ESET Partner Breached to Send Data Wipers to Israeli Orgs

Summary:
Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign beginning on October 8th was observed, in which emails branded with ESET’s logo were sent from eset[.]co[.]il, a legitimate domain operated by ESET’s Israel distributor, Comsecure. While ESET did not disclose many details, Bleeping Computer shared a sample email observed as part of this campaign. The email pretends to come from “ESET's Advanced Threat Defense Team,” warning customers that government-backed attackers are trying to target the recipient's device. To “help” the recipient protect their device, the email offers an advanced antivirus tool called “ESET Unleashed,” which in this case can be accessed using a “personal download link” provided in the email body. Interestingly, the link leads to a Zip archive hosted on the eset[.]co[.]il domain, adding a sense of legitimacy. Inside this archive are four DLL files digitally signed with ESET’s legitimate code signing certificate, as well as a Setup[.]exe executable, which in this case is a data wiper. Bleeping Computer, which ran this wiper on a machine, noted that the executable crashed automatically. However, security researcher Kevin Beaumont had better success running it on a physical PC, stating that the executable reaches out to a legitimate Israeli news site for some unknown reason. The executable employs various techniques to evade detection and uses a Mutex from the Yanluowang extortion/ransomware group, highlighting a potential affiliation or connection.

Security Officer Comments:
Given that the emails were sent from the legitimate eset[.]co[.]il domain, Bleeping Computer suspects that the Israel division's email server was likely breached as part of the attack. With the emails originating from the legitimate mail servers, they were able to pass SPF, DKIM, and DMARC authentication checks, which verify the sending domain, not the safety of the message content.
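As an added illustration of the point above (this is example code written for this page, not tooling from ESET, Comsecure, Bleeping Computer or Beaumont), the following Python triage helper parses a constructed email whose SPF, DKIM and DMARC results all pass and flags it anyway, because the body links to an archive hosted on the sender's own domain. Every domain, address and line of the message is a placeholder constructed for the example, not an indicator from the incident.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (placeholder domains, not the real campaign email).
# It models the property described above: all three authentication checks pass
# because the mail really left the partner's server, and the lure is a zip
# archive hosted on that same domain.
SAMPLE_EML = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=distributor.example;
 dkim=pass header.d=distributor.example; dmarc=pass header.from=distributor.example
From: Advanced Threat Defense Team <alerts@distributor.example>
To: soc@victim.example
Subject: Government-backed attackers are targeting your device
Content-Type: text/plain; charset="utf-8"

Your device is at risk. Install the protection package from your personal link:
https://distributor.example/downloads/protection-package.zip
Questions? See https://distributor.example/support
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# File types that a mail gateway should treat as a download of executable content.
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".exe", ".msi", ".scr")


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc outcomes from every Authentication-Results header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, outcome in AUTH_RE.findall(str(value)):
            results[method.lower()] = outcome.lower()
    return results


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def extract_urls(msg):
    """Pull http(s) URLs out of the preferred text body, trimming trailing punctuation."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def triage(raw):
    """Return authentication results plus findings about download links.

    Authentication passing is recorded but never used to clear the message:
    a link to an archive or executable escalates the mail regardless, and a
    link on the sender's own domain is noted rather than trusted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    domain = sender_domain(msg)
    findings = []
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not parsed.path.lower().endswith(RISKY_SUFFIXES):
            continue
        findings.append({
            "url": url,
            "reason": "link to archive or executable",
            "hosted_on_sender_domain": host == domain or host.endswith("." + domain),
        })
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    verdict = "escalate" if findings else ("allow" if all_pass else "review")
    return {
        "sender_domain": domain,
        "auth": auth,
        "authenticated_sender": all_pass,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `authenticated_sender` is reported but deliberately does not feed into the verdict: SPF, DKIM and DMARC only establish that the message came from where it claims, which is exactly what a compromised partner mail server provides. The content-based check (a download link to an archive, regardless of domain) is what would have caught this lure.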

At the time of writing, it is unclear how many companies were targeted in this campaign. Beaumont notes that most of the emails have targeted cybersecurity personnel within organizations across Israel.

This is not the first time Israel has been the target of data wiper attacks. In 2017, an anti-Israel and pro-Palestinian data wiper dubbed IsraBye was employed in attacks on Israeli organizations. Furthermore, Israel suffered a wave of BiBi wiper attacks in 2023 targeting organizations, including those in the education and technology sectors. The majority of these attacks were linked to Iranian-backed actors, whose end goal was to cause havoc and disrupt Israel’s economy.

Suggested Corrections:
The email campaign was blocked within ten minutes, according to ESET. Furthermore, the URLs employed in this campaign have been taken offline. The security vendor is currently working with the impacted partner to investigate the scope of the attack. Note: ESET was not compromised and its customers are secure.

Beaumont has shared relevant file hashes, which can be accessed using the link below:
https://doublepulsar.com/eiw-eset-i...e-attacks-targeting-israeli-orgs-b1210aed7021

Link(s):
https://www.bleepingcomputer.com/ne...breached-to-send-data-wipers-to-israeli-orgs/