Dell RecoverPoint Vulnerability: Zero-Day Exploit and Its Impact (2026)

A critical security vulnerability has been disclosed. A zero-day flaw, CVE-2026-22769, has been actively exploited since mid-2024 by a suspected Chinese threat group tracked as UNC6201. The vulnerability affects Dell RecoverPoint for Virtual Machines, a widely used data protection product. Most troubling, the exploitation went on for almost two years without being detected.

The vulnerability, which carries the maximum CVSS score of 10.0, allows an unauthenticated attacker to gain unauthorized access to the underlying operating system and persist with root privileges. This is a serious issue, as it can lead to complete system compromise. Dell has released a bulletin urging users to upgrade to the specific versions it lists in order to mitigate the risk.

The exploit involves hard-coded credentials, which can be used to authenticate and execute commands as root. Google's Mandiant and Google Threat Intelligence Group (GTIG) have provided insight into how the attackers are leveraging this vulnerability. They use a web shell named SLAYSTYLE to drop a backdoor, BRICKSTORM, and its newer variant, GRIMBOLT. GRIMBOLT is designed to evade detection and leave minimal forensic traces, making it even harder to find.

UNC6201 shares similarities with another Chinese espionage group, UNC5221, known for exploiting virtualization technologies and Ivanti zero-days. However, despite the tactical overlap, they are assessed to be distinct. The use of BRICKSTORM has also been linked to a third China-aligned adversary, Warp Panda, in attacks on U.S. entities.

One of the notable aspects of UNC6201's tactics is their use of temporary virtual network interfaces, or "Ghost NICs," to pivot within compromised environments and cover their tracks. This allows them to move laterally and maintain persistence, making it harder for investigators to track their activities.
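The "Ghost NIC" technique leaves one useful trace: an interface that appears, is used, and disappears within a short window. The following is an added, hypothetical detection helper (not Dell, Mandiant or GTIG code) that walks kernel log lines, pairs interface creation with removal, and flags interfaces that are short-lived or absent from a known baseline. The log format, the event strings, the host name and the baseline set are all constructed assumptions; adapt `LINE_RE` and the event sets to the real log source.

```python
"""Flag short-lived or unexpected network interfaces in kernel log lines.

Hypothetical detection helper, added as an example; not code from Dell,
Mandiant or GTIG. The log format below is a constructed, simplified
syslog-like layout. Adjust LINE_RE, CREATE_EVENTS and REMOVE_EVENTS to match
the appliance's actual logging before use.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (assumption: not real appliance output).
SAMPLE_LOG = """\
2026-01-10T03:12:01Z rp-node1 kernel: eth0: link becomes ready
2026-01-10T03:14:22Z rp-node1 kernel: tap7a1c: link becomes ready
2026-01-10T03:14:25Z rp-node1 kernel: tap7a1c: link down
2026-01-10T03:14:26Z rp-node1 kernel: tap7a1c: device removed
2026-01-10T04:00:00Z rp-node1 kernel: eth1: link becomes ready
2026-01-10T04:30:00Z rp-node1 kernel: eth1: link down
2026-01-10T04:30:01Z rp-node1 kernel: eth1: device removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<iface>[\w.-]+): (?P<event>.+)$"
)
CREATE_EVENTS = {"link becomes ready"}   # assumed wording
REMOVE_EVENTS = {"device removed"}       # assumed wording
KNOWN_INTERFACES = {"eth0", "eth1"}      # assumed per-host baseline


def parse_ts(text):
    """Parse the constructed UTC timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_interfaces(log_text, known=KNOWN_INTERFACES,
                               max_lifetime=timedelta(minutes=10)):
    """Return a list of findings for interfaces that were short-lived,
    are not in the baseline, or both.

    Each finding is a dict with iface, created, removed, lifetime_s and
    reasons. Interfaces still present at the end of the log are reported
    only if they are outside the baseline.
    """
    created = {}    # iface -> creation timestamp of the currently open episode
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # ignore lines that are not interface events
        iface, event, ts = m["iface"], m["event"], parse_ts(m["ts"])
        if event in CREATE_EVENTS:
            created[iface] = ts
        elif event in REMOVE_EVENTS and iface in created:
            start = created.pop(iface)
            lifetime = ts - start
            reasons = []
            if lifetime <= max_lifetime:
                reasons.append("short-lived")
            if iface not in known:
                reasons.append("not in baseline")
            if reasons:
                findings.append({
                    "iface": iface, "created": start, "removed": ts,
                    "lifetime_s": lifetime.total_seconds(), "reasons": reasons,
                })
    # Interfaces that never went away but were never expected on this host.
    for iface, start in created.items():
        if iface not in known:
            findings.append({
                "iface": iface, "created": start, "removed": None,
                "lifetime_s": None, "reasons": ["not in baseline", "still present"],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_interfaces(SAMPLE_LOG):
        print(f["iface"], f["lifetime_s"], ", ".join(f["reasons"]))
```

The baseline check matters as much as the lifetime check: a long-lived interface with an unfamiliar name is still worth a look, and on an appliance without EDR this kind of log review is often the only place the pivot leaves a mark.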

Exactly how UNC6201 gains initial access remains unclear, but they are known to target edge appliances and use web shells to monitor and redirect traffic. This enables them to maintain a stealthy presence within compromised networks.

The threat actor has also been observed replacing old BRICKSTORM binaries with GRIMBOLT, further enhancing their stealth capabilities. While the reason for this shift is unknown, it highlights the evolving nature of these threats and the need for constant vigilance.

Charles Carmakal, from Mandiant, emphasizes the challenge posed by nation-state threat actors targeting systems that lack traditional EDR solutions. This makes it extremely difficult for victim organizations to detect and respond to these sophisticated attacks.
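Because these appliances typically lack EDR, the practical counter to a backdoor binary being silently swapped (as described for BRICKSTORM and GRIMBOLT above) is an out-of-band file integrity baseline. The block below is an added example, not Dell or Mandiant code: it hashes every file under a directory tree, stores the result as a baseline, and on a later run reports files that changed, appeared or disappeared. The directory layout and file contents it creates are constructed for the demonstration; in practice the baseline would be taken from a known-good appliance image and kept off the box.

```python
"""Minimal file integrity baseline and comparison.

Added example, not code from Dell, Mandiant or GTIG. Paths and file contents
in the demo are constructed; the baseline should be captured from a
known-good system and stored off the appliance.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative path) under root to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, current):
    """Return changed, new and missing relative paths between two snapshots."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "new": new, "missing": missing}


def demo():
    """Build a constructed tree, take a baseline, tamper, and diff.

    Returns the comparison result so it can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF original agent")   # constructed
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper")          # constructed
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=normal\n")           # constructed
        baseline = build_baseline(root)

        # Simulate a binary being replaced, a new file dropped, and one removed.
        (root / "bin" / "agent").write_bytes(b"\x7fELF replaced agent")
        (root / "bin" / ".cache").write_bytes(b"unexpected payload")
        (root / "bin" / "helper").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it periodically from a host the attacker does not control, compare against the stored baseline, and treat any `changed` or `new` entry under a binary directory as an incident until proven otherwise.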

This disclosure comes at a time when Dragos has warned of similar attacks by Chinese groups, such as Volt Typhoon (aka Voltzite), targeting Sierra Wireless Airlink gateways in the electric and oil and gas sectors. These attacks demonstrate the increasing sophistication and boldness of nation-state actors, who are pushing the boundaries of what is possible in the cyber realm.

As we navigate this complex landscape, it's crucial to stay informed and proactive in our cybersecurity measures. The threat landscape is ever-evolving, and staying ahead of these sophisticated attacks is a collective effort.

What are your thoughts on this ongoing threat? Do you think we are doing enough to protect our critical infrastructure from these advanced persistent threats? We'd love to hear your insights and opinions in the comments below!

Article information

Author: Otha Schamberger
