Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how…

Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how they exploit vulnerabilities in network devices, steal sensitive data, and encrypt critical systems.

Sekoia’s cybersecurity researchers have discovered a Linux variant of the new ransomware strain, Helldown, first **found** by Halcyon and deploys Windows ransomware derived from the LockBit 3.0 code. 

Helldown is a relatively new ransomware group that has been actively targeting organizations since August 2024, affecting over 30 firms in three months. This threat actor primarily exploits vulnerabilities in network devices, particularly **Zyxel firewalls**.

Once they gain access, they employ a double extortion strategy, encrypting critical data and threatening to leak sensitive information if a ransom is not paid. Researchers suspect that the group is expanding its attacks to target virtualized infrastructures via VMware, “given the recent development of ransomware targeting ESX.” 

Helldown’s Linux variant specifically targets VMware ESX servers. This variant was first spotted by cybersecurity researcher Alex Turing (**@TuringAlex**) on 31 October 2024. 

According to Sekoia’s blog post shared with Hackread.com, the ransomware’s code focuses on a sample of VMware ESX servers and is straightforward, lacking obfuscation and anti-debugging mechanisms. The main function executes a simple workflow, including configuration loading, file search, encryption, and ransom note creation.

The code also includes a function called kill\_vms, which lists and kills VMs sequentially. Terminating VMs before encryption grants ransomware write access to image files, but static and dynamic analysis shows this functionality is not invoked, indicating that the ransomware is still under development or not that advanced.

On its dark web data leak site, the group has disclosed a large amount of data, ranging from 22GB to 431GB, and averaging 70GB excluding outliers. The stolen files are mostly PDFs or scanned documents, likely obtained from servers like NAS systems or electronic document management portals. The large volume suggests the attacker targets data sources storing administrative files, which typically contain sensitive information.

Helldown ransomware’s ransom note and dark web leak site.

Researchers suspect a connection between Helldown vs. Hellcat and Darkrace/Donex groups, due to the timing of a company (Schneider Electric) compromise and social media activity by alleged Hellcat operators. However, no technical similarities have been found between these groups so far. 

> _“Two accounts on the X social media, @grepcn and @ReyBreached, claiming to be Hellcat operators, posted to distinguish themselves from Helldown, each displaying Hellcat’s DLS link in their profiles.”_
> 
> Sekoia’s Threat Detection & Research (TDR) team

For your information, @grepcn has been quite active on Breach Forums. They are also the hacker behind recent data breaches involving Dell (**1, 2, 3**) and **Twilio**.

It is also worth noting, though, that Helldown shares behavioural similarities with Darkrace, as both likely originated from leaked LockBit 3 code, and is suspected to be a rebrand of Darkrace.

Nevertheless, to protect against the Helldown attack, organizations should patch their network devices, particularly Zyxel firewalls, with the latest security updates. Adopting crucial security measures like network segmentation, access controls, and regular backups, and educating employees on cybersecurity best practices, including phishing awareness and secure password usage is essential to address evolving ransomware threats proactively.

**Jason Soroko**, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed on in the latest development stating that Helldown ransomware represents a sophisticated evolution of modern malware.

_“_Helldown is a prime example of how cybercriminals are piecing together all of the elements of modern malware to create a formidable threat. All of the elements of this malware variant have been seen before, but we are increasingly seeing malware that is strengthening on all fronts,_“_ Jason explained.

He added that security teams must design protection assuming adversaries will use advanced, well-crafted techniques, rather than relying on flaws or oversights by attackers to mitigate threats.

_“_From fileless execution to strong custom encryption, this malware variant teaches us that we can’t rely on our adversaries to make mistakes that give us an easy way to mitigate their attacks. Security architects who are building defensive systems against attacks such as this should assume that adversaries are bringing a sophisticated set of tools with few weak spots._“_

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Hackers Deploy Linux FASTCash Malware for ATM Cashouts**
3.  **Play Ransomware Variant Targeting Linux ESXi Environments**
4.  **AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine**
5.  **Linux Malware ‘Perfctl’ Hits Millions by Mimicking System Files**

Linux Variant of Helldown Ransomware Targets VMware ESX Servers

The essays are to focus on the impact that artificial intelligence will have on European policy.

Source: Deco via Alamy Stock Photo

The Munich Security Conference is partnering with the European Cyber Conflict Research Initiative's Binding Hook on the AI-Cybersecurity Essay Prize Competition to explore the intersection of cybersecurity and artificial intelligence (AI).

