
Low Level · 142.5K views · 5.7K likes

Analysis Summary

30% · Low Influence

“Be aware that the host uses a personal example of 'overwhelming' vulnerabilities in his own site to make the sponsor's filtering service feel like a necessary relief rather than just a tool.”

Ask yourself: “Did I notice what this video wanted from me, and did I decide freely to say yes?”

Transparency: Mostly Transparent
Primary technique

Remedy-positioning

This technique was detected by AI but doesn't yet map to our curated glossary. We're tracking its usage patterns.

Human Detected: 98%

Signals

The content exhibits clear hallmarks of a human subject matter expert, including spontaneous verbal fillers, informal phrasing, and a non-linear narrative style that deviates from synthetic patterns. The metadata and transcript suggest a personality-driven educational channel rather than an automated content farm.

Natural Speech Patterns: Transcript contains filler words ('uh', 'I guess'), colloquialisms ('bada bing, bada boom', 'you're going to have a bad time'), and self-corrections.
Personal Branding and Context: The creator references their own courses (Low Level Academy) and specific hardware preferences (Q5 keyboard) in a way that aligns with long-term channel identity.
Technical Improvisation: The explanation of symmetric vs asymmetric cryptography flows like a live lecture with conversational transitions rather than a rigid, AI-optimized script.

Worth Noting

Positive elements

  • The video provides a clear, accessible breakdown of symmetric vs. asymmetric cryptography and how hard-coded keys undermine system security.

Be Aware

Cautionary elements

  • The transition from a real-world nation-state threat to a sponsored product pitch uses the 'noise' of security alerts to make the product feel like an essential filter for the viewer's own projects.

Influence Dimensions
About this analysis

Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.

This analysis is a tool for your own thinking — what you do with it is up to you.

Analyzed March 13, 2026 at 16:07 UTC · Model: google/gemini-3-flash-preview-20251217
Transcript

One of the biggest cardinal sins is using hard-coded credentials inside of your software. And in today's video, we're talking about a piece of software that did unfortunately just that. Now, normally when I make these videos, I try not to harp too hard on like specific CVEs, unless they're being actively exploited or like they're a big trending news story. And in this example, literally Chinese threat actor Silk Typhoon is using the CVE from Dell RecoverPoint virtual machines to move laterally inside of networks of large IT providers. So, what's going on here, guys? Well, we have this little piece of software that's called Dell RecoverPoint, which basically is like your way to administer VM clusters, right? It's very traditional, like VMware plugins for the vCenter ecosystem, and you could use that to manage your VMs. Okay? Well, the problem is with any administrative software that lives in a network, if there's a way to escalate your privileges to a higher level, people who are in that network can use that to do malicious stuff. And this is especially true for places like virtual machine networks where the assumption from a design perspective is that the virtual machines are lower privilege. But if you accidentally give away the network with a vulnerability in a virtual machine management tool, you're going to have a bad time. So let's go over what's going on here. Google Threat Intelligence discovered that actor UNC6201, which is another way for them to say Silk Typhoon, which is a Chinese threat actor, uh, has been moving around laterally in networks that they track using this CVE here, CVE-2026-22769.
What this is, guys, what this literally is, it is a "vulnerability", vulnerability in quotes, in the Dell RecoverPoint management software where basically there is a hard-coded admin password inside of this file here that people in the network can use to deploy a malicious WAR file, which I guess is like a web page update file, to the server, and then it just runs their code as root. And they use that to deploy a backdoor called Grimble, which is a UPX-packed C backdoor that allows them to run code in Tomcat, which is an Apache, uh, runtime for Java code. So, we're talking about vulnerabilities that are basically from the 2008 era, right? Hard-coded credentials. I want to talk a little bit about like the world of cryptography. And maybe if you're a security engineer, this will bode well for you, right? There are two schemes for cryptography that are good, right? There is symmetric cryptography and there is asymmetric cryptography. Okay? Symmetric cryptography is the world where you and another host have a shared pre-shared key, a PSK. And that PSK is the same between both actors. So if actor A and actor B want to talk, all they have to do is encrypt, via the agreed-upon algorithm, their message with a secret key. They exchange it, decrypt it, and bada bing, bada boom, it's good. And some symmetric algorithms like AES-GCM do both confidentiality as well as authentication in the protocol. However, this is different from asymmetric encryption where you do not have a pre-shared key. So instead, you have two different key sets. You have the private and public key of actor A, the private and public key of actor B. And to establish a channel using a secret key, you have to first exchange the public key and encrypt a secret key, and then you use that secret key between each other. And obviously there's a whole issue of authentication here and making sure this exchange is between the right actors. There could be a man in the middle, that is, a man in the middle in the exchange.
But in either scenario, you do a key exchange and you create a secret key. In both scenarios here, guys, the thing that has to be a given is that the secret key cannot be disclosed to a third party, an evil actor, Charlie for example, right in the network. This is why for symmetric encryption, if it's secret keys living in the firmware, if it's secret keys that are exposed on your web app, for example, they are bad, because the actor can use that secret key to just do whatever they want with it. There is no way to protect it once it's been exposed, either outside of the asymmetric channel or in the symmetric channel. Now, really quick, one of the things I find the most annoying about doing software security review is the amount of red flags and alarms we get that ultimately may not mean anything. And that's why today's video is sponsored by Endor Labs. Endor Labs is an application security platform that allows you and your team to cut through the noise and fix actual problems in your codebase across a software development life cycle. Whether you're using open source packages, AI models, or AI services, Endor's software composition analysis can tell you not only what vulnerabilities are in the packages that you have, but also if they're reachable and if they matter. I actually plugged Low Level Academy into Endor Labs. And you can see here on the left, the total open vulnerabilities in all the packages I use on the front end and the back end are up to 258. That would be a huge amount of remediation to fix. But because they did an analysis on the composition of my software, they found that only 10 of them are exploitable. Now, not great. Obviously, shouldn't be 10, should be zero, but still better than 258. Let me be very clear. These are not SQL injection issues in my code. Those are SQL injection issues in Django. Whether or not you like AI, you can click on their AI chatbot and get a one-liner remediation fix for this bug. It'll tell you instantly how to fix it.
For me, it's just, hey man, update your Django. Not that complicated. Guys, best way to help the channel out is to go interact with the sponsors. Go give Endor Labs a shot at the link below. Endor Labs, thank you for sponsoring the video. Back to the video. What we're dealing with is basically this, guys. Okay, we have a program here. It's going to be called Dell. I'm going to run it and we're going to say, "What is the password, please?" Okay. Well, the problem is I don't know the password. I'm going to test "password" and we're going to see. Oh, come on, man. That's the wrong password. Well, we have access to the Dell binary because we have bought the product. We've downloaded the product. So, what I'm going to do is literally just run strings on the binary, pump it into less, and we'll see pretty quickly "super secret password here". I'm guessing that's going to be the password. So, we're going to run Dell with that password and we are entering super secret mode. This is an example, by the way. This is not the real Dell deployment. As an example, because the deployment that I have locally of Dell is the same as somebody else has somewhere else, this password works again. Symmetric encryption, symmetric cryptography is not a bad thing if the symmetry is different between deployments. If you and you and you and you all have different symmetric key deployments, it's fine, assuming the symmetric key does not go to any other actors. But because they used the same key everywhere, people in vCenter region A can hack into vCenter region B. And that's exactly what the Chinese threat actor did. No bueno. Now, people may be saying, "Oh my god, this is a back door by Dell." Okay, the word back door has a lot of different meanings. It literally is a back door by Dell, but it's not in like a malicious way, right? What's happening here is they probably left in an admin user for people to be able to log into the server, be able to manage the deployment.
The problem is, because they left an admin user in one deployment where the keys are all the same, now that key can be used anywhere by anybody. So, two solutions here. Either they roll a new symmetric key on every deployment, and the problem there is the key is written in plain text, so compromising the server in one location compromises that key. Or they use PKI, right, private key infrastructure, which is literally what you do for, like, SSH, for example, right? You have some kind of public key that you put in the SSH server and then you use the private RSA key to authenticate the key exchange and then use that to ensure that you are who you say you are, right? So either through some amount of symmetric rolling or asymmetric PKI is a way to make this better. That being said, the current state of it is not very good. It is kind of cool, though, with these intrusions to see like the methodologies of the threat actors kind of play out, right? So Silk Typhoon is this one actor that's very well known for hitting VPN concentrators, right? So if you think of any corporate network, right? What you're seeing here is primary site A, secondary site B. Ultimately, there has to be some connection for data in site A to traverse and talk to secondary site B. What that is, a lot of the times, is a VPN concentrator at the edge of this network. Literally, you have a VPN tunnel, but traffic has to hit A to go to B or B to go to A. And so ultimately there is code exposed at these exits, right? And Silk Typhoon is notorious for finding vulnerabilities in applications like Ivanti Pulse Connect VPN, Palo Alto firewalls or Citrix NetScaler that allow them to get into these networks, and then they take vulnerabilities in software like RecoverPoint or otherwise, for these kind of like larger VM management softwares, and use them to covertly live inside the networks for a long time. But what's interesting is you kind of get a peek at exactly how they do it.
So they have these back doors that are obfuscated, written in C. Ew. But also the way they kind of hide their network traffic, right? They're aware that certain NICs inside of the VMware deployment are being watched very closely. So they'll create kind of like these sub-NICs, or like these special secret NICs that like the logging software can't see, and then install on those NICs iptables rules so that certain packets in a certain format with certain rules are able to quietly get in, but the rest get denied. So the network monitoring software can't see it. So if you're watching this video and you are a person that uses Dell RecoverPoint, I want to highlight that, uh, Google's threat intelligence team did put out some signatures for ways that you can find these actors, right? So basically if you see a Linux ELF with these strings inside of it, or you see files that match these patterns, right? So it's like, you know, either an ELF or otherwise that have these strings inside of it, or you see these strings inside of another file, like, you can use these to detect where those back doors live and then ultimately update your Dell RecoverPoint, because if you haven't, it might be vulnerable to the CVE. So really interesting stuff, guys. Kind of a world view into, you know, the world of malicious actors, kind of how they get in, how they hack, and how they ultimately hide. And would Rust have fixed this? Would Rust... No, this is a hard-coded credential, guys. You can literally do the same exact process of like having a hard-coded password in any binary. Um, I'm actually working right now on another Temu video where I'm looking at an IP camera I got from Temu. I got two for 20 bucks. It's a great deal. Uh, but they, similar to this, this may just be an ASCII string. They are also using hard-coded AES keys to create a secure channel through their cloud environment, which is super sketchy.
And you can see that when it comes out by clicking over here, or in the meantime, whatever video you do see, because I think YouTube thinks you'll like that one as well. See you there. Goodbye.
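The three technical points the transcript walks through (the strings-on-the-binary demo, the per-deployment credential remedy, and sweeping ELF files for indicator strings) as one added worked example in Python. This is not code from the video, from Dell, or from Google's report: the "binary" bytes, the password literal, the salted-hash config line and the indicator strings are all constructed stand-ins, and Google's actual signatures and the real RecoverPoint binary are not reproduced here.

```python
# Added example (not from the video, Dell, or Google): why a password compiled
# into every copy of a product is recoverable with strings(1) and reusable on
# every other deployment, versus a credential minted per install and stored
# only as a salted hash. Everything below is constructed for the demo.
from __future__ import annotations

import hashlib
import hmac
import os
import re
import secrets

# A minimal strings(1): runs of at least `min_len` printable ASCII bytes.
def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

# Non-printable filler standing in for machine code. 0x90 and 0xcc are above
# 0x7e, so the filler never merges into the printable run next to it.
_FILLER = b"\x00\x01\x90\xcc" * 12

HARDCODED_PASSWORD = "super-secret-password-here"  # constructed stand-in

def build_vulnerable_binary() -> bytes:
    """Stand-in for a shipped executable with the admin password as a C literal."""
    return b"\x7fELF" + _FILLER + HARDCODED_PASSWORD.encode() + b"\x00" + _FILLER

def vulnerable_login(attempt: str) -> bool:
    """Identical on every deployment, so one leak opens all of them."""
    return hmac.compare_digest(attempt.encode(), HARDCODED_PASSWORD.encode())

def recover_password_with_strings(binary: bytes) -> str | None:
    """What a buyer of the product does: strings binary | grep -i password."""
    hits = [s for s in extract_strings(binary) if "password" in s.lower()]
    return hits[0] if hits else None

class Deployment:
    """One installed instance. Install mints its own random admin password and
    persists only a salted PBKDF2 hash, so neither the binary nor the config
    carries anything that logs in on a different install."""
    ITERATIONS = 100_000  # kept low for the demo; follow current guidance in production

    def __init__(self, name: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.initial_password = secrets.token_urlsafe(24)  # shown once at install time
        self.stored_hash = self._derive(self.initial_password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def login(self, attempt: str) -> bool:
        return hmac.compare_digest(self._derive(attempt), self.stored_hash)

    def on_disk(self) -> bytes:
        """The only credential material that lands on disk (constructed format)."""
        return b"admin:" + self.salt.hex().encode() + b":" + self.stored_hash.hex().encode() + b"\n"

# Detection side: placeholder indicator strings, NOT the published signatures.
CONSTRUCTED_INDICATORS = ["example-c2-marker", "/var/tmp/.example-sock"]

def build_sample_implant() -> bytes:
    """Constructed ELF-shaped blob carrying one of the placeholder indicators."""
    return b"\x7fELF" + _FILLER + b"/var/tmp/.example-sock\x00" + _FILLER

def elf_matches_indicators(blob: bytes, indicators: list[str]) -> list[str]:
    """Which indicator strings occur inside an ELF; non-ELF input yields []."""
    if not blob.startswith(b"\x7fELF"):
        return []
    found = extract_strings(blob)
    return [ind for ind in indicators if any(ind in s for s in found)]

def demo() -> dict[str, bool]:
    site_a, site_b = build_vulnerable_binary(), build_vulnerable_binary()  # same bits everywhere
    leaked = recover_password_with_strings(site_a)
    hard_a, hard_b = Deployment("site-A"), Deployment("site-B")
    return {
        "strings_recovers_hardcoded": leaked == HARDCODED_PASSWORD,
        "leak_from_a_opens_b": site_a == site_b and leaked is not None and vulnerable_login(leaked),
        "a_password_opens_a": hard_a.login(hard_a.initial_password),
        "a_password_opens_b": hard_b.login(hard_a.initial_password),
        "hardened_config_leaks_password": any(
            hard_b.initial_password in s for s in extract_strings(hard_b.on_disk())),
        "indicator_sweep_flags_implant": elf_matches_indicators(
            build_sample_implant(), CONSTRUCTED_INDICATORS) == ["/var/tmp/.example-sock"],
    }

if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Running it prints the six checks: the strings-style extraction recovers the compiled-in literal and that literal opens every copy of the vulnerable binary, while site A's per-install password fails on site B and B's config line yields only a salt and a hash. The hash-at-rest pattern covers the login-password case the video demos; a symmetric key that must actually encrypt traffic still has to exist in plaintext on the host, which is the gap the video points to PKI for.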

Video description

Maximize the velocity of your software security lifecycle with Endor at https://go.lowlevel.tv/endor
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
🏫 MY COURSES Sign-up for my FREE 3-Day C Course: https://lowlevel.academy
🧙‍♂️ HACK YOUR CAREER Wanna learn to hack? Join my new CTF platform: https://stacksmash.io
⌨️ KEYBOARD Like what you hear? Grab a Q5 at https://go.lowlevel.tv/keyboard
🔥 COME HANG OUT Check out my other stuff: https://lowlevel.tv

© 2026 GrayBeam Technology Privacy v0.1.0 · ac93850 · 2026-04-03 22:43 UTC