ESET denies it was compromised as Israeli orgs targeted with 'ESET-branded' wipers

ESET denies being compromised after an infosec researcher highlighted a wiper campaign that appeared to victims as if it was launched using the Slovak security shop's infrastructure. Kevin Beaumont blogged about an Israeli biz that said it was infected with a wiper after a staffer clicked a link in an email seemingly sent from …

  1. ACZ

    If emails are passing SPF and DKIM, then *something* has been compromised - DNS control, outgoing mail server, AD, etc.

    The statement from ESET says that "ESET was not compromised and is working closely with its partner [the Israeli partner company]". So basically the partner company in Israel was compromised. What does the partner company do? - just sales, or R&D etc. as well? And was the Israeli partner isolated from the main ESET network? Possibility of network traversal?

    1. Anonymous Coward

      Sadly, not necessarily. DMARC with SPF+DKIM is broken.

      Due to the way both are specified, using them together (as is nearly mandated) opens up possible spoofing. Microsoft is one of the main clowns enabling this issue, as you could bounce messages through azure/outlook.com and whitewash the checks. The problem at its heart is that in DMARC, if it passes either, it "passes". There isn't the ability to set a granular enough policy to define one that says it must pass both, or from which domains each will work with what keys.

      Subdomain issues are also huge concerns with the current system, as many companies use remailers like Mailchump and ConstantCrapware, which request wildcard authorization. So if anyone in the chain of trust includes an expired domain, your organization is screwed.

      So ESET and its Israeli affiliate may have dropped the ball, or the message may have been slipped past the checks by other means. The messages would show some information in the headers, but unfortunately, most mail clients would include the results of the failed or suspicious checks in the headers and still mark it a PASS per the policy rules, meaning the user never saw the warning, only the IT team doing mop-up.

      This is broken in specification and needs to be fixed, but even if it is, getting the major players to update their systems is a decade-long nightmare. So this will probably go on for some time.
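The "if it passes either, it passes" rule the comment describes, as an added example that is not part of this thread: a small Python evaluator of DMARC identifier alignment over an Authentication-Results header. The relay domain, the sample header, and the `single_mechanism_pass` flag (a local signal a mail team could alert on, not a DMARC policy tag) are constructed assumptions, and the organizational-domain reduction skips the Public Suffix List.

```python
import re

def org_domain(domain):
    """Organizational domain. Assumption: last two labels, no Public Suffix List lookup."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def aligned(auth_domain, from_domain, mode):
    """RFC 7489 alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Extract (method, result, domain) from 'spf=... smtp.mailfrom=' and
    'dkim=... header.d=' clauses. Constructed, forgiving parser for this example."""
    results = []
    for clause in header.split(";")[1:]:
        m = re.search(r"(spf|dkim)=(\w+).*?(?:smtp\.mailfrom|header\.d)=([\w.\-@]+)",
                      clause.strip())
        if m:
            method, result, ident = m.groups()
            results.append((method, result, ident.split("@")[-1]))
    return results

def evaluate_dmarc(auth_results_header, from_domain, aspf="r", adkim="r"):
    """DMARC verdict: pass if at least one mechanism passes AND aligns with the
    RFC5322.From domain. Also reports when only one mechanism carried the pass."""
    spf_ok = dkim_ok = False
    for method, result, ident in parse_auth_results(auth_results_header):
        if result != "pass":
            continue  # a failing or neutral check contributes nothing
        if method == "spf" and aligned(ident, from_domain, aspf):
            spf_ok = True
        if method == "dkim" and aligned(ident, from_domain, adkim):
            dkim_ok = True
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,          # the "either" rule
        "single_mechanism_pass": spf_ok != dkim_ok,  # local signal, not standard
    }

# Constructed sample: mail relayed through a third-party mailer. SPF passes for the
# relay's bounce address (not aligned); DKIM passes for the sending org's subdomain.
SAMPLE = ("mx.example.net; spf=pass smtp.mailfrom=bounce@relay-mailer.test; "
          "dkim=pass header.d=mail.example.org")

if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE, "example.org"))
```

With relaxed alignment the sample passes on DKIM alone; switching `adkim` to strict makes the same message fail, which is the only knob the standard gives a domain owner.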

  2. carbon unit

    What's with the !

    Is it just me? Whenever I see a scam email, they always like to reveal the irony of the message with a nice negating !