As cyber threats rapidly evolve, AI is at the forefront, shaping the next generation of cyber defenses and bringing new challenges and opportunities, said Max Smeets, co-director of the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator, in a statement. Researchers are invited to submit essays on how AI will change cybersecurity, its implications for Europe, and actionable recommendations for policymakers. Essays can reference previously published research, but the content should be reworked to provide new insights.

"Launching this competition is, for me, about opening the door to voices from a range of disciplines - encouraging contributions that speak to both the opportunities and risks AI presents for cybersecurity," Smeets said. "I also hope we will see not just analysis but ideas that policymakers can consider seriously; thoughtful pieces that get at the heart of what AI could mean for cybersecurity policy in Europe."

Essays will be reviewed by a board led by co-chairs Kersti Kaljulaid, former president of Estonia, and Shashank Joshi, defense editor at The Economist. Board members include Heather Adkins, vice president of security engineering and head of office of cybersecurity resilience at Google; Klaus Hommels, founder of Lakestar and chair of the board of directors at the NATO Innovation Fund; Mikko Hyppönen, a security and privacy expert; Maria Markstedter, founder of Azeria Labs; Eva Maydell, member of the European Parliament; and ECCRI's Smeets. Prizes will be awarded for the top five essays, starting at €10,000 (US$10,628) for the top prize and €5,000 (US$5314) for the runner-up. The winning author will also be invited to attend the 2025 Munich Security Conference.

Essays should be 800 to 1,200 words. The deadline for submissions is Jan. 2, 2025. 

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

New Essay Competition Explores AI's Role in Cybersecurity

Sophos CEO Joe Levy says the $859 million deal to acquire SecureWorks from majority owner Dell Technologies will put the Taegis platform — with network detection and response, vulnerability detection and response, and identity threat detection and response capabilities — at the core.

Source: DigitalStorm via iStock Photo

Sophos is doubling down on managed detection and response (MDR) services. Last week's agreement to acquire SecureWorks in an $859 million all-cash deal is set to close in early 2025 pending customary approvals, accelerating Sophos' push into MDR and extended detection and response (XDR) with SecureWorks' popular Taegis platform at the core, the company said.

SecureWorks has only 4,000 customers to Sophos' 600,000, but the company offers advanced XDR capabilities built on a cloud-native data lake architecture to larger enterprises and delivered by service providers. Building on its managed XDR capabilities, SecureWorks this year added network detection and response (NDR), vulnerability detection and response (VDR), and, most recently, identity threat detection and response (ITDR) to the Taegis platform.

Dell Technologies, which owns nearly 80% of SecureWorks' publicly traded shares, has been exploring ways over the years to divest its control of the security provider. Dell joins the small club of large companies that have quit the operations business this year: IBM abruptly announced the sale of its QRadar SaaS portfolio to Palo Alto Networks, and AT&T spun out its managed security business, now known as LevelBlue.

Meanwhile, Sophos was looking to add an advanced XDR and MDR platform that it could integrate with its own Sophos Central security operations center. The central management tool provides endpoint, server and email protection, and access to other security services, including firewall, cloud, and encryption, among other point offerings.

Sophos, which also added its vendor-agnostic MDR service to its portfolio in late 2022, quickly saw demand for it from its customers, says Enterprise Strategy Group principal analyst Dave Gruber.

"Scaling operations to serve an audience of this size is challenging, making this acquisition a smart move for Sophos, as SecureWorks has many of the best and brightest security professionals in the industry," Gruber says.  

**Building an XDR Platform on Taegis**

Sophos CEO Joe Levy says he can't reveal specific integration plans while the deal, set to close in the first quarter of 2025, undergoes regulatory clearance processes. But he doesn't dispute that bringing Taegis and Sophos Central together is what is driving this deal, which would mark the largest since the company was founded in 1985.  

"We're aiming toward this world where we bring together the best hits of the two operations," Levy tells Dark Reading. "We will figure out that combination of the technology stack — Taegis inside Sophos Central and the security operations center itself."

That will include delivering the MDR business and the VDR, managed risk, and ITDR, he adds.

"\[It's\] the service component that customers are relying on to help to keep them secure," Levy says.

