A suspected, state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor. 

On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian airline was the subject of the attack, which likely began in October 2019 until 2021.  The advanced persistent threat (APT) group ITG17, also known as MuddyWater, leveraged a free workspace channel on Slack to harbor malicious content and to obfuscate communications made between malicious command-and-control (C2) servers.  “It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor’s C2 server suggest the possibility that they may have accessed reservation data,” IBM says.  The Slack messaging Application Program Interface (API) was abused by a new backdoor deployed by the APT named “Aclop.” Aclip is able to harness the API to both send data and receive commands – with system data, screenshots, and files sent to an attacker-controlled Slack channel.  Overall, three separate channels were used by the backdoor to quietly exfiltrate information. Once installed and executed, the backdoor collected basic system data including hostnames, usernames, and IP addresses which were then sent to the first Slack channel after encryption.  The second channel was utilized to check for commands to execute, and the results of these commands – such as file uploads – were then sent to the third Slack workspace. 

While a new backdoor, Aclip is not the only malware known to abuse Slack – which should be of note to enterprise teams as the tool is valuable for those now often working from home or in hybrid setups. Golang-based Slack C2bot also leverages the Slack API to facilitate C2 communications, and the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure. In a statement, Slack said, “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service.” “We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Maria Diaz/ZDNETApple has disabled its most advanced data security feature, Advanced Data Protection (ADP), for UK users following a government request for access to encrypted data.Apple, a staunch opponent of encryption backdoors, chose to disable Advanced Data Protection (ADP) for UK users last Friday. ADP, which provides end-to-end encryption to ensure only account holders can access their iCloud data, is no longer available in the country. Also: The best VPN services (and how to choose the right one for you)Since its deactivation, any UK-based Apple user attempting to enable the feature is met with an error message. More

The Washington State Department of Licensing reported a cyber incident last week that may have exposed the sensitive information of more than 250,000 professionals in the state. The agency said in a statement that it “became aware of suspicious activity involving professional and occupational license data” during the week of January 24.   The Professional Online Licensing and Regulatory Information System (POLARIS) system that was affected stores information ranging from social security numbers, dates of birth and driver license numbers to other personally identifying information. “We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees. At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” the agency said. “If our investigation concludes that your personal information has been accessed, DOL will notify you and provide you with further assistance.”State Sen. Reuven Carlyle told The Seattle Times that he has been briefed on the issue, with the agency telling him that the Office of Cybersecurity became concerned after someone on the dark web claimed to have accessed the data. By the afternoon of January 24, the agency decided to shut down the licensing system entirely. The agency said it is working with the state’s Office of Cybersecurity to protect the licensing data and bring POLARIS back online. The department issues licenses for 39 types of businesses and professions, including cosmetology, real estate brokers, bail bondsmen, architects and more. The licenses are processed, issued and renewed in POLARIS.

A call center has been created for businesses trying to renew their licenses and the agency said it will not fine companies trying to renew their license during the outage. The state Attorney General’s Office keeps a running tally of the data breaches exposing information from citizens of the state. The website shows that in the attacks reported in 2022, more than 21,500 Washingtonians have been affected.  More

Prakhar Khanna/ZDNETFollow ZDNET: Add us as a preferred source More

Image: Zoom, ZDNet Zoom Tips from techrepublic Teleconferencing app Zoom announced today plans to revamp its bug bounty program as part of its long-term plan to improve the security of its service. The company has hired Luta Security, a company specialized in managing sustainable vulnerability disclosure and bug bounty programs. Luta Security is helmed by […] More