Search This Blog

Powered by Blogger.

Blog Archive

Labels

Slack API Exploited by Iranian Threat Actor to Attack Asian Airline

According the tools, methods, and infrastructure observed on the network from 2019 to 2021, the threat actor used free Slack workspaces in the attack.

 

According to IBM Security X-Force, the Iran-linked advanced persistent threat (APT) attacker MuddyWater has been discovered establishing a backdoor that exploits Slack on the network of an Asian airline. 

The hacking gang, also known as MERCURY, Seedworm, Static Kitten, and ITG17, predominantly targets throughout the Middle East and other regions of Asia. 

MuddyWater successfully infiltrated the networks of an undisclosed Asian airline in October 2019, according to IBM X-Force, with the detected activities continuing into 2021. 

According to IBM's security researchers, the adversary used a PowerShell backdoor named Aclip, which uses a Slack communication API for command and control (C&C) operations such as communication and data transmission. 

Provided that numerous different Iranian hacking groups got access to the very same victim's infrastructure in far too many cases, IBM X-Force suspects that the other adversaries were also associated in this operation, particularly considering that Iranian state-sponsored malicious actors have already been targeting the airline industry – primarily for monitoring purposes – for at least a half-decade. 

A Windows Registry Run key has been exploited in the observed event to permanently perform a batch script, which then runs a script file (the Aclip backdoor) using PowerShell. The malware could collect screenshots, acquire system information, and exfiltrate files after receiving commands via attacker-created Slack channels. 

The attacker guarantees that malicious traffic mixes in along with regular network traffic while using Slack for communication. Other virus groups have also leveraged the collaborative application for similar objectives. 

Following notification of the malicious activities, Slack initiated an investigation and removed the reported Slack workspaces. 

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

IBM's researchers are certain that the malicious actor is behind the activities based on custom tools used throughout the attack, TTP overlaps, used infrastructure, and MuddyWater's previous targeting of the transportation sector.
Share it:

Airline

API

Cyber Attacks

Iranian

Slack