Hacker (illustrative) (Flash 90)

The National Cyber Authority has issued a warning of an Iranian phishing attack that includes emails attempting to convince individuals and organizations to download a security update, which is in fact malicious software that will steal or erase data. A researcher from the Authority, in cooperation with a commercial firm, found that the attack was backed by an Iranian offensive hacking group.

Security product provider F5 announced that the attack can appear to be from many different organizations. The attack message claims that a critical security update is available and that it must be downloaded from an attached link. The Authority found that executing such an attack required significant preparatory work by the hacking group, including the identification of relevant technical personnel in the targeted organizations, who were designated as recipients of the message. The targets were chosen with the aim of embedding malicious software in all of the target organization's servers. The link contains two malicious files that will run programs to collect data and to wipe all data on the server's organizational network.

The attack uses email addresses that appear benign at first glance but have strange endings, and it exploits the announcement by F5 to convince the target of the need to download and run a specific file to protect their network. The goal is to persuade those who would otherwise refuse, and for this purpose the message can also include falsified statements by F5 and information on the targeted network, including its IP address.

The warning from the National Cyber Authority details the research on the malicious files, ways to identify the attack, and identifying traits to block from the targeted network. The Authority calls on organizations to take steps to block attacks before they happen, to report similar messages, and to avoid clicking on links before checking them.