A Hardcoded Password. Root Access. Two Years Undetected.
Dell shipped a backup product with an admin password hardcoded in a config file. Chinese state hackers found it in mid-2024 and have been quietly exploiting it ever since.
CVE-2026-22769 affects Dell RecoverPoint for Virtual Machines — the software organizations trust to protect their VMware infrastructure. CVSS score: 10.0. Maximum severity. CISA added it to the Known Exploited Vulnerabilities catalog with a 3-day patch deadline for federal agencies.
The threat actor, tracked as UNC6201 by Google's Threat Intelligence Group (GTIG), deployed three custom malware families and invented a novel lateral movement technique using ephemeral virtual network interfaces.
The Vulnerability: Password in a Config File
Dell RecoverPoint for VMs ships with Apache Tomcat as its web management interface. The admin credentials were hardcoded in:
/home/kos/tomcat9/tomcat-users.xml
Username: admin. Password: hardcoded. This grants full access to the Tomcat Manager console at /manager/text/deploy.
With Tomcat Manager access, an attacker can deploy arbitrary WAR (Web Application Archive) files. WAR files execute as Java servlets with the same privileges as the Tomcat process — in this case, root.
This isn't a complex exploit. There's no buffer overflow, no race condition, no heap spray. It's a default password that Dell shipped in production for years.
The Attack Chain
1. Scan for Dell RecoverPoint instances (port 443)
↓
2. Authenticate to Tomcat Manager with hardcoded credentials
↓
3. Deploy SLAYSTYLE webshell via WAR file upload
↓
4. Execute commands as root via webshell
↓
5. Deploy BRICKSTORM or GRIMBOLT backdoor for persistence
↓
6. Create Ghost NICs for lateral movement into internal network
↓
7. Manipulate iptables to hide traffic and maintain access
↓
8. Long-term espionage (active since mid-2024)
UNC6201's Custom Malware Arsenal
SLAYSTYLE — The Webshell
The initial foothold. A Java-based webshell deployed as a WAR file through Tomcat Manager. Executes arbitrary commands with root privileges on the RecoverPoint appliance.
BRICKSTORM — The C# Backdoor
The primary persistence mechanism:
- Remote shell access with encrypted C2 communication
- File upload and download capability
- Command execution
- Written in C# — runs on the .NET runtime available on the appliance
GRIMBOLT — The Evolution
A newer variant designed to evade forensic analysis:
- Native AOT (Ahead-of-Time) compilation — compiles to a standalone binary with no .NET runtime dependency
- Significantly harder to reverse engineer than BRICKSTORM
- Enhanced anti-forensic capabilities
- Same C2 infrastructure as BRICKSTORM, suggesting evolution by the same team
- Eliminates dependency on .NET, reducing detection surface
Ghost NICs: A Novel Lateral Movement Technique
This is the most innovative part of the campaign.
After compromising the RecoverPoint appliance, UNC6201 creates temporary virtual network interfaces ("Ghost NICs") that bridge into internal network segments. These interfaces exist only long enough to perform reconnaissance or pivot to other systems — then they're deleted.
Why this matters:
- RecoverPoint appliances typically sit on management networks with broad access to VMware infrastructure
- The Ghost NIC technique leaves minimal forensic traces
- Network monitoring tools may not detect a temporary interface that exists for seconds
- Traditional network segmentation doesn't protect against an appliance that's already trusted
iptables Manipulation for Stealth
UNC6201 deployed custom iptables rules to:
- Monitor port 443 for specific HEX signatures in incoming traffic
- Whitelist approved source IPs — only the attacker's infrastructure gets through
- Redirect traffic — when a matching signature is detected, redirect port 443 to port 10443 for a 300-second window
- Auto-expire — rules reset after 5 minutes, leaving no permanent trace
This creates a knock sequence — the attacker sends a packet with a specific hex pattern, which opens a 5-minute window for C2 communication. To anyone monitoring, port 443 looks like normal HTTPS traffic.