Besides determining a unified approach to provisioning services from SecureWorks and Sophos offerings, a key challenge will be enabling collaboration among the security operation teams within its MDR business, customers, and partners — notably MSPs and MSSPs that deliver the two companies' respective offerings, Levy explains.

"We want to produce the best possible workflows while demonstrating empathy and understanding of what the security operators are doing every single day," he says. "These are the driving principles that are going to be guiding the way that we undertake this."

**SecureWorks Shift to XDR Platform**

SecureWorks began developing Taegis in 2017 and launched it in early 2021. Taegis is built with a data lake architecture designed to ingest and normalize data and an analytics engine built to identify, prioritize, and block threats.

SecureWorks CEO Wendy Thomas told investors during the company's Q2 2025 quarterly earnings call in September that she sees continued growth potential for Taegis.

"We've increasingly seen customers more than ready to move away from noisy, hard, and expensive-to-maintain SIEMs \[security information and event management\] to an XDR approach to detection and response," she said. "That trend is only accelerating."

Analysts and customers have given Taegis high marks.

"The Taegis platform from SecureWorks has great detection and response capabilities," says IDC analyst Craig Robinson.

While SecureWorks' and Sophos' respective MDR services offer many similar features, Robinson notes that Sophos' offering has a more vendor-independent model than Taegis.

"While there's overlap, Sophos has more individual products while Taegis is a platform," he says.

Independent consultant William Klusovsky says he believes that adding SecureWorks is poised to deepen Sophos' reach into larger enterprises and offer richer services to small and midsize organizations. But he warns that Sophos could "fumble" that potential if it doesn't adequately invest in the integration of the products.

"If they are too short-sighted and focus only on financials and returns, they could end up with two businesses that don't work together and lose the talent they need to create the right business," Klusovsky says. "They need to have a vision, stick to it, and believe in it."

**Transition to Managed Security Services**

Sophos is owned by private equity firm Thoma Bravo, whose portfolio is mostly product companies, while both SecureWorks and Sophos have been shifting to services, Klusovsky notes.

"The services industry is very different," he says. "The good news is the product road maps and integrations should be something they can create efficiency with and drive in a positive direction. The unknown is going to be in managing service delivery, sales, the channel, and go-to-market as these motions are very different for a managed services provider than a product company."

Levy says he first started driving the shift from a product-only cybersecurity business to a hybrid product and services business in 2018, before Sophos agreed to be acquired by Thoma Bravo.

"We now think of it more in terms of life cycles of engagement with our customers, rather than just selling them a product or selling them a service," Levy says. "We're working in collaboration with this ecosystem of cybersecurity players to maintain life cycle engagements with customers, so just pray that the next point solution they buy is actually going to provide better security."

Similarly, SecureWorks has undergone several significant changes, having shifted from operating as a managed security services provider to a platform supplier. Instead, SecureWorks tapped its ecosystem of channel partners to offer the Taegis platform with their own managed security services.

IDC forecasts that demand for managed security services will grow to $44 billion in 2024, up from $39.5 billion in 2023. Demand is estimated to grow to $49.2 billion next year, IDC's Robinson says. Driving the growth are shrinking budgets and a dearth of skilled security operations talent.

"Everyone's looking at and making sure that for every dollar spent, it's being spent in the right way," he says. "And managed security services is not only a better way, but it's also, more often, a better outcome."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Sophos-SecureWorks Deal Focuses on Building Advanced MDR, XDR Platform

LLMs tend to miss the forest for the trees, understanding specific instructions but not their broader context. Bad actors can take advantage of this myopia to get them to do malicious things, with a new prompt-injection technique.

Source: Igor Stevanovic via Alamy Stock Photo

A new prompt-injection technique could allow anyone to bypass the safety guardrails in OpenAI's most advanced language learning model (LLM).

GPT-4o, released May 13, is faster, more efficient, and more multifunctional than any of the previous models underpinning ChatGPT. It can process multiple different forms of input data in dozens of languages, then spit out a response in milliseconds. It can engage in real-time conversations, analyze live camera feeds, and maintain an understanding of context over extended conversations with users. When it comes to user-generated content management, however, GPT-4o is in some ways still archaic.

Marco Figueroa, generative AI (GenAI) bug-bounty programs manager at Mozilla, demonstrated in a new report how bad actors can leverage the power of GPT-4o while skipping over its guardrails. The key is to essentially distract the model by encoding malicious instructions in an unorthodox format, and spread them out in distinct steps.

