China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection
Summary
A China-linked threat actor has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability, a maximum-severity hardcoded-credential bug, gives the attackers authenticated access to the appliance, which they have used to backdoor compromised machines for long-term access; they also used 'ghost NICs' to avoid detection.
IFF Assessment
The exploitation of a zero-day vulnerability by a China-linked threat actor is bad news for defenders, and the bug class makes it worse: a hardcoded credential needs no exploit chain, works the same on every unpatched appliance, and looks like a normal login rather than an attack. With exploitation running since mid-2024, organisations running RecoverPoint for Virtual Machines should treat exposed appliances as potentially already compromised, not merely vulnerable.
Severity
Defender Context
Defenders should immediately patch Dell RecoverPoint for Virtual Machines, then investigate for compromise rather than assuming the patch closes the matter: the patch removes the entry point, but it does not remove a backdoor that was planted through it. Because the actor used 'ghost NICs' to stay hidden, the network-side check worth doing first is to compare the virtual network adapters attached to each RecoverPoint VM against the known-good configuration and to treat any adapter, port group or MAC address that the deployment never provisioned as a finding, alongside review of authentication and network logs from the appliance for activity going back to mid-2024. More broadly, the technique shows why appliance and hypervisor inventory belongs in threat detection, not just endpoint telemetry: attackers are actively choosing locations that traditional security tooling does not watch. This campaign demonstrates the persistent threat posed by nation-state actors targeting critical infrastructure and sensitive data.
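As an added example (not code from the article or from Dell), the following Python script implements the baseline comparison described above. It assumes that a 'ghost NIC' is a virtual network adapter attached to a VM that is not part of the deployment's known-good configuration, and it works on a constructed CSV inventory in the shape a hypervisor export typically has (VM name, adapter label, MAC, network/port group, connected flag). The VM names, MAC addresses and network names are made up for the example.

```python
"""Diff a hypervisor NIC inventory against a known-good baseline.

Added example, not from the article or from Dell. Assumes a 'ghost NIC' is
an adapter the deployment never provisioned. All VM names, MACs and networks
below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Adapter:
    vm: str
    label: str
    mac: str
    network: str
    connected: bool


# Constructed baseline: (adapter label, network) each appliance VM should have.
BASELINE = {
    "rpvm-a": {("Network adapter 1", "Mgmt"), ("Network adapter 2", "Replication")},
    "rpvm-b": {("Network adapter 1", "Mgmt"), ("Network adapter 2", "Replication")},
}

# Constructed export, as a hypervisor inventory CSV might look. rpvm-b carries
# an extra adapter on a network the baseline never listed, and a VM that is not
# in the baseline at all shows up with a management-network adapter.
SAMPLE_CSV = """vm,label,mac,network,connected
rpvm-a,Network adapter 1,00:50:56:aa:00:01,Mgmt,true
rpvm-a,Network adapter 2,00:50:56:aa:00:02,Replication,true
rpvm-b,Network adapter 1,00:50:56:bb:00:01,Mgmt,true
rpvm-b,Network adapter 2,00:50:56:bb:00:02,Replication,true
rpvm-b,Network adapter 3,00:50:56:bb:00:03,DMZ-Transit,true
rpvm-tmp,Network adapter 1,00:50:56:cc:00:01,Mgmt,true
"""


def parse_inventory(csv_text: str) -> list[Adapter]:
    """Parse a CSV export into Adapter records (hypothetical column layout)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Adapter(
            vm=r["vm"].strip(),
            label=r["label"].strip(),
            mac=r["mac"].strip().lower(),
            network=r["network"].strip(),
            connected=r["connected"].strip().lower() == "true",
        )
        for r in rows
    ]


def find_unexpected_adapters(inventory, baseline):
    """Adapters present in the inventory but absent from the baseline.

    Returns (adapter, reason) pairs. A VM unknown to the baseline is reported
    for every adapter it carries, since the whole VM is unaccounted for.
    """
    findings = []
    for a in inventory:
        expected = baseline.get(a.vm)
        if expected is None:
            findings.append((a, "vm not in baseline"))
        elif (a.label, a.network) not in expected:
            findings.append((a, "adapter/network not in baseline"))
    return findings


def find_missing_adapters(inventory, baseline):
    """(vm, label, network) the baseline expects but the inventory lacks."""
    seen = {(a.vm, a.label, a.network) for a in inventory}
    return sorted(
        (vm, label, net)
        for vm, expected in baseline.items()
        for label, net in expected
        if (vm, label, net) not in seen
    )


def report(csv_text: str, baseline) -> list[str]:
    """One line per finding, suitable for a ticket or a SIEM event."""
    inv = parse_inventory(csv_text)
    lines = [
        f"UNEXPECTED {a.vm} {a.label} mac={a.mac} net={a.network} "
        f"connected={a.connected}: {why}"
        for a, why in find_unexpected_adapters(inv, baseline)
    ]
    lines += [f"MISSING {vm} {label} net={net}" for vm, label, net in
              find_missing_adapters(inv, baseline)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSV, BASELINE):
        print(line)
```

Run against the sample, the script flags the third adapter on rpvm-b and every adapter on the unlisted rpvm-tmp. The point of keying the baseline on (label, network) rather than on MAC is that a MAC can be changed by whoever attached the adapter; the label and network are what the deployment actually provisioned and what a reviewer can confirm against change records. A real run would replace SAMPLE_CSV with the hypervisor's own export and keep BASELINE under version control so that drift is visible in review.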