Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Dell RecoverPoint zero-day: what long dwell time means for security teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A zero-day in Dell RecoverPoint for Virtual Machines was reportedly exploited since mid-2024 by Chinese-linked attackers, with Mandiant saying fewer than a dozen organisations are known to be affected and dwell time often exceeding a year, according to Swarmnetics. The case shows how low-visibility infrastructure and delayed detection extend the time attackers have to extract secrets and entrench access.

NHIMG editorial — based on content published by Swarmnetics covering the Dell RecoverPoint zero-day: Chinese hackers credited with another major zero-day vulnerability and compromise since 2024

By the numbers:

Questions worth separating out

Q: What breaks when a zero-day gives attackers long-term access to recovery infrastructure?

A: The main failure is that recovery and replication systems often sit outside normal detection and identity review workflows, so attackers can harvest secrets and maintain access for months.

Q: Why are low-visibility systems such a problem for secrets governance?

A: Low-visibility systems can sit close to highly privileged service credentials while receiving less monitoring than endpoints or cloud workloads.

Q: What do teams get wrong about patching after a stealthy intrusion?

A: They often treat patching as the end of the incident, when the harder problem is removing any persistence, stolen secrets, and hidden access paths already established.

Practitioner guidance

  • Add detection coverage to recovery infrastructure Instrument backup and replication platforms with alerting for unusual administrative sessions, new binaries, and unexpected configuration changes, then route those events into the SOC alongside endpoint telemetry.
  • Shorten the reach of exposed secrets Inventory credentials that can be accessed from infrastructure-adjacent systems, reduce their scope, and revoke or rotate them where long validity would let an intruder reuse them after initial exploitation.
  • Separate operational recovery access from secret-bearing trust paths Review whether recovery tooling can surface service accounts, tokens, or API keys that should be isolated behind different administrative boundaries and stronger approval checks.

What's in the full analysis

Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:

  • Timeline detail on the zero-day exploitation window and the organisations known to be affected.
  • Vendor remediation guidance for version 6.0.3.1 HF1 and the extra steps required on older installations.
  • Background on the Brickstorm-to-Grimbolt tooling shift and how the backdoor changed after deployment.
  • Specific observations from Mandiant and Google Threat Intelligence on the UNC6201 cluster and related activity.

👉 Read Swarmnetics' analysis of the Dell RecoverPoint zero-day and Grimbolt activity →

Dell RecoverPoint zero-day: what long dwell time means for security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Long dwell time is the control failure, not just late patching. This incident shows that patch management alone does not solve exposure when a vulnerability can sit undetected for months in low-visibility infrastructure. The governance gap is the absence of continuous monitoring around systems that can expose secrets or support recovery. Practitioners should treat sustained invisibility as a primary risk indicator, not a secondary symptom.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when secrets are exposed through compromised infrastructure software?

A: Accountability usually spans infrastructure owners, identity teams, and incident responders because the risk crosses software patching, credential governance, and detection coverage. Frameworks such as NIST CSF and NIST SP 800-53 expect clear ownership for protection, monitoring, and remediation. If no team owns the exposed secrets, the incident will be repeated in another form.

👉 Read our full editorial: Dell RecoverPoint zero-day exploitation exposes long-dwell secrets risk



   
ReplyQuote
Share: