Enterprise Security in the Cloud: BRICKSTORM, VPN Weak Links, and the New Identity Perimeter
From December 17–24, 2025, enterprise security stories clustered around a single theme: attackers are systematically exploiting the seams between cloud, virtualized infrastructure, and identity controls. Updated government advisories on BRICKSTORM, a state-backed backdoor targeting VMware-based environments, underscored how virtual infrastructure has become a high‑value espionage beachhead—especially for public‑sector and critical‑infrastructure operators running mixed on‑prem and cloud stacks.[1][4] In parallel, new warnings about active exploitation of legacy Fortinet FortiOS SSL VPN authentication flaws highlighted how long‑tail technical debt in remote access continues to undercut otherwise modern zero‑trust aspirations.[8]
At the same time, forward‑looking analysis pointed to 2026 as the year when machine identity sprawl and AI‑driven services overwhelm traditional identity governance, with security leaders urged to rethink how they discover, bind, and monitor non‑human identities across multicloud estates. This lands against a backdrop of increasingly sophisticated MFA‑bypass tradecraft: researchers documented growing abuse of one‑time codes and MFA fatigue schemes to hijack corporate accounts, proving that “MFA enabled” is no longer synonymous with “MFA effective.”
For enterprises, these developments are not isolated curiosities. They illuminate a maturing attacker playbook tailored to cloud‑first, hybrid environments: compromise the virtualization layer for maximum reach; ride under‑patched VPNs and identity systems into core assets; and weaponize gaps in machine‑identity management to linger undetected. Security teams that still treat cloud, OT, and identity as separate domains are discovering that adversaries do not share this mental model. The week’s news offers a preview of 2026’s security agenda: close the identity gap, modernize remote access, instrument virtualized infrastructure like a crown jewel, and assume your MFA controls will be contested.
What Happened: A Week of Virtualization, VPN, and Identity Shockwaves
Government and industry updates around BRICKSTORM dominated the enterprise‑security newsflow. CISA, the NSA, and the Canadian Centre for Cyber Security released an updated malware analysis report on the BRICKSTORM backdoor on December 4, 2025, adding new indicators of compromise and detection signatures.[1][4] BRICKSTORM is used by China‑backed actors to target VMware vSphere and Windows systems, enabling theft of virtual machine snapshots, creation of rogue VMs, and long‑term persistence inside government and IT‑service environments.[1][4] Mid‑December roundups emphasized that BRICKSTORM remains an active, strategic risk for critical‑infrastructure operators and cloud‑hosting providers.[1][2][4]
On the remote‑access front, Fortinet issued fresh guidance about active exploitation of an older FortiOS SSL VPN vulnerability, CVE‑2020‑12812, which allows adversaries to bypass two‑factor authentication in specific LDAP configurations.[8] Attackers are leveraging the flaw to gain unauthorized access to enterprise networks, particularly where devices remain unpatched or MFA is misconfigured.[8] The advisory serves as a reminder that legacy VPN concentrators remain a favorite initial‑access vector, even years after patches ship.
Identity and access management also featured prominently. A Help Net Security analysis outlined five identity‑driven shifts expected to reshape enterprise security in 2026, warning that machine identity sprawl—particularly for AI workloads and service accounts—will hit a tipping point as organizations lose visibility into how keys, certificates, and tokens are created and used across multicloud environments. In parallel, CSO Online reported that attackers are increasingly abusing one‑time passcodes and MFA flows to hack corporate accounts, using phishing pages, adversary‑in‑the‑middle proxies, and social engineering to trick users into sharing time‑based codes or approving malicious prompts.
More broadly, December threat‑roundup reports from vendors such as Bitdefender cataloged continued evolution in the ransomware ecosystem, including recruitment of insiders and targeting of VPN, MFA, and cloud access mechanisms to shortcut more traditional intrusion paths.[5] Together, these developments painted a picture of adversaries that are both patient—cultivating long‑term footholds in virtualization layers—and opportunistic, rapidly exploiting neglected VPN appliances and brittle identity implementations.
Why It Matters: Enterprise Security’s New Fault Lines
These stories matter because they illuminate where current enterprise‑security architectures are structurally weakest: at the intersection of virtualization, remote access, and identity.
First, BRICKSTORM demonstrates how attacks have moved “below” the operating system into the virtualization stack. By stealing VM snapshots and spinning up rogue virtual machines, state‑backed actors can exfiltrate credentials, map networks, and stage further attacks without touching traditional endpoints.[1][4] For cloud‑and‑VMware‑heavy enterprises, this means the hypervisor and management plane now represent a single point of catastrophic compromise. Security programs that focus on endpoints and SaaS while under‑instrumenting virtual infrastructure risk missing precisely the activities BRICKSTORM is designed to enable.
Second, the Fortinet SSL VPN exploitation wave is a case study in security‑debt drag. CVE‑2020‑12812 is not new, yet the fact that it is still being exploited in 2025 indicates patching gaps, brittle change‑management processes, and over‑reliance on perimeter VPNs instead of modern zero‑trust network access.[8] For many organizations, these appliances are the connective tissue between data centers, branch offices, and cloud VPCs—making them high‑value targets whose failure can nullify otherwise sound segmentation.
Third, identity‑focused reporting shows that simply “adding MFA” is insufficient. Attackers are explicitly designing phishing kits and adversary‑in‑the‑middle infrastructures to capture and replay one‑time codes, while social‑engineering tactics coerce users into approving fraudulent login attempts. The Help Net Security forecast pushes this further, arguing that machine identities—API keys, service accounts, workload certificates—are multiplying faster than enterprises can track them, especially in AI‑heavy and cloud‑native environments. That creates a shadow perimeter of poorly governed non‑human accounts with powerful privileges and little monitoring.
For CISOs, the implication is clear: traditional control‑centric thinking (firewalls, VPNs, endpoint agents) must give way to architecture‑centric resilience. Visibility and governance over virtual infrastructure, remote‑access paths, and all forms of identity now define the practical boundary of the enterprise.
Expert Take: How Security Leaders Should Interpret the Signals
Experts reading the week’s developments see less a series of isolated advisories and more an integrated roadmap of adversary priorities—and, by extension, where enterprise defenders must focus next.
The updated BRICKSTORM analysis from CISA and partners effectively elevates virtualization security to a first‑class strategic concern.[1][4] For years, many organizations treated VMware clusters and private‑cloud control planes as “infrastructure plumbing” managed largely by IT operations. The fact that state‑sponsored actors are investing in bespoke backdoors for these platforms, with capabilities tuned for VM snapshot theft and stealth persistence, is a strong signal that this layer must now be treated like a crown‑jewel application, with dedicated logging, threat hunting, and hardening.[1][4]
On VPNs, security practitioners emphasize that ongoing exploitation of Fortinet’s FortiOS SSL VPN flaw is emblematic of a broader lifecycle problem: enterprises deploy remote‑access solutions as long‑lived infrastructure but often lack programmatic decommissioning or rigorous configuration revamps.[8] From an expert standpoint, the lesson is not merely “patch faster” but “design remote access for rotation”—short‑lived credentials, device posture checks, and an assumed cadence of control replacement rather than indefinite reuse.
Identity specialists, meanwhile, read the Help Net Security and CSO Online pieces as confirmation that identity is now the de facto perimeter—and that it is fragmenting. With machine identities proliferating across containers, serverless functions, and AI agents, and with human MFA protections under active attack, experts argue that enterprises must adopt continuous, risk‑aware authentication and authorization, not static role assignments and binary MFA checks. This includes stronger phishing‑resistant authenticators (like security keys and passkeys), identity threat detection and response (ITDR), and automated discovery of non‑human identities.
Finally, vendor threat‑debriefs continue to show attackers experimenting with insider recruitment to bypass technical controls altogether.[5] For seasoned practitioners, this reinforces a long‑standing principle: if an architecture relies too heavily on any single control—whether VPN, MFA, or hypervisor isolation—adversaries will eventually route around it. Defense‑in‑depth must be reinterpreted for the cloud era as independent layers around identity, infrastructure, and data, not just stacked network appliances.
Real‑World Impact: From Policy Docs to SOC Dashboards
Translating this week’s developments into concrete enterprise impact requires looking at how policies, tooling, and day‑to‑day operations will need to change.
In many large organizations, the BRICKSTORM advisory will trigger immediate asset inventories and configuration reviews for VMware vSphere and related virtualization management systems.[1][4] Security teams are likely to push for tighter role‑based access controls on hypervisors, routine review of snapshot practices, and enabling of detailed logging and telemetry exports into SIEM and EDR platforms. For managed‑service providers and government contractors, those changes may become contractual obligations, as customers point directly to CISA and NSA guidance.[1][4]
Fortinet’s warning about active exploitation of its SSL VPN flaw is likely to show up as urgent tickets in SOC and infrastructure backlogs: patch or decommission vulnerable devices, validate MFA configurations, and ensure that no dormant accounts or weak LDAP integrations linger on these gateways.[8] Organizations further along the zero‑trust journey will use this as additional ammunition to accelerate migration from legacy VPNs toward identity‑aware proxies and per‑application access brokers, reducing reliance on a few high‑risk chokepoints.
On the identity side, security engineering teams will be pushed to expand their lens beyond human SSO. The Help Net Security piece will land with platform and DevOps leaders, who are being asked to catalog all machine identities: cloud IAM roles, service principals, Kubernetes service accounts, API keys, and certificates used by workloads. This is likely to drive investment in machine‑identity management platforms and tighter collaboration between security, cloud, and developer teams to standardize how non‑human identities are issued, rotated, and revoked.
Meanwhile, reports on one‑time‑code abuse and MFA bypass will filter into user‑awareness programs and identity roadmaps, prompting shifts toward phishing‑resistant factors and push‑notification hygiene (for example, training users never to approve unexpected prompts). SOC playbooks will also adapt; suspicious MFA patterns—multiple prompts, geolocation anomalies, or impossible travel combined with code usage—will be elevated from “noise” to high‑priority investigations.
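As an added example (not from the article or any vendor it cites), the following Python implements the two MFA patterns named above, push fatigue and impossible travel, over constructed identity-provider events; the event schema, field names, the 10-minute/3-prompt window and the 900 km/h speed cap are all assumptions.

```python
# Constructed sample events (not real telemetry); lat/lon is the request's source location.
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EVENTS = [
    {"user": "alice", "ts": "2025-12-18T08:00:00", "event": "mfa_push", "result": "denied", "lat": 51.5, "lon": -0.1},
    {"user": "alice", "ts": "2025-12-18T08:01:30", "event": "mfa_push", "result": "timeout", "lat": 51.5, "lon": -0.1},
    {"user": "alice", "ts": "2025-12-18T08:03:00", "event": "mfa_push", "result": "denied", "lat": 51.5, "lon": -0.1},
    {"user": "alice", "ts": "2025-12-18T08:04:10", "event": "mfa_push", "result": "timeout", "lat": 51.5, "lon": -0.1},
    {"user": "alice", "ts": "2025-12-18T08:05:00", "event": "mfa_push", "result": "approved", "lat": 51.5, "lon": -0.1},
    {"user": "bob", "ts": "2025-12-18T09:00:00", "event": "login", "result": "success", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "ts": "2025-12-18T09:30:00", "event": "login", "result": "success", "lat": 40.7128, "lon": -74.0060},
    {"user": "carol", "ts": "2025-12-18T07:00:00", "event": "mfa_push", "result": "approved", "lat": 52.52, "lon": 13.405},
    {"user": "carol", "ts": "2025-12-18T07:00:05", "event": "login", "result": "success", "lat": 52.52, "lon": 13.405},
    {"user": "carol", "ts": "2025-12-18T12:00:00", "event": "login", "result": "success", "lat": 48.137, "lon": 11.575},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: prompt_count} for users who received `threshold` or more
    push prompts that were denied or timed out inside any `window`-long span."""
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push" and e["result"] != "approved":
            prompts[e["user"]].append(_ts(e))
    hits = {}
    for user, times in prompts.items():
        times.sort()  # sliding window: count prompts within `window` of each start
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            hits[user] = best
    return hits

def impossible_travel(events, max_kmh=900.0):
    """Return [(user, km, kmh)] for consecutive successful logins by one user
    whose implied ground speed exceeds max_kmh (assumed airliner-speed cap)."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            # Same-timestamp logins from different places are flagged; same place is not.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append((user, round(km), round(kmh)))
    return alerts
```

Running both over the sample: alice's four unanswered prompts in five minutes trip the fatigue rule, bob's London-to-New-York pair half an hour apart trips impossible travel, and carol's Berlin-to-Munich pair five hours apart stays quiet.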
In aggregate, the week’s news nudges enterprises toward a more cloud‑native, identity‑centric defensive posture, where the virtualization layer is monitored like production workloads, VPNs are treated as transitional, and identity telemetry is as central to detection as network logs once were.
Analysis & Implications: The Convergence of Cloud, OT, and Identity Risk
Looking across these developments, a few deeper trends emerge for enterprise technology and cloud services.
First, the convergence of IT, cloud, and OT is pulling operational technology into the same threat envelope as traditional enterprise systems. December analyses highlighted that BRICKSTORM and related campaigns are not confined to generic data centers; they target public‑sector and critical‑infrastructure operators whose environments now blend VMware clusters, cloud workloads, and OT interfaces.[1][4] As industrial and critical‑infrastructure organizations adopt cloud‑based monitoring, management, and analytics, the virtualization and identity layers increasingly straddle both corporate IT and plant‑floor systems. This means a compromise in a VMware management cluster or VPN gateway can have downstream operational impacts, from water utilities to energy grids.
Second, identity is fragmenting in two directions: attackers are eroding the reliability of human MFA, while machine identities are expanding beyond human comprehension. CSO Online’s coverage of one‑time‑code abuse shows how adversaries are systematically turning MFA into another phishable secret. Simultaneously, Help Net Security’s outlook for 2026 underscores that organizations are losing track of where and how machine identities—especially those tied to AI workloads and automated agents—are issued and used. In a cloud‑native world, every microservice, function, and pipeline often has its own set of credentials; without centralized governance, this becomes an unsupervised, ever‑growing attack surface.
Third, virtualization and cloud management planes are now primary targets, not collateral ones. BRICKSTORM’s design—focused on VM snapshots, hidden VMs, and stealthy persistence—suggests that well‑resourced adversaries see more value in owning the hypervisor than individual endpoints.[1][4] This aligns with parallel trends in public cloud, where threat actors increasingly pursue IAM role abuse or cloud‑console takeover rather than direct server compromise. For enterprises, this implies that “protect the control plane” must become an explicit security objective, with dedicated controls, telemetry, and red‑team exercises.
Fourth, legacy infrastructure remains the easiest way in. The Fortinet SSL VPN case could be read as an indictment of slow patching, but the deeper issue is architectural: organizations are still concentrating access through a small number of long‑lived, internet‑exposed appliances that are difficult to replace quickly.[8] Even as zero‑trust strategies gain board‑level attention, operational reliance on legacy VPNs, shared admin accounts, and static firewall rules persists. This creates a two‑speed security posture: cloud‑native, identity‑forward models at the edge, and brittle, perimeter‑heavy models at the core.
Strategically, these forces point toward a few medium‑term implications:
- Identity‑centric security budgets will rise, especially for ITDR, phishing‑resistant MFA, and machine‑identity management platforms, as organizations recognize that their practical perimeter is wherever identities are issued and used.
- Virtualization and cloud‑control‑plane security will professionalize, with dedicated teams, formal SLOs, and integration into enterprise threat‑hunting programs, driven in part by regulatory and customer pressure referencing CISA/NSA advisories.[1][4]
- Zero‑trust adoption will bifurcate: leading organizations will accelerate away from VPNs toward granular, app‑level access, while laggards will increasingly be over‑represented among breach victims tied to legacy appliances.[8]
- Security operations will become more telemetry‑heavy and context‑aware, fusing data from MFA providers, IAM platforms, hypervisors, and cloud control planes to detect subtle patterns of persistence and lateral movement that older, perimeter‑centric SOCs would miss.[1][5]
Ultimately, enterprises that internalize these lessons will treat security less as a bolt‑on set of controls and more as an emergent property of how they design, deploy, and operate cloud and virtualized infrastructure.
Conclusion
The week of December 17–24, 2025, offered a clear preview of enterprise security’s near future. BRICKSTORM’s focus on VMware environments, active exploitation of aging Fortinet SSL VPN flaws, and growing concern about both machine‑identity sprawl and MFA bypass attacks collectively highlight a security landscape in which virtualization layers and identity systems define organizational risk.[1][4][8]
For technology and security leaders, the path forward is demanding but navigable. It requires elevating virtualization and cloud control planes to “crown jewel” status, aggressively retiring or isolating legacy VPN infrastructure, and building a unified identity‑security program that spans humans, services, and machines. It also means retooling SOC practices to assume that MFA, VPNs, and hypervisor boundaries will be challenged—and to detect and respond accordingly.
Enterprises that act on these signals now will be better positioned for the turbulence of 2026, when AI‑driven workloads, expanding OT‑cloud convergence, and increasingly capable adversaries further stress‑test today’s architectures. Those that do not may find that the weakest link in their hybrid‑cloud stack is not a missed patch or a misconfigured rule, but an outdated assumption about where their true perimeter begins and ends.
References
[1] Understanding BRICKSTORM: A Sophisticated Backdoor Threat Targeting VMware and Windows Environments. Netsecurity.com, December 4, 2025. https://www.netsecurity.com/understanding-brickstorm-a-sophisticated-backdoor-threat-targeting-vmware-and-windows-environments/
[2] Security Advisory Regarding BRICKSTORM. Hurricane Labs, December 5, 2025. https://hurricanelabs.com/blog/brickstorm-malware-vmware-vsphere-emergent-threat-bulletin/
[3] SafeBreach Coverage for Updated CISA AR25-338A BRICKSTORM Backdoor. SafeBreach, December 2025. https://www.safebreach.com/blog/safebreach-coverage-for-updated-cisa-ar25-338a-brickstorm-backdoor/
[4] Malware Analysis Report: BRICKSTORM Backdoor. CISA/NSA/Canadian Centre for Cyber Security, December 4, 2025. https://media.defense.gov/2025/Dec/04/2003834878/-1/-1/0/MALWARE-ANALYSIS-REPORT-BRICKSTORM-BACKDOOR.PDF
[5] Bitdefender Threat Debrief | December 2025. Bitdefender, December 2025. https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-december-2025
[8] Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Flaw. The Hacker News, December 19, 2025. https://www.thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html
Five identity-driven shifts reshaping enterprise security in 2026. Help Net Security, December 24, 2025. https://www.helpnetsecurity.com/2025/12/24/five-identity-driven-shifts-reshaping-enterprise-security-in-2026/
One-time codes used to hack corporate accounts. CSO Online, December 22, 2025. https://www.csoonline.com/article/4111120/one-time-codes-used-to-hack-corporate-accounts.html