Dell Zero-Day Exploit: China-Linked Hackers Target Vulnerability Since 2024
China-Linked Cyberespionage Group Exploits Dell Zero-Day Vulnerability
A China-linked cyberespionage group has been secretly exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines software since at least mid-2024. The flaw, tracked as CVE-2026-22769, was discovered by Google’s threat intelligence team and Mandiant, who attributed the attacks to UNC6201, a suspected Chinese threat cluster.
Attackers Deploy Stealthy Backdoors and Webshell
The attackers used the vulnerability to deploy stealthy backdoors, including BRICKSTORM and GRIMBOLT, as well as a webshell known as SLAYSTYLE. They maintained long-term access to targeted networks and employed novel tactics to pivot into VMware virtual infrastructure. This included creating Ghost NICs for stealthy network pivoting and using iptables for Single Packet Authorization (SPA).
Initial Access Vector Not Determined
Mandiant analysts were unable to determine how the attackers initially gained access to the affected systems, but noted that UNC6201 is known to target edge appliances. The analysts discovered the vulnerability while investigating compromised Dell RecoverPoint systems that were communicating with command-and-control servers associated with the BRICKSTORM and GRIMBOLT backdoors.
Backdoors and Webshell Characteristics
The BRICKSTORM backdoor is a known tool used by UNC5221 and related threat clusters, and is designed to evade traditional endpoint detection and response (EDR) tools. The GRIMBOLT backdoor, by contrast, is built to run directly as machine code, making it harder to detect through static analysis. The attackers also edited a legitimate shell script so that it launched the backdoor each time the script was run.
Remediation and Detection
Dell has provided instructions on how to remediate the vulnerability, and Mandiant and GTIG have provided indicators of compromise, artifacts, and YARA rules to detect the presence of the GRIMBOLT backdoor and the SLAYSTYLE webshell. The Cybersecurity and Infrastructure Security Agency (CISA) has also revised its report on the BRICKSTORM backdoor with the latest indicators of compromise.
Conclusion
The attacks highlight the importance of patching vulnerabilities and securing edge appliances, as well as the need for robust threat detection and response capabilities. The use of default credentials and hardcoded passwords also underscores the importance of robust password management and secure configuration practices.
