Iranian Threat Actor Uses Slack API to Target Asian Airline
Passenger Reservation Data May Have Been Leaked, Researchers Say
An Iranian state-sponsored threat group is using free workspaces on messaging platform Slack to deploy a backdoor in an Asian airline's system, according to researchers.
The backdoor, dubbed Aclip, may have enabled the threat actor to access the airline's passenger reservations data, an IBM Security X-Force report says.
The backdoor, it says, sends system information, files and screenshots of the data on the victim systems to its command-and-control server, corresponding to the commands received.
"It is unclear if the adversary was able to successfully exfiltrate data from the victim's environment, although files found on the threat actor's command and control (C2) server suggest the possibility that they may have accessed reservation data," the report says.
The threat actor's focus was surveillance, as only files with "reservation management" in their names were found on the threat actor's C2 server, the report says. It does not disclose the contents of the exfiltrated archive files.
Speculating on the threat actor's motives, Sam Curry, CSO of cybersecurity company Cybereason, tells ISMG that "hotel and movement data can be used for traffic analysis, network inference and a lot of extrapolation."
"If two CEOs fly to a city, stay at a hotel, then leave right away, there is a strong chance they know each other and might be contemplating a big deal. That is information that can be used for insider trading. The same applies to generals or politicians meeting somewhere. As part of a quest for data to use strategically, airline information is valuable. Then again, it could just be about getting cash since airlines move large transactions and the credit cards used have higher yields," he says.
With "moderate confidence," the researchers suspect the threat actors to be part of Iranian nation-state group MuddyWater. They say they analyzed the tools, tactics and infrastructure of the bad actor from 2019 to 2021 to arrive at the conclusion. Also called TEMP.Zagros, Static Kitten, Seedworm and Mercury, the threat actor is known for espionage operations in the Middle East and nearby areas (see: Espionage Is Goal of Iranian Phishing Campaign).
Slack Shuts Abused Workspaces
While Slack did not respond to Information Security Media Group's request for comments, the company told the researchers that it had "investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service."
"We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service."
Using a legitimate, commonly used platform such as Slack for command and control gives actors an opportunity to camouflage their malware traffic and make it unnoticeable to security analysts, the report says.
The tactic has been deployed in multiple instances and across multiple messaging platforms, especially since the start of the COVID-19 pandemic (see: Fraudsters Flooding Collaboration Tools With Malware).
While Slack has previously been used to deliver malware, in the latest case, the platform's API was used to deliver the Aclip backdoor, the researchers say.
The Aclip Backdoor
The backdoor gets its name from a Windows batch script named 'aclip.bat.' It establishes persistence by adding a registry key and launches automatically upon system startup of the infected device, according to the report.
After successful installation, the backdoor collects basic system information - including hostname, username and the external IP address - encodes the data with Base64 and exfiltrates it to the threat actor, the report says. Further commands, it adds, are executed to connect Aclip to a different channel on the actor-controlled Slack workspace.
Overall, there are three Slack channels, the researchers say: The basic exfiltrated information is sent to the first one, further execution commands are received on the second, and requested files are uploaded to the third using the Slack files[.]upload API.
Aclip also has a screenshot function that uses PowerShell's graphic library; the screenshots are saved to the %TEMP% directory until exfiltration. After the images have been uploaded to the C2, they are deleted from the library, according to the report.
The researchers' analysis also found two custom tools - a backdoor 'Win32Drv.exe' and the web shell 'OutlookTR.aspx' - that affirmed the researchers' suspicion of MuddyWater's involvement. The group has used the tools in its earlier campaigns, they say.
Defending against threats based on collaboration tools is difficult because of the amount of legitimate traffic involved, which makes it harder to build a defensive mechanism against them, the researchers say.
The report suggests strengthening PowerShell security, as this script allows the attack to become intrusive in the first place. The countermeasures include:
- Update PowerShell to the newest stable version and disable earlier versions;
- Control access to PowerShell by limiting the users who are capable of running certain commands and functions;
- Monitor PowerShell logs, including module logging records;
- Prevent the use of PowerShell for remote execution by either disabling or restricting Windows Remote Management Service;
- Create and use YARA rules to detect malicious PowerShell scripts.
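The log-monitoring countermeasure can be sketched as a triage pass over PowerShell script-block records (event ID 4104), flagging scripts that call the Slack API and also show the collection behaviours described for Aclip. This is an added example, not code from the IBM report or from this article; the record field names, the indicator strings (`slack.com/api/`, `System.Drawing`, `CopyFromScreen` and so on) and the sample events are assumptions constructed for illustration.

```python
import re

# Patterns for behaviours the article attributes to Aclip. The concrete strings
# are assumptions chosen for illustration, not indicators from the IBM report.
INDICATORS = {
    "slack_api": re.compile(r"slack\.com/api/", re.I),
    "slack_file_upload": re.compile(r"files\.upload", re.I),
    "screen_capture": re.compile(r"System\.Drawing|CopyFromScreen", re.I),
    "base64_encode": re.compile(r"ToBase64String", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|%TEMP%", re.I),
    "host_recon": re.compile(r"\$env:COMPUTERNAME|\bhostname\b|\bwhoami\b", re.I),
}

def merge_script_blocks(events):
    """Reassemble script blocks that event 4104 logged in several parts."""
    blocks = {}
    for ev in events:
        if ev.get("event_id") != 4104:
            continue  # only script-block records carry full script text
        key = (ev["host"], ev["block_id"])
        blocks.setdefault(key, []).append((ev["part"], ev["text"]))
    return {k: "".join(t for _, t in sorted(v)) for k, v in blocks.items()}

def triage(events):
    """Alert when PowerShell calls the Slack API AND matches at least one
    other indicator; Slack use alone is too common to flag."""
    alerts = []
    for (host, block_id), text in sorted(merge_script_blocks(events).items()):
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(text))
        if "slack_api" in hits and len(hits) >= 2:
            severity = "high" if len(hits) >= 3 else "medium"
            alerts.append({"host": host, "block": block_id,
                           "severity": severity, "hits": hits})
    return alerts

# Constructed sample records (not real telemetry); field names are hypothetical.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS-01", "block_id": "a1", "part": 2,
     "text": "pi/files.upload <...>"},
    {"event_id": 4104, "host": "WS-01", "block_id": "a1", "part": 1,
     "text": 'Add-Type -AssemblyName System.Drawing; <...> CopyFromScreen <...> '
             '"$env:TEMP\\<name>.png"; Invoke-RestMethod -Uri https://slack.com/a'},
    {"event_id": 4104, "host": "WS-02", "block_id": "b2", "part": 1,
     "text": "Invoke-RestMethod -Uri https://slack.com/api/chat.postMessage -Body $msg"},
    {"event_id": 4104, "host": "WS-03", "block_id": "c3", "part": 1,
     "text": 'Add-Type -AssemblyName System.Drawing; $bmp.Save("$env:TEMP\\shot.png")'},
    {"event_id": 4103, "host": "WS-01", "text": "CommandInvocation(Get-Date)"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only WS-01: the Slack URL there is split across two logged parts, so it matches only after reassembly, while the Slack-only and screenshot-only scripts on the other hosts stay below the threshold.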
Jonathan Knudsen, senior security strategist at cybersecurity company Synopsys Software Integrity Group, says preventing such attacks requires a holistic approach.
He recommends a focused and ongoing education program to reduce employee susceptibility to phishing attacks, as well as network segmentation and implementation of a zero trust strategy to impede attackers’ lateral movement. And he says applying defense-in-depth and deny-by-default principles will increase the effort required for a breach.
"Securing the software supply chain is critical. For organizations building software, this means making security part of every phase of software development … using automated security testing tools to locate and eliminate vulnerabilities [and] managing the third-party and open-source components that go into an application and understanding where they come from and what vulnerabilities they have," Knudsen tells ISMG.
"Buyers [of software] need to know that builders have used a secure development life cycle and will need to see evidence of testing and artifacts such as a software bill of materials, or SBOM. You wouldn’t buy food without knowing its ingredients and its origin; the same principle applies to buying software."
Cybereason's Curry says that there is no shame in being targeted as a vector for transmission.
"Hackers are pulled to the most powerful and ubiquitous software, and successful applications are successful because of these qualities. What matters is the security maturity of these platforms, from Microsoft to Apple and from WhatsApp to Slack," he tells ISMG.