October 18, 2024 at 02:27PM
Hackers breached ESET’s Israeli partner, sending phishing emails to businesses that disguised data wipers as antivirus software. The emails, appearing legitimate, originated from the compromised eset.co.il domain. Malicious files included legitimate DLLs and a harmful Setup.exe. The attack aimed to disrupt, reflecting ongoing cybersecurity threats in Israel.
**Meeting Takeaways: ESET Phishing Campaign and Data Wiper Attack**
1. **Incident Overview**:
– Hackers breached ESET’s exclusive partner in Israel, Comsecure, leading to a phishing campaign that started on October 8th, which targeted Israeli businesses with disguised data wipers masquerading as antivirus software.
2. **Nature of Data Wipers**:
– Data wipers are malware that delete all files on a computer and corrupt partition tables, complicating data recovery.
3. **Phishing Email Details**:
– Emails spoofed ESET’s logo and were sent from the legitimate eset.co.il domain, indicating a compromise of ESET’s Israel division’s email server.
– The emails claimed to originate from “ESET’s Threat Intelligence Division” and falsely warned recipients about government-backed attackers targeting their devices.
4. **Malicious Offer**:
– The phishing emails promoted an advanced antivirus tool named “ESET Unleashed,” suggesting it was part of ESET’s Advanced Threat Defense program. The email claimed recipients could install it on multiple devices.
5. **Domain Authentication**:
– The phishing emails passed SPF, DKIM, and DMARC authentication checks, adding to their apparent legitimacy; because they were sent from the legitimate eset.co.il domain, those checks could only confirm the sending domain, not the intent of the message.
6. **Malicious Download**:
– Links in the phishing emails directed users to a ZIP archive hosted on the eset.co.il domain, which has since been disabled.
– The archive contained legitimate DLL files alongside a malicious executable (Setup.exe), which functions as the data wiper.
7. **Testing of Malicious Software**:
– Initial attempts to test the malicious executable on a virtual machine failed, while cybersecurity expert Kevin Beaumont successfully executed it on a physical machine, revealing its malicious behavior.
8. **Impact and Scope**:
– It is currently unclear how many companies were affected by this phishing campaign or how Comsecure was compromised.
– The attack has not been directly attributed to any specific threat actor.
9. **Historical Context**:
– Data wipers have been used in previous attacks against Israel, with notable incidents in 2017 and 2023 linked to Iranian threat actors, aimed at causing disruption rather than financial gain.
10. **Next Steps**:
– Continued monitoring of the situation, gathering information from Comsecure, and strengthening cybersecurity measures must be prioritized to mitigate further risks.
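As an added example (not code from the original summary, from ESET or from Comsecure), the triage check implied by items 5 and 6: SPF, DKIM and DMARC passing for a compromised but legitimate domain is not a safety signal, so a gateway rule should weigh archive download links and lure wording alongside the authentication result. Both messages, their addresses and links are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the campaign above; the address and link are placeholders.
PHISH_EML = """\
From: ESET Threat Intelligence <alerts@eset.co.il>
To: admin@example.org
Subject: Government-backed attackers may be targeting your devices
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=eset.co.il; dkim=pass header.d=eset.co.il; dmarc=pass header.from=eset.co.il
Content-Type: text/plain; charset="utf-8"

Our Threat Intelligence Division detected state-backed actors targeting you.
Install ESET Unleashed on all your devices: https://eset.co.il/downloads/unleashed.zip
"""

# Constructed benign mail from the same domain: authentication passes, no archive link, no lure.
BENIGN_EML = """\
From: ESET Billing <billing@eset.co.il>
To: admin@example.org
Subject: Your licence renewal invoice
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=eset.co.il; dkim=pass header.d=eset.co.il; dmarc=pass header.from=eset.co.il
Content-Type: text/plain; charset="utf-8"

Your invoice is available in the customer portal: https://eset.co.il/portal/invoices
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
LURE_TERMS = ("government-backed", "state-backed", "threat intelligence", "install")


def auth_results(msg):
    """Map each mechanism in Authentication-Results to its result, e.g. {'spf': 'pass'}."""
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(msg.get("Authentication-Results", ""))}

def triage(raw):
    """Return a verdict that does not trust the authentication result alone."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    auth = auth_results(msg)
    auth_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    archives = [u for u in URL_RE.findall(body) if u.lower().rstrip(".,)").endswith(ARCHIVE_EXT)]
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    lures = [t for t in LURE_TERMS if t in text]
    # A pass only shows the mail left the domain's authorised infrastructure, which is
    # exactly what a compromised partner domain provides; escalate on payload plus lure.
    verdict = "escalate" if archives and len(lures) >= 2 else "ok"
    return {"auth_pass": auth_pass, "archive_links": archives, "lures": lures, "verdict": verdict}
```

The benign message shows the rule does not fire on authentication alone: it passes the same checks but carries neither an archive link nor lure wording.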