ESET denies it was compromised as Israeli orgs targeted with 'ESET-branded' wipers

Discussion in 'other anti-malware software' started by ronjor, Oct 18, 2024 at 8:39 AM.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    170,840
    Location:
    Texas
    Connor Jones Fri 18 Oct 2024
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
    Last edited: Oct 18, 2024 at 10:23 AM
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,555
    Interesting for sure. Wonder if we will get the full story at some point.
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,374
    Location:
    Ontario, Canada
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
    Further details here: https://www.bleepingcomputer.com/ne...breached-to-send-data-wipers-to-israeli-orgs/ .

    Of note;
    Bottom line - Eset corp. servers were not breached.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,897
    Location:
    Slovenia, EU
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
    Which link are you referring to? The bleepingcomputer.com link?

    What is strange is if I try to access the malicious download site: https://backend.store.eset.co[.]il/pub/2eb524d79ce77d5857abe1fe4399a58d/ESETUnleashed_081024.zip, I get a Cloudflare blocked access alert. Problem is I am not using Cloudflare DNS or DoH servers. Alert must be originating from Eset Israeli eStore web site.
     
    Last edited: Oct 18, 2024 at 4:16 PM
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,897
    Location:
    Slovenia, EU
    First upload was for bleepingcomputer link.
    Accessing this thread now triggered two uploads on my system, one for a link and another for the whole thread page.

    upload_2024-10-18_22-37-4.png

    upload_2024-10-18_22-37-33.png
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
    Strange. I am not receiving any Eset Virus Lab uploads on bleepingcomputer link or when reviewing web page details. I am using ESSP 17.2.8.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,897
    Location:
    Slovenia, EU
    I still get files uploaded each time I visit this thread or bleepingcomputer link. I use Eset Nod32 AV 17.2.8.

    These are my settings:

    upload_2024-10-19_9-33-17.png
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,642
    Location:
    U.S.A.
    Note that your "Automatic submission of detected samples" is set to "Do not submit." As such, I would think there should be no submissions to Eset Virus Lab occurring. There might also be an issue with the browser you are using causing this activity. I am using Firefox. I am also running Firefox in Eset Secure all browsers mode.

    -EDIT- What I did notice is when I access the bleepingcomputer.com article w/Secure all browsers disabled, I observe tsmxx.eset.com network activity. This usually occurs when Eset detects suspicious network activity with whatever detected being auto submitted to LiveGrid for analysis. Note that this is separate and different monitoring activity than submissions to Eset Virus Lab.

    Also, did you disable NOD32 HTTPS scanning? That could be related to this Virus Lab submission issue.

    If this issue is not browser related, I would say that either there's an issue with your NOD32 installation or there's a bug in NOD32. For starters, you could reinstall NOD32 and see if this activity persists. If it does, post in the Eset forum about these Eset Virus Lab submissions.
     
    Last edited: Oct 19, 2024 at 10:58 AM
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,897
    Location:
    Slovenia, EU
    I have only disabled option Submission of detected samples. I have left option Submission of suspicious samples enabled for some types of files. If I disable sending of those too, nothing is sent to ESET. Since they classify those files as suspicious that is IMO expected behaviour.
    Since I don't find this behaviour to be an "issue", I won't try to "fix" it. If ESET finds those files suspicious they can upload them to their servers if they want. They can also upload them as many times as they want :)
     