The Israel National Cyber Directorate (INCD) warns Israeli organisations about a sophisticated phishing attack that leverages a fake F5 BIG-IP zero-day patch. The attackers behind this campaign are the alleged pro-Palestinian hacktivist group Handala.
The group claimed responsibility for deploying data wipers on numerous Israeli networks through deceptive emails. The phishing emails in the recent attacks pose as an urgent security advisory insisting that Israeli organisations download and install an F5 BIG-IP zero-day vulnerability patch to prevent potential network breaches.
The malicious payload comes as an executable file named F5UPDATER.exe for Windows users, while the attackers target Linux users with a shell script named update.sh.
The fake F5 BIG-IP zero-day patch poses as a legitimate update for both operating systems.
According to investigations, both versions of the fake F5 BIG-IP zero-day patch cleverly mimic an F5 security update. In addition, the campaign operators display the company’s logo to generate a false sense of legitimacy.
The Windows variant, for instance, presents a screen decorated with the F5 logo, posing as a security update installer. However, upon clicking the deceptive “Update” button, the wiper activates and sends device information to a Telegram channel before attempting to wipe all data from the infected computer.
The Linux variant takes a more systematic approach. To prepare for the wiping process, the shell script first downloads the programs it needs, including xfsprogs, wipe and parted.
The script then removes every user account on the system and uses the ‘wipe’ command to erase the associated home directories. Next, it targets the operating system’s files and partitions and reboots the compromised device so the partition changes take effect. Like its Windows counterpart, the Linux version uses a Telegram channel as its C2 server, reporting device information and status updates to it.
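As an added defender-side example (not code from the article, the INCD or the campaign), the following Python script flags the staged Linux behaviour described above in constructed, hypothetical auditd-style process logs: installing xfsprogs/wipe/parted, deleting users, wiping home directories and altering partitions on one host within a short time window. The log format, hostnames, stage predicates and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, hypothetical auditd-style process log lines (not captured from the real campaign).
SAMPLE_LOG = """\
2024-06-01T10:00:01 host1 uid=0 cmd="apt-get install -y xfsprogs wipe parted"
2024-06-01T10:00:09 host1 uid=0 cmd="userdel -r alice"
2024-06-01T10:00:10 host1 uid=0 cmd="wipe -rf /home/alice"
2024-06-01T10:00:12 host1 uid=0 cmd="parted -s /dev/sda rm 1"
2024-06-01T11:00:00 host2 uid=0 cmd="apt-get install -y parted"
2024-06-01T15:30:00 host2 uid=0 cmd="userdel bob"
2024-06-01T15:30:05 host2 uid=0 cmd="wipe -rf /home/bob"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>[^"]+)"$')

# One predicate per stage of the Linux wiper chain described in the article, evaluated over argv.
TOOLS = {"xfsprogs", "wipe", "parted"}
STAGES = {
    "install_tools": lambda a: a[0] in ("apt-get", "apt", "yum", "dnf") and "install" in a and bool(TOOLS & set(a)),
    "delete_users": lambda a: a[0] == "userdel",
    "wipe_home": lambda a: a[0] == "wipe" and any(x.startswith("/home/") for x in a),
    "alter_partitions": lambda a: a[0] in ("parted", "wipefs", "mkfs.xfs"),
}

def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts' and a tokenised 'argv'; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["cmd"].split():
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["argv"] = ev["cmd"].split()
            events.append(ev)
    return events

def detect_wiper_chain(events, min_stages=3, window_s=600):
    """Return {host: [stages]} for hosts where >= min_stages distinct chain stages ran within window_s seconds."""
    alerts, start, stages = {}, {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        for name, pred in STAGES.items():
            if not pred(ev["argv"]):
                continue
            if host not in start or (ev["ts"] - start[host]).total_seconds() > window_s:
                start[host], stages[host] = ev["ts"], []  # too old: open a fresh per-host window
            if name not in stages[host]:
                stages[host].append(name)
            if len(stages[host]) >= min_stages:
                alerts[host] = list(stages[host])
    return alerts
```

With the sample data, host1 triggers the full four-stage chain while host2's isolated package install hours earlier is not joined to its later user deletion, so host2 stays below the default threshold.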
Hacktivist groups frequently employ such destructive tools to conduct espionage against their target countries, disrupting operations and undermining those countries’ economies.
As a precautionary measure, users should be cautious when opening files received by email and should ensure that any downloaded file originates from a trusted and confirmed source. Finally, security updates should come only from the hardware vendor itself; companies should avoid obtaining patches from third-party sites to mitigate the risk of such elaborate phishing schemes.