Summary:
The researcher has received urgent reports regarding a targeted phishing campaign posing as F5, a cybersecurity company. The attacker, through deceptive emails, includes a link to download a file claiming to be a critical update but which, in reality, installs wiper malware on the user's system. The notice provides specific details about the attack, including the email address used by the attacker, and emphasizes the genuine email address of F5's SIRT team. The attacker relies on social engineering, leveraging technical personnel in targeted organizations to download and execute the malicious file, which claims to address critical vulnerabilities in F5 equipment.
The attacker's email contains a PNG file that serves as the notification. The attacker directs the recipient to download a file, either "update.zip" for Windows servers or "update.sh" for Linux servers, both disguised as F5 updates. To enhance credibility, the attacker lists external IP addresses allegedly associated with F5 equipment. The attack capitalizes on a recent F5 advisory that mentioned the option to download and execute a shell script file as part of addressing critical vulnerabilities. Once executed, the malware, which comes in separate Windows and Linux versions, wipes the server; it requires administrator privileges, and the attacker states this requirement in the email. Notably, the attack aims to persuade users that they are performing a genuine update to their F5 equipment.
Organizations are urged to block communication from the attacker's email address and domain, employing security measures such as SIEM, email filtering, file download filtering, AV, and EDR systems. The notice advises updating (notifying) the national cyber system if any of the identified indicators are found within organizational systems. While the files and URLs may differ between reported attacks, the attack pattern remains consistent. Caution is advised against activating similar links, as the attackers may change file names and other identifiers. The phishing campaign has no inherent capability for network propagation; it relies on user-initiated actions. Additionally, the attackers broadcast information about the compromised server through a Telegram channel, adding another layer of concern and potential impact. As a proactive measure, it is crucial for organizations to stay informed, update their cybersecurity systems, and exercise caution when handling unsolicited emails and downloads.
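As an added example, not taken from the notice, the following Python script shows one way to turn the notice's guidance into email-gateway detection: it flags messages whose display name claims to be F5 but whose sender domain is not F5's, and messages linking to the lure file names update.zip or update.sh. The log lines, sender addresses and domains are constructed for illustration (the attacker's real address is not reproduced), and the key=value log format and the f5.com allow-list are assumptions.

```python
"""Flag F5-impersonation phishing in email-gateway logs (added example)."""
import re

# Constructed sample of email-gateway log lines (key=value format assumed).
# None of these addresses or hosts are real indicators from the notice.
SAMPLE_LOG = """\
from="F5 SIRT <sirt@f5-security-update.example>" subject="Critical F5 update" url="https://f5-security-update.example/update.sh"
from="F5 SIRT <f5sirt@f5.com>" subject="Advisory K000123" url="https://my.f5.com/manage/s/article/K000123"
from="Alice <alice@corp.example>" subject="lunch" url=""
from="F5 Support <support@f5.com.evil.example>" subject="Patch now" url="http://203.0.113.5/update.zip"
"""

# Domains allowed to send mail on behalf of F5 (assumption for this example).
LEGIT_F5_DOMAINS = {"f5.com"}
# Lure file names named in the notice.
LURE_FILES = ("update.zip", "update.sh")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def sender_domain(from_field):
    """Extract the domain from 'Display Name <user@domain>'."""
    m = re.search(r"<[^@>]+@([^>]+)>", from_field)
    return m.group(1).lower() if m else ""


def claims_f5(from_field):
    """True when the display-name part mentions F5."""
    return "f5" in from_field.lower().split("<")[0]


def assess(fields):
    """Return reasons this message matches the campaign; empty list = clean."""
    reasons = []
    sender = fields.get("from", "")
    dom = sender_domain(sender)
    # Exact-domain comparison: f5.com.evil.example must not pass as f5.com.
    if claims_f5(sender) and dom not in LEGIT_F5_DOMAINS:
        reasons.append(f"F5 display name from non-F5 domain {dom}")
    url = fields.get("url", "").lower()
    if url.endswith(LURE_FILES):
        reasons.append(f"link to lure file {url.rsplit('/', 1)[-1]}")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = assess(parse_line(line))
        if reasons:
            hits.append((n, reasons))
    return hits
```

Hits from `scan` are a starting point for SIEM alerting; the sender domains they surface are candidates for the blocking the notice recommends.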