Fake F5 BIG-IP Zero-Day Warning Emails Push Data Wipers

Cyber Threat Summary:
Israel’s National Cyber Directorate (INCD) recently disclosed a new phishing campaign that is distributing Windows and Linux data wipers via emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices. According to INCD, the emails push out an executable named F5UPDATER[.]exe for Windows users, while a shell script named update[.]sh is used for Linux users. Once launched, both the executable and script are designed to display a security update installer impersonating F5. On Windows, if the user clicks on the update button, the wiper will send a message to a Telegram channel containing information on the host and proceed to wipe all of the data on the targeted computer. As for the Linux wiper, INCD notes that the script will first download programs like xfsprogs, wipe, and parted, which are then used to remove all users on the system and delete all associated home directories, files, and partitions.

Security Officer Comments:
Since the start of the Hamas-Israeli conflict, Israel has been the target of cyberattacks launched by pro-Palestinian and Iranian hacktivists. Just last month, these hacktivist groups were observed using a new data wiper called BiBi Wiper to conduct data-wiping attacks against Israeli targets.

A pro-Palestinian hacktivist group named Handala has claimed responsibility for the latest set of wipers. According to tests conducted by researchers, the wipers are still buggy and aren’t capable of deleting all of the data on the victim’s system. This might indicate that the actors are still developing these strains.

Suggested Correction(s):
Have backups of mission-critical data and be careful not to download files in emails that come from unknown senders. Also, security updates should be downloaded directly from the official vendor, as actors are known for creating bogus sites containing download links impersonating popular software to infect unsuspecting visitors.