incident response investigation, which linked the attack to a broader campaign targeting edge devices with limited security monitoring. The investigation began after suspicious traffic was detected from a Linux-based Egnyte Storage Sync virtual appliance, which was communicating with attacker-controlled infrastructure behind Cloudflare IP addresses. Volexity later confirmed the appliance was infected with BRICKSTORM, a remote access Trojan (RAT) used by VerdantBamboo. The attackers leveraged valid credentials and malware proxy features to access the victim’s Microsoft 365 environment, blending into normal traffic and bypassing Conditional Access rules. The compromise had persisted for at least 18 months. After an initial cleanup, VerdantBamboo re-entered the network using stolen administrative credentials, enabled web SSL VPN access on the firewall, and deployed additional malware on a Synology NAS device. Further analysis of the MSP’s infrastructure revealed the pfSense firewall had been compromised, with a BSD-compatible BRICKSTORM implant (named blocklist) deployed in the /usr/local/libexec/ipsec/ directory. Persistence was achieved by modifying /etc/rc.d/cron to execute the implant automatically. BRICKSTORM, primarily written in Golang (with Rust variants observed), supports remote command execution, SOCKS5 proxying, and file system access via a web interface, enabling lateral movement and traffic obfuscation. Volexity also identified two additional malware families: AGENTPSD (a Python reverse shell) and PLENET/GRIMBOLT (a .NET Native AOT backdoor for Linux systems). The campaign highlights how advanced threat actors target firewalls, storage appliances, VPNs, and NAS devices systems often lacking robust endpoint detection and response (EDR) coverage.