**Tricking ChatGPT Into Writing Exploit Code**

To prevent malicious abuse, GPT-4o analyzes user inputs for any signs of bad language, instructions with ill intent, etc.

But at the end of the day, Figueroa says, "It's just word filters. That's what I've seen through experience, and we know exactly how to bypass these filters."

For example, he says, "We can modify how something's spelled out — break it up in certain ways — and the LLM interprets it." GPT-4o might not reject a malicious instruction if it's presented with a spelling or phrasing that doesn't accord with typical natural language.

Figuring out the exact right way to present information in order to dupe state-of-the-art AI, though, requires lots of creative brain power. It turns out that there's a much simpler method for bypassing GPT-4o's content filtering: encoding instructions in a format other than natural language.

To demonstrate, Figueroa arranged an experiment with the goal of getting ChatGPT to do something it otherwise shouldn't: write exploit code for a software vulnerability. He picked CVE-2024-41110, a bypass for authorization plug-ins in Docker that earned a "critical" 9.9 out of 10 rating in the Common Vulnerability Scoring System (CVSS) this summer.

To trick the model, he encoded his malicious input in hexadecimal format, and provided a set of instructions for decoding it. GPT-4o took that input — a long series of digits and letters A through F — and followed those instructions, ultimately decoding the message as an instruction to research CVE-2024-41110 and write a Python exploit for it. To make it less likely that the program would make a fuss over that instruction, he used some leet speak, asking for an "3xploit," instead of an "exploit."

Source: Mozilla

In a minute flat, ChatGPT generated a working exploit similar to, but not exactly like, another PoC already published to GitHub. Then, as a bonus, it attempted to execute the code against itself. "There wasn't any instruction that specifically said to execute it. I just wanted to print it out. I didn't even know why it went ahead and did that," Figueroa says.

**What's Missing in GPT-4o?**

It's not just that GPT-4o is getting distracted by decoding, according to Figueroa, but that it's in some sense missing the forest for the trees — a phenomenon that has been documented in other prompt-injection techniques lately.

"The language model is designed to follow instructions step-by-step, but lacks deep context awareness to evaluate the safety of each individual step in the broader context of its ultimate goal," he wrote in the report. The model analyzes each input — which, on its own, doesn't immediately read as harmful — but not what the inputs produce in sum. Rather than stop and think about how instruction one bears on instruction two, it just charges ahead.

"This compartmentalized execution of tasks allows attackers to exploit the model's efficiency at following instructions without deeper analysis of the overall outcome," according to Figueroa.

If this is the case, ChatGPT will not only need to improve how it handles encoded information but also develop a kind of broader context around instructions split into distinct steps.

To Figueroa, though, OpenAI appears to have been valuing innovation at the cost of security when developing its programs. "To me, they don't care. It just feels like that," he says. By contrast, he's had much more trouble trying the same jailbreaking tactics against models by Anthropic, another prominent AI company founded by former OpenAI employees. "Anthropic has the strongest security because they have built both a prompt firewall \[for analyzing inputs\] and response filter \[for analyzing outputs\], so this becomes 10 times more difficult," he explains.

Dark Reading is awaiting comment from OpenAI on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Mozilla: ChatGPT Can Be Manipulated Using Hex Code

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential…

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential data breach. The company is investigating the incident with cybersecurity experts.

Casio, the iconic Japanese electronics company, is in the spotlight again due to another cybersecurity breach. On October 5, 2024, **Casio** experienced a major cyberattack involving unauthorized access to its network, resulting in system-wide disruptions.

Although the company is still investigating whether attackers compromised sensitive data in the October 2024 incident, this comes on the heels of a significant data breach **in October 2023**, caused by human error. That breach affected users in 148 countries and targeted Casio’s ClassPad education platform, which is widely used by students and educators.

****The October 2024 Breach: What Happened?****

According to Casio’s **security advisory** published in Japanese, on October 5, 2024, an unidentified third-party actor gained unauthorized access to the company’s network triggering outages and temporarily disrupting several of the company’s services.

Casio has not yet revealed which specific services were impacted. The network breach is under investigation, and the company is working closely with cybersecurity experts to determine the full extent of the damage.

Casio released a statement acknowledging the breach and its potential impact, stating, “We deeply apologize for any concern and inconvenience this may cause to our customers and partners.” The company has restricted external access to its systems while the investigation is ongoing.

