- Dell fixed a critical flaw in RecoverPoint for Virtual Machines caused by hard-coded credentials
- Exploited as a zero-day since mid-2024 by the Chinese state-sponsored group UNC6201
- The attackers deployed a new backdoor, Grimbolt, and used a novel "ghost NIC" technique for stealth and lateral movement.
Experts claim that Chinese state-sponsored threat actors have been abusing a rather embarrassing vulnerability in a Dell product for almost two years.
In a security advisory, Dell said its RecoverPoint for Virtual Machines contained a hard-coded credential flaw.
RecoverPoint for Virtual Machines (RP4VM) is a data protection and disaster recovery solution designed for virtualized environments, primarily VMware vSphere and Microsoft Hyper-V. During development, a developer left login credentials in the code, most likely so he could log in quickly and test the product.
Limited active exploitation
Developers typically review the code before shipping a product and remove any hard-coded credentials. Sometimes, however, they are forgotten or go unchecked, leaving a gaping hole that attackers can exploit.
Now, Dell says that all versions prior to 6.0.3.1 HF1 contained hard-coded credentials, a critical vulnerability because "an unauthenticated remote attacker with knowledge of the hard-coded credential could exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence."
To make matters worse, security researchers from Google and Mandiant warned Dell of "limited active exploitation" of the flaw. The two companies say the bug had been exploited as a zero-day since mid-2024, meaning the attackers used it for more than a year and a half.
The group apparently exploiting this bug is tracked as UNC6201. It is not a widely recognized group like APT41 or Silk Typhoon, but it is just as dangerous. Researchers said the group deployed multiple malware payloads, including a new backdoor called Grimbolt, built in C# using a new compilation technique that makes it faster and harder to reverse-engineer than their previous tools.
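The review step described above can be automated. The following is an added example, not code from the article, Dell or Mandiant: a small scanner that flags string literals assigned to credential-looking names and any long high-entropy literal, so that credentials left in for testing are caught before a release. The sample source it scans is constructed for the example; no real product code or credential is involved.

```python
"""Flag credentials left in source code before a product ships.

Added example for illustration; the sample source below is constructed.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# A string literal assigned to a credential-looking name, e.g.
#   admin_password = "..."   API_KEY: "..."   secret => '...'
CREDENTIAL_NAME = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_.]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token|private[_-]?key)[a-z0-9_.]*)
    \s*(?:=|:|=>)\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)
# Any long string literal made of key-like characters, whatever the variable name
ANY_STRING = re.compile(r"""(["'])(?P<value>[A-Za-z0-9+/=_\-]{20,})\1""")
# Values that are obviously placeholders rather than working credentials
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>", "todo", "example"}


@dataclass
class Finding:
    line: int
    reason: str
    name: str
    value_preview: str  # never log the full value; a scanner must not leak what it finds


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score well above words and hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def preview(value: str) -> str:
    """Show only enough of the value to locate it in the file."""
    return value[:3] + "..." + value[-2:] if len(value) > 8 else "***"


def find_hardcoded_credentials(source: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per suspicious line of `source`."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):  # comments still deserve a manual look, but are not executable
            continue
        m = CREDENTIAL_NAME.search(line)
        if m and m.group("value").lower() not in PLACEHOLDERS:
            findings.append(Finding(lineno, "credential-named literal", m.group("name"), preview(m.group("value"))))
            continue
        for s in ANY_STRING.finditer(line):
            if shannon_entropy(s.group("value")) >= entropy_threshold:
                findings.append(Finding(lineno, "high-entropy literal", "<unnamed>", preview(s.group("value"))))
    return findings


# Constructed sample: a config module with one testing credential left in,
# one placeholder, one correctly externalised secret and one opaque key blob.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal"
# left in by a developer for quick local testing
admin_password = "Tr0ub4dor&3"
api_key = os.environ["API_KEY"]
password = "changeme"
blob = "q7Zp2VxL9mN4rT8wKs3yHd6Fj0Bc5Ga1"
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.reason} ({f.name}) {f.value_preview}")
```

Reading credentials from the environment (line 5 of the sample) produces no finding, the `changeme` placeholder is ignored, and both the named test password and the unnamed key-like blob are reported with only a redacted preview. Running this in CI or as a pre-commit hook is what turns "developers typically review the code" into a check that cannot be forgotten.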
The researchers also said that UNC6201 used new stealth and lateral movement techniques:
"UNC6201 uses temporary virtual network ports (also known as 'ghost NICs') to transition from compromised virtual machines to internal or SaaS environments, a new technique that Mandiant had not previously observed in its investigations," Mandiant told BleepingComputer. "Consistent with BRICKSTORM's previous campaign, UNC6201 continues to target devices that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."
Via BleepingComputer