According to a report by Israel's National Cyber Center, Israeli companies have recently been targeted in a phishing scheme that uses the fraudulent email address cert[@]f5[.]support. The address impersonates a purported CERT for the American company F5.
The emails deliver a fraudulent alert urging recipients to download an update that purportedly remediates the recent F5 BIG-IP vulnerabilities.
The attack targets both Linux and Windows. For Linux, a link enables a wget command that retrieves a Bash script (update.sh); for Windows, it enables download of a malicious executable, F5UPDATER.exe, which serves as a stager.
The attack chain culminates in the deployment of a wiper and the leak of data from the impacted servers on an attacker-controlled Telegram channel.
According to an analysis released by Intezer, the command-and-control has been geolocated to Chelyabinsk, Russia.
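
A mail-triage check built on the indicators named in this report (the sender domain and the two payload file names), added here as an example and not taken from the National Cyber Center or Intezer material. The function names, sample messages and example.org / example.invalid hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Indicators named in the report above, refanged for matching.
SENDER_DOMAIN = "f5.support"
PAYLOAD_NAMES = ("update.sh", "f5updater.exe")
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def refang(text):
    """Undo common defanging: cert[@]f5[.]support -> cert@f5.support."""
    return text.replace("[.]", ".").replace("[@]", "@")

def triage(raw_message):
    """Return sorted reasons a raw RFC 5322 message matches the campaign."""
    msg = message_from_string(raw_message)
    hits = set()
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower().rstrip(".")
            # Exact domain or a subdomain; "f5.support.example.org" must not match.
            if domain == SENDER_DOMAIN or domain.endswith("." + SENDER_DOMAIN):
                hits.add(f"{header.lower()}:{domain}")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = refang(raw.decode("utf-8", "replace")).lower()
        for name in PAYLOAD_NAMES:
            # Whole file name only, so "update.shtml" is not a hit.
            if re.search(r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])", body):
                hits.add(f"payload:{name}")
    return sorted(hits)

# Constructed sample messages (hosts are placeholders, not real indicators).
PHISH = (
    "From: F5 CERT <cert@f5.support>\n"
    "Reply-To: cert@f5.support\n"
    "\n"
    "Linux: wget hxxp://files.example[.]invalid/update.sh\n"
    "Windows: download F5UPDATER.exe\n"
)
LOOKALIKE = (
    "From: Portal <noreply@f5.support.example.org>\n"
    "\n"
    "Status page: https://status.example.org/update.shtml\n"
)
if __name__ == "__main__":
    print(triage(PHISH), triage(LOOKALIKE))
```

The second sample shows the two false-positive cases the matching rules are written to avoid: a domain that merely begins with the indicator, and a file name that merely begins with update.sh.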