****Data Breach Concerns****

One of the concerns following the October 2024 cyberattack is whether any sensitive data, such as customer information or business-critical data, was compromised. As of now, no ransomware group has taken responsibility for the attack, despite the systemic disruptions that are typical in ransomware attacks.

Hackread.com is closely monitoring the situation, and this article will be updated as soon as Casio releases new information. Stay tuned for further developments!

1.  **Casio China Hacked, 150,000 user accounts leaked**
2.  **Casio Electronics Taiwan Website Hacked by SaMuRai Hacker**
3.  **Dell Discloses Data Breach As Hacker Sells 49M Customer Data**
4.  **Lesson from Casio’s Data Breach: Database Security Challenges**
5.  **Acer Data Breach: Hacker Claims to Sell 160GB Trove of Stolen Data**

Casio Hit by Major Cyberattack AGAIN

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.

Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -

*   **CVE-2024-43572** (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
*   **CVE-2024-43573** (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
*   **CVE-2024-43583** (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
*   **CVE-2024-20659** (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
*   **CVE-2024-6197** (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)

It's worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.

Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.

"Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.

Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.

"An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database," it said.

Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).

"Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset," Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.

"One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly."

**Software Patches from Other Vendors**

Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Apache Avro
*   Apple
*   AutomationDirect
*   Bosch
*   Broadcom (including VMware)
*   Cisco (including Splunk)
*   Citrix
*   CODESYS
*   Dell
*   Draytek
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Okta
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Salesforce Tableau
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   Veritas
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive…

Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response.

Dell has allegedly been hit with yet another data leak, marking the third such incident in a week. The threat actor, who goes by the alias “grep,” has claimed responsibility for the latest breach and continues to target the tech giant.

This time, the hacker has leaked approximately 500 MB of sensitive data, including internal documents, PDFs, images, internal device testing videos, and Multi-Factor Authentication (MFA) data, which if confirmed by Dell could further escalate concerns over the company’s data security.

According to information obtained by Hackread.com, the hacker shared details of the data leak, stating that Dell suffered a third breach that exposed internal files. The hacker revealed, “I knew Dell would fix their failure without confirming or denying my claims, for the same reason I had exfiltrated more data when I breached the internal employees, which was not leaked and waited for this exact moment.”

The leaked data includes access vectors and references to Chinese infrastructure, which, if not at a large scale, could still have some impact on the company’s operations.

The hacker on the breach forum boosted about the data leak and the leaked data was analysed by Hackread.com (Screenshot: Hackread.com)

**Leaked Data Includes Internal Tickets and Infrastructure Documents**

Among the leaked data is a CVS file titled “Ticket Summary – FY23,” which includes details of Dell’s internal ticketing system. Some of the entries shared in the leak include:

*   Incident reports on Agile access, VPN issues, proxy requirements for testing, and application migrations.
*   Ticket summaries that highlight VPN enhancements, DevOps software access requests, and network setups.

Additionally, the hacker shared a range of files and folders containing critical infrastructure information, such as:

*   “China Infra Compute.pdf”
*   “Global Project FY23.pdf” and “Global Project FY25.pdf”
*   “MFA Authentication – Cisco DUO.pdf”
*   Various project summaries and security-related documents.

The documents released by “grep” provide a snapshot of Dell’s internal operations and project infrastructure, revealing sensitive information that could pose security risks if exploited. Therefore, for security reasons; we are withholding specific details of the leaked files.

> 🚨Data Breach Update: Threat Actor Claims Third Breach of DELL
> 
> "Greg" is now claiming that DELL suffered a third data breach, this time compromising data such as "PDFs, images, videos, models, MFA data, along with their access vectors, including Chinese infrastructure."
> 
> In the… https://t.co/lTaOeC0IAL pic.twitter.com/8w3Fh9flo8
> 
> — HackManac (@H4ckManac) September 25, 2024

**Pattern of Breaches: A Coordinated Attack or Piecemeal Leaks?**

This third leak follows two previous data breaches conducted by the same hacker within a short time frame. **On September 19, 2024**, “grep” leaked data belonging to over 12,000 Dell employees, sparking an internal investigation. Just days later, **on September 22**, more sensitive internal files were released, allegedly compromised through Dell’s use of Atlassian tools.

