Targeted F5 Vulnerability 'Update' Delivers Wiper to Israeli Victims

Israel's National Cyber Directorate (NCD) has issued an "urgent warning" about a targeted email campaign impersonating F5 Networks that delivers a dangerous wiper malware.

The lure for the attack is a critical authentication bypass vulnerability in F5's BIG-IP, disclosed in late October. At the time, F5 said one way to resolve the vulnerability was to download and run a special shell script file on the BIG-IP system.

In the message, the attacker capitalized on this, informing the recipient that an attached file is the update for the vulnerability. The emails are sent from "cert @ f5.support," and the file is generically named "update.zip." The download actually contains a wiper that deletes any F5 servers that admins run it on, according to the agency's alert. The good news is that the malware is unable to move laterally from server to server, so the extent of any given attack is dependent on the admin running the file on multiple instances.

According to the analysis, the file identifier for each attack is unique to each victim, as is the URL to download the payload. The NCD said this will make identifying other attacks more difficult.

It was not clear how many detections there have been so far, or who has been specifically targeted.