Suspected China-linked threat actors exploited a Dell zero-day vulnerability since mid-2024 to deploy stealthy malware infrastructure, requiring immediate patching and forensic examination of Dell RecoverPoint systems.

Security researchers from Google's Mandiant and Threat Intelligence Group have confirmed that suspected China-linked cyber espionage groups exploited a critical vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. This maximum-severity flaw involves hardcoded credentials that allow unauthenticated attackers to gain root-level access to the underlying operating system.
Technical Exploitation Pattern
The threat cluster tracked as UNC6201 leveraged this vulnerability to:
- Deploy Brickstorm and Grimbolt backdoors for persistent remote access
- Create 'ghost NICs' (hidden network interfaces) on VMware ESXi virtual machines for stealthy lateral movement
- Modify legitimate system scripts (convert_hosts.sh) to execute malware at boot time via rc.local
- Use Apache Tomcat Manager to deploy Slaystyle web shells through malicious WAR files
Grimbolt represents an evolution of earlier Brickstorm variants, shifting from Go/Rust to C# with ahead-of-time compilation and UPX packing. This technical shift enhances evasion capabilities against static analysis tools while maintaining the same command-and-control infrastructure.
Compliance Requirements
Organizations using Dell RecoverPoint for Virtual Machines must implement these measures immediately:
- Patch Implementation: Apply Dell's security update for CVE-2026-22769 from the Dell Security Advisory
- Forensic Examination: Check systems for:
  - Modified convert_hosts.sh scripts
  - Unauthorized NIC configurations in VMware environments
  - Processes matching Grimbolt's AOT-compiled binaries
- Credential Reset: Replace all associated administrative credentials
- Historical Analysis: Organizations previously targeted by Brickstorm must search for Grimbolt artifacts
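As an added example (not Dell's, Mandiant's, or the article's own code), the following POSIX shell triage helper turns three of the checks above into something that can be run against a mounted image or a live host: it compares convert_hosts.sh against an operator-supplied known-good SHA-256, looks for rc.local entries that invoke convert_hosts.sh, and lists WAR files in the Tomcat webapps directory that are not on an allow-list. The paths under the inspected root, the baseline hash placeholder, and the WAR allow-list are assumptions and must be adjusted to the actual RecoverPoint layout.

```shell
#!/bin/sh
# rp_triage ROOT [BASELINE_SHA256]
#   ROOT            directory to inspect (e.g. a mounted forensic image)
#   BASELINE_SHA256 SHA-256 of the vendor-shipped convert_hosts.sh, taken from
#                   a known-good system of the same version (placeholder default)
# Prints one "FINDING:" line per suspicious observation; returns the count.
rp_triage() {
  root="$1"
  baseline="${2:-BASELINE_SHA256_PLACEHOLDER}"
  findings=0
  script="$root/convert_hosts.sh"        # assumed location, adjust as needed
  rclocal="$root/etc/rc.local"
  webapps="$root/tomcat/webapps"         # assumed Tomcat deployment directory

  # 1. Integrity of convert_hosts.sh against the operator-supplied baseline
  if [ -f "$script" ]; then
    actual=$(sha256sum "$script" | cut -d' ' -f1)
    if [ "$actual" != "$baseline" ]; then
      echo "FINDING: convert_hosts.sh hash $actual differs from baseline"
      findings=$((findings + 1))
    fi
  fi

  # 2. Boot-time persistence path described in the report: rc.local
  #    invoking convert_hosts.sh
  if [ -f "$rclocal" ] && grep -q 'convert_hosts\.sh' "$rclocal"; then
    echo "FINDING: rc.local references convert_hosts.sh"
    findings=$((findings + 1))
  fi

  # 3. WAR files deployed through Tomcat Manager that are not expected
  if [ -d "$webapps" ]; then
    for war in "$webapps"/*.war; do
      [ -e "$war" ] || continue
      case "$(basename "$war")" in
        manager.war|host-manager.war) ;;   # constructed allow-list, adjust
        *) echo "FINDING: unexpected WAR $war"; findings=$((findings + 1)) ;;
      esac
    done
  fi
  return "$findings"
}
```

Run it as `rp_triage /mnt/image <known-good-sha256>`; any FINDING line is a trigger for deeper forensic review, not proof of compromise on its own.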
Critical Timeline
- Mid-2024: Initial observed exploitation
- September 2025: Threat actors shifted to Grimbolt backdoors
- February 2026: Vulnerability disclosed and patched
Dell confirmed 'limited active exploitation' but cautions that the full scope remains unknown. Mandiant has observed fewer than a dozen confirmed compromises but emphasizes that all critical infrastructure operators—particularly in energy and government sectors—should assume they are potential targets given UNC6201's history of long-term embedded access.
The US Cybersecurity and Infrastructure Security Agency (CISA) has previously warned about similar VMware targeting tactics in CISA Alert AA26-137A. Security teams should cross-reference these detection mechanisms with Dell-specific indicators of compromise.