In today’s data leak, the hacker clarified that all the data was stolen during a single breach, but he is strategically leaking it in parts. This statement eliminates speculation that Dell is facing repeated attacks, confirming instead that the data is being gradually released from one initial breach.

It is worth noting that Dell has yet to confirm the extent of the damage or whether the hacker gained access through a third-party vendor, as seen in other recent incidents. The hacker’s method aligns with his earlier attack, where he **leaked 12,000 Twilio records** from a compromised customer. Twilio confirmed to Hackread.com that it was a third-party breach, which resulted in the leak of only one Twilio customer’s data.

**Dell’s Response and Next Steps**

So far, Dell has not released a formal statement regarding today’s data leak. With three data leaks in just one week, concerns about Dell’s cybersecurity are growing. Hackread.com has reached out to Dell for comment, and this article will be updated as more information becomes available. Stay tuned!

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks

Another day, another claim of Dell data breach!

Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident.

On September 19, 2024, _Hackread.com_ **published an exclusive report** detailing claims of a Dell data breach involving sensitive information related to 10,863 Dell employees. The same hacker behind the original breach is now claiming that Dell has been “breached again,” suggesting a larger ongoing issue.

The hacker, who operates under the alias “grep” on the infamous cybercrime platform Breach Forums, posted these claims on Sunday, September 22, 2024. In this post, “grep” revealed that Dell has suffered another significant breach, this time with the help of a fellow hacker known as “Chucky.” Together, they allegedly compromised Dell’s internal systems, exposing confidential data.

According to “grep,” the breach contains data related to Jira files, database tables, and schema migrations, amounting to a total of 3.5 GB of uncompressed data. The hackers claim to have gained access by compromising Dell’s Atlassian software suite, including Jenkins and Confluence, widely used tools for software development and collaboration.

Here’s the exact message shared by the hacker on the forum:

_Compromised data: Jira’s files, DB tables, schema migration, etc., totalling_ 3.5GB uncompressed. This time, it was breached by Chucky. Before Dell makes any claims, we both compromised your Atlassian and accessed Jenkins, Confluence, etc.  
GDPR said time is ticking, by the way, _xD._

The hacker on Breach Forum announcing his leak (Screenshot credit: Hackread.com)

In response to the first alleged breach, Dell told _Hackread.com_ that it was aware of the situation and had launched an investigation. However, as of now, the company has not addressed the latest breach claims.

The _Hackread.com_ research team has analyzed some of the files and determined that they likely contain sensitive information about Dell’s internal infrastructure. This includes system configurations, user credentials, security vulnerabilities, and development processes. If confirmed, this information could potentially be leveraged to target Dell’s systems on a much larger scale.

Further review of the leaked files suggests that they belong to a variety of enterprise tools and environments used by Dell, including Jira, database tables, schemas, and Atlassian tools such as Jenkins and Confluence. For security reasons, we are withholding specific details of the compromised files.

Screenshot from the leaked data Screenshot credit: Hackread.com)

_Hackread.com_ has reached out to Dell for a comment and will update this article as the story develops.

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Hackers Claim Second Dell Data Breach in One Week

A hacker claims Dell suffered a “minor” breach, exposing over 10,000 employee records. The incident raises cybersecurity concerns…

A hacker claims Dell suffered a “minor” breach, exposing over 10,000 employee records. The incident raises cybersecurity concerns amid ongoing threats targeting businesses by tricking employees into phishing and phone call scams.

A hacker using the alias “grep” claims that the technology giant Dell has experienced a “minor” data breach, resulting in the theft of over ten thousand (10,863) employee records.

This information was revealed by the hacker on the notorious hacker and cybercrime platform Breach Forums, where the allegedly stolen data was leaked earlier today, September 19, 2024. The hacker also claims that the breach occurred earlier this month.

The hacker on Breach Forums (Screenshot: Hackread.com)

The Hackread.com research team managed to analyze the data, which revealed the leak contained the following information:

*   **Full names**
*   **Employee** **ID**: A unique identifier for the employee.
*   **Employee Active Status**: Indicates whether the employee is currently active
*   **Employee DNO**: This may represent a department number or another internal identifier.
*   **Internal Employee ID**: A unique internal identifier that seems to be a hashed or encoded value.

There are only two email addresses associated with the @Dell.com domain. However, the good news is that there are no plain text passwords or other personally identifiable information (PII) included.

