Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware & More
"Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar. Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner."
"The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Per Google, the hard-coded credential relates to an "admin" user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT."
Security incidents are occurring across devices, cloud services, research labs, and consumer apps as protective and update tools increasingly become attack pathways. A critical zero-day (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines leverages hard-coded Tomcat credentials to allow attackers to upload a web shell (SLAYSTYLE) and gain root, enabling deployment of BRICKSTORM and GRIMBOLT backdoors. Activity attributed to a suspected China-nexus cluster UNC6201 has been observed since mid-2024 against affected RecoverPoint versions prior to 6.0.3.1 HF1. Separate criminal charges allege that former Google engineers and family members conspired to steal corporate trade secrets and transfer them to unauthorized locations, including Iran.
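The recap describes the intrusion path as an authenticated deploy through the Tomcat Manager's `/manager/text/deploy` endpoint followed by requests to the newly installed application. A defender reviewing a RecoverPoint (or any Tomcat) appliance would want that sequence visible in the access log. The following is an added example, not code from The Hacker News, Dell or Google: it parses constructed Tomcat access log lines in common log format, flags successful requests to the Manager deploy endpoints, extracts the deployed context path from the query string, and then lists later requests into that context. The `/manager/html/upload` path is the Manager web interface's form-based WAR upload and is included as a generalisation beyond the one endpoint the recap names; the log lines, IPs and context name are constructed sample data.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access log lines (common log format); not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - admin [12/Feb/2026:10:02:15 +0000] "PUT /manager/text/deploy?path=/updater HTTP/1.1" 200 87
10.0.0.9 - admin [12/Feb/2026:10:02:40 +0000] "GET /updater/index.jsp HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2026:10:03:00 +0000] "GET /manager/html HTTP/1.1" 401 0
"""

# Common log format: client, ident, authenticated user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that install an application. /manager/text/deploy is the one
# named in the recap; /manager/html/upload is the HTML manager's WAR upload form
# (assumption: added here to cover the Manager app's full deploy surface).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_deploys(log_text: str) -> List[Dict[str, str]]:
    """Return successful (2xx) requests to Manager deploy endpoints.

    Each record gains a 'context' key holding the deployed context path taken
    from the 'path=' query parameter ('' if the request did not name one).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        if parts.path in DEPLOY_PATHS and rec["status"].startswith("2"):
            rec["context"] = parse_qs(parts.query).get("path", [""])[0]
            hits.append(rec)
    return hits


def find_followups(log_text: str) -> List[Dict[str, str]]:
    """Return requests that land inside a context installed via the Manager.

    A deploy followed by traffic into the new context is the pattern worth
    reviewing; the deploy request itself is excluded from the result.
    """
    contexts = [d["context"] for d in find_deploys(log_text) if d["context"]]
    followups = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        req_path = urlsplit(rec["path"]).path
        for ctx in contexts:
            if req_path == ctx or req_path.startswith(ctx.rstrip("/") + "/"):
                followups.append(rec)
                break
    return followups


if __name__ == "__main__":
    for d in find_deploys(SAMPLE_LOG):
        print(f"deploy  {d['ts']} {d['ip']} user={d['user']} context={d['context']}")
    for f in find_followups(SAMPLE_LOG):
        print(f"access  {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

On the sample data this reports one deploy of `/updater` by the `admin` user from 10.0.0.9 and one subsequent request into that context; the failed `/manager/html` request is not flagged because only 2xx responses to deploy endpoints count. In practice the same check should be run against the full log retention window, since the recap notes the activity dates back to mid-2024.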
Read at The Hacker News