On Wednesday, cybersecurity researchers at IBM’s Security X-Force confirmed that an Asian airline was the target of a cyberattack conducted by a suspected state-sponsored Iranian threat group. The attack likely began in October 2019 and lasted until 2021, and it leveraged a never-before-seen backdoor, according to researchers. Researchers suspect the advanced persistent threat group tracked as ITG17, also known as MuddyWater, to be behind the attack. The group leveraged a free Slack workspace channel to host malicious content and to obfuscate its command-and-control communications.
Researchers stated that it is unclear whether the APT was able to steal data from the victim’s environment; however, files discovered on the threat actor’s servers suggest that it may have been able to access reservation data. The backdoor used three separate Slack channels to exfiltrate information such as hostnames, IP addresses, usernames, and more. The backdoor, called Aclip, is not the only malware known to abuse Slack in cyberattacks: Slack C2bot also leverages the Slack API to facilitate malicious C2 communications. Slack reported that it investigated and immediately shut down the affected workspaces upon learning of the attack, and that no Slack customer data was exposed or at risk as a result of the cyberattack.
Read More: Suspected Iranian hackers target airline with new backdoor