
Nation-State Attackers Targeted Airline With New Backdoor

posted on December 20, 2021
by l33tdawg
Credit: Flickr

A threat group targeted an unnamed Asian airline with a previously unknown backdoor, which abused a feature in Slack to obfuscate operational communication, according to a new report. Researchers linked the activity to ITG17 (also known as MuddyWater), an Iran-linked nation-state group known for targeting governments, primarily in the Middle East and South Asia, for espionage purposes.

Though researchers first observed the cyberattack in March, the malicious activity tracks back to October 2019, when the backdoor was first deployed. The backdoor, named “Aclip,” is written in the PowerShell scripting language. To receive commands and send data, the backdoor used legitimate functionality in the Slack messaging Application Programming Interface (API), which allows apps and services to be developed that integrate with the messaging platform. Here, the attackers created a workspace and channels where they could receive system information from the backdoor, including requested files and screenshots, and post commands for the backdoor to retrieve.
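A command channel that rides on the Slack Web API looks, on the wire, like ordinary SaaS traffic, so the useful defensive question is which process on which host is talking to the API. The script below is an added example written for this article; it is not code from the report, from IBM X-Force, or from the Aclip sample. It assumes a constructed egress-proxy log format (`timestamp host process method url`), assumes that legitimate Slack use in the environment comes from the desktop client or a browser, and uses constructed host and process names. The Slack Web API method names are real, but associating any of them with Aclip is this example's assumption, not a finding from the report.

```python
"""Flag Slack Web API calls made by processes that are not normal Slack clients.

Added example for the Aclip article, not the report's or IBM X-Force's code.
Assumptions (not from the article): proxy logs are available as
'timestamp host process method url' lines, and ordinary Slack usage comes
from the desktop client or a browser. All log lines are constructed samples.
"""
from urllib.parse import urlsplit

# Processes expected to talk to Slack on a workstation (assumed allow-list).
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Real Slack Web API methods that let a program read messages or move files.
# Treating them as higher severity is a heuristic, not an Aclip indicator.
WATCHED_METHODS = {
    "conversations.history",
    "conversations.list",
    "chat.postMessage",
    "files.upload",
}

# Constructed sample proxy log: two benign Slack uses, one scripting host
# on a server reaching the API, and one unrelated request.
SAMPLE_PROXY_LOG = """\
2021-03-02T08:15:01Z WS-104 slack.exe POST https://slack.com/api/chat.postMessage
2021-03-02T08:15:07Z WS-104 chrome.exe GET https://app.slack.com/client/T0
2021-03-02T08:16:30Z SRV-WEB02 powershell.exe POST https://slack.com/api/files.upload
2021-03-02T08:16:31Z SRV-WEB02 powershell.exe POST https://slack.com/api/conversations.history
2021-03-02T08:17:00Z WS-212 outlook.exe GET https://outlook.office365.com/owa/
"""


def parse_line(line):
    """Split one constructed proxy-log line into its fields."""
    ts, host, process, method, url = line.split()
    return {"ts": ts, "host": host, "process": process.lower(),
            "method": method, "url": url}


def slack_api_method(url):
    """Return the Slack Web API method name in a URL, or None if it is not an API call."""
    parts = urlsplit(url)
    if parts.hostname not in ("slack.com", "api.slack.com"):
        return None
    if not parts.path.startswith("/api/"):
        return None
    return parts.path[len("/api/"):]


def find_suspicious(log_text):
    """Return findings for Slack API calls from processes outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        api = slack_api_method(rec["url"])
        if api is None or rec["process"] in EXPECTED_SLACK_CLIENTS:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "process": rec["process"],
            "api_method": api,
            # Message polling and file transfer from a script host rank higher.
            "severity": "high" if api in WATCHED_METHODS else "medium",
        })
    return findings


def hosts_by_method_count(findings):
    """Summarise distinct API methods per host, most varied host first."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["api_method"])
    return sorted(((h, len(m)) for h, m in per_host.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['host']} {f['process']} -> {f['api_method']}")
    print(hosts_by_method_count(find_suspicious(SAMPLE_PROXY_LOG)))
```

The allow-list is the weak point of this heuristic: a browser-based implant would pass it, so in practice the check is worth pairing with a workspace-level control (restricting which Slack workspaces the proxy permits) rather than relying on the process name alone.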

“The threat actor employed a variety of techniques to maintain access to the environment to avoid detection, including the abuse of legitimate services such as Slack through the use of the Aclip backdoor,” said Richard Emerson, senior analyst with IBM X-Force Threat Intelligence. “The threat actor leveraged compromised credentials to VPN into the environment, tunneled remote access tool traffic over non-standard ports, and had redundant access to the environment through the use of web shells on different servers, in case their other methods of access were discovered. Their job of maintaining access also got easier when they obtained domain admin privileges in the environment.”

