Source: https://www.zdnet.com/article/suspected-iranian-hackers-target-airline-with-new-backdoor/


SUSPECTED IRANIAN HACKERS TARGET AIRLINE WITH NEW BACKDOOR

The attack was performed by abusing the Slack workspace application.


Written by Charlie Osborne, Contributor

Charlie Osborne is a cybersecurity journalist and photographer who writes for
ZDNet and CNET from London. PGP Key: AF40821B.

Posted in Zero Day on December 16, 2021 | Topic: Security

A suspected state-sponsored Iranian threat group has attacked an airline with a
never-before-seen backdoor.

On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian
airline was the subject of the attack, which likely began in October 2019 and
continued into 2021.

The advanced persistent threat (APT) group ITG17, also known as MuddyWater,
used a free Slack workspace to host malicious content and to disguise the
backdoor's command-and-control (C2) communications as ordinary traffic to
Slack's servers.

"It is unclear if the adversary was able to successfully exfiltrate data from
the victim environment, though files found on the threat actor's C2 server
suggest the possibility that they may have accessed reservation data," IBM
says. 

The Slack messaging Application Programming Interface (API) was abused by a new
backdoor, which the researchers named "Aclip." Aclip uses the API both to send
data and to receive commands, with system data, screenshots, and files posted
to an attacker-controlled Slack channel.

Overall, three separate channels were used by the backdoor to quietly exfiltrate
information. Once installed and executed, Aclip collected basic system data,
including hostnames, usernames, and IP addresses, encrypted it, and sent it to
the first Slack channel.

The second channel was polled for commands to execute, and the results of those
commands, such as uploaded files, were then sent to the third Slack channel.
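As an added example, not code from the article, from IBM X-Force or from Slack: the three-channel loop described above (post collected data, poll for commands, post results) leaves a characteristic footprint in egress logs, and the Python below flags it. It parses web-proxy log lines in an assumed format, keeps only Slack Web API calls, and scores each source host and client string on three signals: near-constant polling intervals, a non-browser user agent, and the combination of reading a channel, posting messages and uploading files from one client. The log lines are constructed, and the API method names (`conversations.history`, `chat.postMessage`, `files.upload`) are real Slack Web API methods whose use by Aclip is an assumption; the article does not name them.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Assumed format:
# "<ISO-8601 UTC timestamp> <source host> <HTTP method> <URL> <user agent>"
SAMPLE_PROXY_LOG = """\
2021-11-02T09:00:00Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:00:31Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:01:00Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:01:02Z ws-0143 POST https://slack.com/api/chat.postMessage python-requests/2.25.1
2021-11-02T09:01:30Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:01:33Z ws-0143 POST https://slack.com/api/files.upload python-requests/2.25.1
2021-11-02T09:02:01Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:02:30Z ws-0143 POST https://slack.com/api/conversations.history python-requests/2.25.1
2021-11-02T09:07:45Z ws-0207 POST https://slack.com/api/chat.postMessage Mozilla/5.0 (Windows NT 10.0) Slack_SSB/4.22.0
2021-11-02T09:31:03Z ws-0207 POST https://slack.com/api/files.upload Mozilla/5.0 (Windows NT 10.0) Slack_SSB/4.22.0
2021-11-02T09:00:05Z ws-0310 GET https://www.zdnet.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/96.0
"""

SLACK_API_RE = re.compile(r"^https://(?:[\w-]+\.)?slack\.com/api/([\w.]+)")
BROWSER_UA_RE = re.compile(r"^Mozilla/")  # browsers and the Slack desktop app both start this way
MIN_POLLS = 5            # fewer reads than this cannot establish a rhythm
MAX_INTERVAL_CV = 0.2    # stdev/mean of the gaps below this is "machine-regular"
# Read tasking, post results, upload files: the three roles the article describes.
# Mapping them onto these API methods is an assumption, not something the article states.
C2_LOOP_METHODS = {"conversations.history", "chat.postMessage", "files.upload"}


def parse_line(line):
    """Split one log line into fields; the user agent may itself contain spaces."""
    ts, host, method, url, ua = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "host": host, "method": method, "url": url, "ua": ua}


def slack_api_calls(log_text):
    """Return parsed records for Slack Web API calls only, tagged with the API method."""
    calls = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = SLACK_API_RE.match(rec["url"])
        if m:
            rec["api_method"] = m.group(1)
            calls.append(rec)
    return calls


def interval_cv(times):
    """Coefficient of variation of the gaps between timestamps (None if undefined)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def score_slack_usage(log_text):
    """One finding per (host, user agent) pair that touched the Slack Web API."""
    groups = defaultdict(lambda: defaultdict(list))
    for c in slack_api_calls(log_text):
        groups[(c["host"], c["ua"])][c["api_method"]].append(c["when"])
    findings = []
    for (host, ua), per_method in groups.items():
        reasons, best_cv = [], None
        for api_method, times in per_method.items():
            if len(times) < MIN_POLLS:
                continue
            cv = interval_cv(times)
            if cv is None:
                continue
            best_cv = cv if best_cv is None else min(best_cv, cv)
            if cv < MAX_INTERVAL_CV:
                reasons.append(f"{api_method} polled {len(times)}x at near-constant interval (cv={cv:.2f})")
        # Weak signal on its own: a UA is trivially spoofed, and server-side
        # integrations legitimately call the API without a browser string.
        if not BROWSER_UA_RE.match(ua):
            reasons.append(f"non-browser client: {ua}")
        full_loop = C2_LOOP_METHODS <= set(per_method)
        if full_loop:
            reasons.append("read + post + upload from one client: complete tasking/exfil loop")
        findings.append({"host": host, "ua": ua, "interval_cv": best_cv,
                         "methods": sorted(per_method), "full_c2_loop": full_loop,
                         "reasons": reasons})
    return findings


def suspicious_hosts(log_text):
    """Hosts with at least two independent signals; a single signal is only logged."""
    return sorted({f["host"] for f in score_slack_usage(log_text) if len(f["reasons"]) >= 2})


if __name__ == "__main__":
    for f in score_slack_usage(SAMPLE_PROXY_LOG):
        print(f["host"], f["ua"], f["reasons"])
    print("suspicious:", suspicious_hosts(SAMPLE_PROXY_LOG))
```

Timing is the signal that survives a spoofed user agent, but a legitimate server-side integration also polls on a schedule, so an allow-list of known integration hosts is what turns this from noise into an alert. Since the traffic is valid API use from Slack's side, the detection has to live in the customer's own egress monitoring.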



While a new backdoor, Aclip is not the only malware known to abuse Slack, which
should be of note to enterprise teams now that the tool is so widely relied on
by staff working from home or in hybrid setups. The Golang-based Slack C2bot
also uses the Slack API to carry its C2 communications, and the SLUB backdoor
uses authorized tokens to talk to its C2 infrastructure.

In a statement, Slack said, "We investigated and immediately shut down the
reported Slack Workspaces as a violation of our terms of service."

"We confirmed that Slack was not compromised in any way as part of this
incident, and no Slack customer data was exposed or at risk. We are committed to
preventing the misuse of our platform and we take action against anyone who
violates our terms of service."
