Fake F5 BIG-IP zero-day warning emails push data wipers


The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.

Israel’s National Cyber Directorate (INCD) acts as the CERT responsible for protecting the country from cyber threats and to warn organizations and citizens about known attacks.

Since October, Israel has been heavily targeted by pro-Palestinian and Iranian hacktivists, who have been conducting data theft and data-wiping attacks on organizations in the country.

In November, a new data wiper called BiBi Wiper was discovered that targeted both Linux and Windows devices and is believed to have been created by pro-Hamas hacktivists.

Fake F5 update deploys wiper

Yesterday, INCD warned of a new phishing attack deploying data wipers through emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices.

A pro-Palestinian hacktivist group named Handala told BleepingComputer that they were responsible for the phishing attack, stating it was deployed on numerous Israeli networks. BleepingComputer has not been able to confirm these claims independently.

The phishing email warns that the F5 BIG-IP zero-day vulnerability is actively exploited in attacks, urging Israeli organizations to download and install a security update before their network is breached.

Phishing email pushing fake F5 BIG-IP update
Phishing email pushing fake F5 BIG-IP update
Source: INCD

For Windows users, the email pushes an executable named F5UPDATER.exe [VirusTotal], and for Linux, the file is a shell script named update.sh [VirusTotal].

When launched, both the Windows and Linux versions attempt to impersonate an F5 security update by displaying the company’s logo on the screen.

For example, the Windows wiper will display a small screen branded with the F5 logo that pretends to be a security update installer.

Windows data wiper impersonating F5 security update
Windows data wiper impersonating F5 security update
S​​​​​ource: BleepingComputer

When the Update button is clicked, the wiper will send a message containing the information above the device to a Telegram channel and attempt to wipe all the data from the computer.

However, in BleepingComputer’s tests, the wiper is a bit buggy, not deleting all of the data on a computer.

The Linux wiper is a shell script that first downloads the programs necessary to wipe the computer, which are xfsprogswipe, and parted.

Linux wiper's data wiping routine
Linux wiper’s data wiping routine
Source: BleepingComputer

These programs are used first to remove all users on the system and then use the ‘wipe’ command to delete the associated home directions.

The wiper will then attempt to delete all operating system files and the partitions on the Linux device. When done, the Linux computer is rebooted to cause the partition changes to go into effect.

Like the Windows wiper, the Linux version will communicate with a Telegram channel to provide information about the device and status updates.

Data wipers have become a massive problem for Israel, with hacktivists commonly using them in destructive attacks to disrupt Israel’s operations and economy.

As always, the best defense is only to download files from email if they come from a trusted and confirmed source. Furthermore, security updates should only be downloaded directly from a hardware vendor, not third-party sites.



Source link