
ESET Brand Attack Targets Israel; Company denies compromise


Security firm ESET refutes reports that cyberattackers have compromised its platforms and used them to attack customers in Israel with dangerous wiper malware.

“We are aware of a security incident that affected our partner company in Israel last week,” the company said in a post on X, formerly known as Twitter. “Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology blocks the threat and our customers are safe. ESET has not been compromised and is working closely with its partner to conduct further investigations and we continue to monitor the situation.”

Security researcher Kevin Beaumont (aka Gossi the Dog) sparked the controversy after blogging about a malicious email that an ESET user had posted in the ESET user forum. The email, which was flagged as malicious, carried the subject line “Government-backed attackers may be trying to compromise your device!” It purported to come from the ESET team and to offer additional protection against an ongoing attack:

[Image of the forum post. Source: ESET User Forum.]

According to the person who flagged the email for Beaumont, the email carried a .ZIP attachment which, when unpacked and opened, delivered destructive wiper malware similar to that used by the threat group Handala. Handala, named after a political cartoon character that embodies the national identity of the Palestinian people, has become known for attacking Israeli organizations with data-destroying wipers since the Hamas attacks of October 7 and the resulting war.


Beaumont noted: “I managed to get the email; it passes both DKIM and SPF checks for coming from the ESET shop,” he said in the blog post. “Furthermore, the link actually leads to backend.store.eset.co.il – owned by ESET Israel.”

This led him to conclude, via Mastodon: “ESET Israel has definitely been compromised. This thing is fake ransomware that is communicating with an Israeli news organization server for some reason.”

ESET has now categorically refuted this conclusion, suggesting that the attackers used some method to bypass anti-spoofing measures for both the email and the .ZIP link. ESET did not immediately respond to a request for comment from Dark Reading.

The campaign is now blocked for ESET customers.
