Iranian hacking group suspected of targeting an airline with a new backdoor. According to IBM Security X-Force, an Asian airline was attacked by the suspected Iranian hacking group which started in October 2019 until 2021.
The hacking group ITG17, also known as MuddyWater carried out an attack on a free workspace channel on Slack to harbor malicious content and confuse communications made between malicious command-and-control (C2) servers.
According to IBM, “It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor’s C2 server suggest the possibility that they may have accessed reservation data.”
The hackers managed to hack into the Slack messaging Application Program Interface (API) with a new backdoor deployed by the APT named “Aclip.” The APT is able to control the API to send data and receive commands with system data, screenshots, and files sent to an attacker-controlled Slack channel.
The hackers managed to deploy three channels for the backdoor to quietly exfiltrate information. The backdoor once installed and executed collected basic system data including hostnames, usernames, and IP addresses which were then sent to the first Slack channel after encryption.
The other channel was used to check for commands to execute and results from these commands like file uploads were sent to a third Slack workspace.
The new backdoor, Aclip, is known to abuse Slack, which is a valuable tool especially now when people work from home or in hybrid setups. Slack C2bot, a golang-based Slack also leverages the Slack API to facilitate C2 communications, while the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure.
Slack in a statement said, they have investigated the situation and have immediately shut down the reported Slack Workspaces as a violation of our terms of service.
Slack further said, “We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.”