A worrying Dell zero-day flaw has reportedly gone unpatched for nearly two years - and Chinese hackers are taking advantage


  • Dell patched a critical flaw in RecoverPoint for Virtual Machines caused by hardcoded credentials
  • Exploited as a zero-day since mid-2024 by Chinese state-sponsored group UNC6201
  • Attackers deployed new Grimbolt backdoor and used novel “Ghost NICs” technique for stealth and lateral movement

Chinese state-sponsored threat actors have been abusing a rather embarrassing vulnerability in a Dell product for nearly two years, experts have claimed.

In a security advisory, Dell said its RecoverPoint for Virtual Machines contained a hardcoded credential flaw.

RecoverPoint for Virtual Machines (RP4VM) is a data protection and disaster recovery product for virtualized environments, primarily VMware vSphere and Microsoft Hyper-V. A developer most likely embedded the login in the code to authenticate quickly while testing, and it was never removed before release.

Limited active exploitation

Such credentials are supposed to be stripped before a product ships, and secret scanning in the build pipeline exists to catch the ones a code review misses. When one slips through, every shipped installation carries the same login, and anyone who recovers it from a single appliance, image or repository can use it against all of them.

Dell now says that all versions prior to 6.0.3.1 HF1 contain the hardcoded credentials. The flaw is rated critical because “an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.”
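The pattern the advisory describes, as an added example that is not Dell's code (RP4VM's implementation is not public): a hypothetical maintenance login with the credential literal baked in, the same login rebuilt so the secret is provisioned per installation and compared in constant time, and a small scanner of the kind a pre-release check runs to catch the literal. The account name, the credential value, the `MAINT_PASSWORD` provisioning variable and the sample source file are all constructed for illustration.

```python
"""Hardcoded credential: the anti-pattern, a hardened form, and a pre-release check.

Added example, not Dell's code. Account names, the credential literal and the
sample source below are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets

# --- Anti-pattern: a maintenance login with the credential in the code -------
# The literal ships identically in every build, so anyone who recovers it
# (from an appliance image, a dump, or a leaked repository) can log in from any
# host that can reach the service.
MAINT_USER = "maint"               # constructed, not a real RP4VM account
MAINT_PASS = "Rp4vm-Test-2024!"    # constructed literal left in the code


def login_vulnerable(user: str, password: str) -> bool:
    """Vulnerable: authenticates against a hardcoded credential pair."""
    return user == MAINT_USER and password == MAINT_PASS


# --- Hardened form: secret provisioned outside the code ----------------------
# The password is supplied per installation (environment / secret store at
# provisioning time), kept in memory only as a salted PBKDF2 hash, and compared
# in constant time. With nothing provisioned there is no maintenance login.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def load_credential_store(env: dict) -> dict:
    """Build the in-memory store from provisioned secrets, never from literals."""
    store = {}
    provisioned = env.get("MAINT_PASSWORD")   # assumed provisioning variable
    if provisioned:
        salt = secrets.token_bytes(16)
        store[MAINT_USER] = (salt, _pbkdf2(provisioned, salt))
    return store


def login_hardened(store: dict, user: str, password: str) -> bool:
    """Hardened: unknown user or nothing provisioned -> reject; else constant-time compare."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


# --- Pre-release check: flag credential literals in source -------------------
# Matches a credential-like identifier assigned or compared to a quoted literal.
# Coarse by design; a real pipeline would add a dedicated secret scanner.
_CRED_LITERAL = re.compile(
    r"(?i)\b\w*(?:pass(?:word|wd)?|secret|token|api_?key|credential)\w*"
    r"\s*(?:==|=|:)\s*"
    r"(['\"])(?P<value>[^'\"]{4,})\1"
)
_PLACEHOLDERS = {"changeme", "none", "null", "xxxx", "todo"}


def scan_source(text: str, path: str = "<input>") -> list:
    """Return (path, line_no, stripped_line) for each suspected credential literal."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _CRED_LITERAL.search(line)
        if m and m.group("value").lower() not in _PLACEHOLDERS:
            hits.append((path, n, line.strip()))
    return hits


# Constructed sample source, not RP4VM code.
SAMPLE_SOURCE = """\
import os
ADMIN_USER = "admin"
ADMIN_PASSWORD = "Rp4vm-Test-2024!"      # left over from development
api_key = os.environ.get("RP4VM_API_KEY")  # read from the environment: fine
if token == "changeme":                    # placeholder: fine
    raise RuntimeError("rotate the token")
db_secret: "S3cr3t-db-pw"
"""

if __name__ == "__main__":
    print("vulnerable login with baked-in literal:",
          login_vulnerable(MAINT_USER, MAINT_PASS))
    store = load_credential_store({"MAINT_PASSWORD": "per-install-secret"})
    print("hardened login with the old literal:",
          login_hardened(store, MAINT_USER, MAINT_PASS))
    for path, n, line in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{path}:{n}: {line}")
```

The scanner is worth running not only on the repository but on the filesystem extracted from the release image, since a build step can inject a credential that never appears in source control.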

To make matters worse, researchers from Google and Mandiant reported “limited active exploitation” of the flaw to Dell. They say the bug has been exploited as a zero-day since mid-2024, meaning the attackers had it for more than a year and a half before a fix was available.

The group apparently exploiting this bug is tracked as UNC6201. The UNC prefix is Mandiant's label for an “uncategorized” activity cluster that has not yet been tied to an established group such as APT41 or Silk Typhoon, but the activity is no less dangerous. The researchers said the group deployed multiple malware payloads, including a previously unseen backdoor called Grimbolt, written in C# using a new compilation technique that makes it faster and harder to reverse-engineer than the group's previous tools.

The researchers also said UNC6201 used new techniques for lateral movement and stealth:

"UNC6201 uses temporary virtual network ports (AKA "Ghost NICs") to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant told BleepingComputer. "Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