Screenshot from the leaked data (Credit: Hackread.com)

The bad news is that the leaked information still presents a major cybersecurity threat to Dell. Here’s how:

Recently, cybercriminals and state-backed hackers have been targeting businesses and organizations **through their employees**. A notable attack was uncovered by cybersecurity firm GuidePoint, which affected over 130 U.S. organizations across various industries. **The campaign** employed social engineering tactics, with threat actors posing as IT support staff to call employees and trick them into revealing their VPN credentials.

Dell’s alleged “minor” breach could provide threat actors with additional details about the company’s employees, making them more susceptible to phishing attempts or phone scams, as mentioned above.

****Wouldn’t be the first time for Dell****

This is not the first time Dell has made headlines for cybersecurity-related issues. In May 2024, the Round Rock, Texas-based company **disclosed a data breach** after another hacker on a breach forum attempted to sell 49 million alleged customer records.

Although the company did not disclose the exact number of affected customers at that time, the compromised data included full names, physical addresses, Dell hardware and order information, including service tags, item descriptions, order dates, and related warranty information.

Hackread.com has reached out to Dell, and this article will be updated accordingly if the company responds. Stay tuned!

1.  **Hacker Leaks Data of 33,000 Accenture Employees**
2.  **Acer Online Store Hacked; 34,000 Customers’ Data Stolen**
3.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Data**
4.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
5.  **Nissan Confirms Data Breach Affected 100K Customers, Employees**

Hacker Claims “Minor” Data Breach at DELL; Leaks Over 10,000 Employee Details

PRESS RELEASE

REDWOOD CITY, Calif., Sept. 11, 2024 /PRNewswire/ -- According to a recently published report from Dell'Oro Group, the trusted source for market information about the telecommunications, security, networks, and data center industries, the Network Security market showed signs of recovery in 2Q 2024, growing 6 percent year-over-year (Y/Y) to reach $5.9 billion and breaking a streak of six consecutive quarters of deceleration. This growth was primarily driven by solid demand for cloud-native security solutions and virtual firewalls, which saw a 17 percent increase. In contrast, hardware-based solutions experienced their fourth consecutive quarter of decline, dropping 2 percent.

"The Network Security market's performance in 2Q 2024 reaffirms the enduring shift towards cloud-centric architectures," said Mauricio Sanchez, Sr. Director, Enterprise Security and Networking at Dell'Oro Group. "The firewall segment serves as a microcosm of this transformation. While overall firewall revenue grew modestly at 2 percent, virtual firewalls surged by 22 percent as physical firewall sales struggled. This stark contrast in growth rates within a single product category underscores how enterprises consistently favor flexible, cloud-native security solutions to address their evolving needs."

Additional highlights from the 2Q 2024 Network Security Quarterly Report:

*   The Infrastructure Security market, comprising firewalls, Security Service Edge (SSE), and traditional Secure Web Gateway (SWG) appliances, achieved nearly $5 billion, marking a mid-single-digit growth.
    
*   The Application Security and Delivery market, including Application Delivery Controllers (ADC) and Web Application Firewall (WAF) segments, experienced high single-digit growth, reaching $1.2 billion, primarily driven by robust WAF sales that offset the weakness of ADCs.
    
*   SSE revenue increased to nearly $1.5 billion, with the top three vendors – Zscaler, Palo Alto Networks, and Broadcom – controlling almost 60 percent of the market.
    
*   WAF revenue rose 18 percent, driven by a 25 percent growth in SaaS-based WAF solutions.
    
*   High-end physical firewalls showed signs of stabilization with a slight 1 percent revenue growth, potentially indicating a turning point after several quarters of decline.
    

About the Report  
The Dell'Oro Group Network Security Report includes manufacturers' revenue covering the ADC, Firewall, SSE, traditional SWG appliances, and WAF product segments. Moreover, SSEs are further broken down across four primary functions: CASB, FWaaS, SWG, and ZTNA. The report also splits many segments by form factor: physical, virtual, and SaaS. To purchase this report, please contact us at \[email protected\].

About Dell'Oro Group  
Dell'Oro Group is a market research firm that specializes in strategic competitive analysis in the telecommunications, security, enterprise networks, and data center markets. Our firm provides in-depth quantitative data and qualitative analysis to facilitate critical, fact-based business decisions. For more information, contact Dell'Oro Group at +1.650.622.9400 or visit https://www.delloro.com.

You May Also Like

Tag

#dell