- Dell fixed a critical flaw in RecoverPoint for Virtual Machines caused by hardcoded credentials.
- Exploited as a zero-day since mid-2024 by the Chinese state-sponsored UNC6201 group.
- The attackers deployed a new Grimbolt backdoor and used a new "ghost network cards" technique for stealth and lateral movement.
Chinese state-sponsored threat actors have been exploiting a rather embarrassing vulnerability in a Dell product for nearly two years, experts have claimed.
In a security advisory, Dell said its RecoverPoint for Virtual Machines contained a hardcoded credential flaw.
RecoverPoint for Virtual Machines (RP4VM) is a data protection and disaster recovery solution designed for virtualized environments, primarily VMware vSphere and Microsoft Hyper-V. When building it, a developer left login credentials in the code, presumably so they could quickly log in and test the product.
Limited active exploitation
Usually, developers go through the code before shipping the product and remove all traces of hardcoded credentials. However, they are sometimes forgotten or left in place, leaving a gaping hole for cybercriminals to exploit.
Now, Dell claims that all versions prior to 6.0.3.1 HF1 contained hardcoded credentials – a critical vulnerability because “an unauthenticated, remote attacker with knowledge of hardcoded credentials could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.”
To make matters worse, security researchers from Google and Mandiant warned Dell of "limited active exploitation" of the flaw. Both companies say the bug had been exploited as a zero-day since mid-2024, meaning the attackers had been using it for more than a year and a half.
The group apparently exploiting this bug is tracked as UNC6201. It is not a widely recognized group like APT41 or Silk Typhoon, but it is just as dangerous. In fact, researchers said the group deployed several malware payloads, including a brand new backdoor called Grimbolt, built in C# using a new compilation technique that made reverse engineering faster and more difficult than with the group's previous tools.
The researchers also said that UNC6201 used new lateral movement and stealth techniques:
"UNC6201 uses temporary virtual network ports (aka 'ghost NICs') to transition compromised virtual machines to internal or SaaS environments, a new technique that Mandiant has not previously observed in its investigations," Mandiant told BleepingComputer. "In line with the previous BRICKSTORM campaign, UNC6201 continues to target devices that typically lack traditional Endpoint Detection and Response (EDR) agents to remain undetected for extended periods of time."
Via BleepingComputer