Affected Versions
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| RecoverPoint for VMs | 5.3 SP4 P1 and earlier | 6.0.3.1 HF1 |
| RecoverPoint for VMs | 6.0 through 6.0 SP3 P1 | 6.0.3.1 HF1 |
| RecoverPoint Classic | Not affected | — |
IOCs
File Hashes (SHA-256)
GRIMBOLT:
24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
SLAYSTYLE:
92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
BRICKSTORM:
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
Network:
149.248.11.71
Detection
YARA Rule — SLAYSTYLE Webshell
rule SLAYSTYLE_Webshell {
meta:
description = "Detects SLAYSTYLE webshell deployed via Dell RecoverPoint"
author = "theinsider-x.com"
date = "2026-02-27"
reference = "CVE-2026-22769"
strings:
$war_deploy = "/manager/text/deploy" ascii
$tomcat_user = "tomcat-users.xml" ascii
$cmd_exec = "Runtime.getRuntime().exec" ascii
$hash = "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a"
condition:
2 of them
}
Sigma Rule — Tomcat Manager Exploitation
title: Dell RecoverPoint Tomcat Manager Unauthorized Access
status: experimental
logsource:
category: webserver
product: apache
detection:
selection:
cs_uri_stem|contains:
- '/manager/text/deploy'
- '/manager/html/upload'
cs_username: 'admin'
condition: selection
level: critical
Network Detection
title: UNC6201 C2 Communication
status: experimental
logsource:
category: firewall
detection:
selection_ip:
dst_ip: '149.248.11.71'
selection_port:
dst_port:
- 443
- 10443
condition: selection_ip or (selection_port and dst_port == 10443)
level: critical
Forensic Checks
# Check for SLAYSTYLE webshell in Tomcat
find /home/kos/tomcat9/webapps/ -name '*.war' -newer /home/kos/tomcat9/webapps/ROOT.war
# Check for Ghost NIC artifacts
ip link show | grep -v 'state UP\|lo:'
journalctl -u NetworkManager --since '2024-06-01' | grep 'new link'
# Check iptables for port redirection rules
iptables -t nat -L -n | grep 10443
# Check for BrickStorm/GrimBolt processes
ps aux | grep -E '/tmp/\.|/var/tmp/' | grep -v grep
# Verify tomcat-users.xml hasn't been accessed
stat /home/kos/tomcat9/tomcat-users.xml
MITRE ATT&CK Mapping
| Technique | ID | Usage |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Tomcat Manager with hardcoded creds |
| Valid Accounts: Default Accounts | T1078.001 | Hardcoded admin credentials |
| Server Software Component: Web Shell | T1505.003 | SLAYSTYLE WAR deployment |
| Boot or Logon Autostart Execution | T1547 | BRICKSTORM/GRIMBOLT persistence |
| Proxy: Multi-hop Proxy | T1090.003 | iptables port redirection |
| Network Service Discovery | T1046 | Ghost NIC lateral recon |
| Exfiltration Over C2 Channel | T1041 | Data theft via BRICKSTORM |
| Indicator Removal | T1070 | Ghost NIC deletion, iptables auto-expire |
Remediation
Immediate (Today)
- Patch — Upgrade to Dell RecoverPoint for VMs 6.0.3.1 HF1
- If patching isn't immediate — Apply Dell's remediation script (KB000426742)
-
Block IOC — Add
149.248.11.71to your firewall blocklist - Scan for webshells — Check Tomcat webapps directory for unknown WAR files
Forensic Investigation
-
Check Tomcat access logs for
/manager/text/deployrequests since mid-2024 - Scan for IOC hashes across all RecoverPoint appliances
- Review iptables rules for any port redirection to 10443
-
Check network logs for connections to
149.248.11.71 - Audit network interfaces — any recently created/deleted virtual NICs?
Strategic
- Isolate backup infrastructure — RecoverPoint appliances should not have broad network access
-
Monitor Tomcat Manager — alert on any
/manager/access - Credential audit — scan for hardcoded credentials in ALL appliance configs
Your backup system was the backdoor. The appliance trusted to recover from compromise was itself compromised — for two years.
Need help checking if your Dell infrastructure has been compromised? Request a free penetration test at theinsider-x.com — currently in open beta.
Sources: Google GTIG/Mandiant, The Hacker News, Dell Security Advisory, CISA KEV, TrueSec
MITRE ATT&CK: T1190, T1078.001, T1505.003, T1547, T1090.003, T1046, T1041, T1070
Top comments (0)