{"id":5380,"date":"2025-10-15T12:36:27","date_gmt":"2025-10-15T12:36:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5380"},"modified":"2025-10-15T12:36:27","modified_gmt":"2025-10-15T12:36:27","slug":"flax-typhoon-exploited-arcgis-to-gain-long-term-access","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5380","title":{"rendered":"Flax Typhoon exploited ArcGIS to gain long-term access"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>An advanced persistent threat (APT) group, Flax Typhoon, was able to gain persistent access to the mapping tool ArcGIS for over a year, putting several enterprises at risk.<\/p>\n<p>ArcGIS is a geospatial platform developed by ESRI, often relied upon by organizations to understand and analyze data in a geographic context.<\/p>\n<p>China-based Flax Typhoon, also known as Ethereal Panda, modified the geo-mapping application\u2019s Java server object extension (SOE) into a functioning web shell, according to new research from ReliaQuest.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3631635\/us-government-sanctions-chinese-cybersecurity-company-linked-to-apt-group.html?utm=hybrid_search\">Flax Typhoon<\/a> had gated access with a hardcoded key for exclusive control and embedded it in system backups. This helped the actor in achieving deep, long-term persistence that could survive a full system recovery. 
It prioritized persistence, lateral movement, and credential harvesting, typically gaining initial access by exploiting public-facing servers, deploying web shells, and establishing VPN connections, noted the company.<\/p>\n<p>\u201cThe tactics are getting more sophisticated in compromising and manipulating trusted components or tools such as PowerShell or custom SoEs or public-facing portal connects instead of building and injecting malware,\u201d said Neil Shah, vice president at Counterpoint Research. \u201cThis could thus go undetected as there is some form of already established baseline or higher level of trust regarding security and is whitelisted by enterprises with onus on the application or tool developer.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Turning ArcGIS into a web shell<\/h2>\n<p>The activity began with modifying an ArcGIS server SOE to behave as a web shell, ReliaQuest <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-inside-flax-typhoons-arcgis-compromise\/\" target=\"_blank\" rel=\"noopener\">explained<\/a>. The attackers found a public-facing ArcGIS server that was connected to a private, internal ArcGIS server for backend computations (a common default configuration). They then sent base64-encoded (disguised) commands to the portal server, consistent with this proxying model.<\/p>\n<p>For initial execution, the actors sent a malicious GET web request with a base64-encoded payload in the layer parameter. Decoded, it resolved to \u201ccmd.exe \/c mkdir C:\\Windows\\System32\\Bridge,\u201d instructing the server to create a hidden system directory named Bridge. This served as a private workspace for the attackers. 
A hardcoded key was appended to the request; it was required to trigger the web shell and execute commands.<\/p>\n<p>The attackers then repeatedly abused the same web shell to run additional encoded PowerShell commands, routed through the same \u201cJavaSimpleRESTSOE\u201d extension and \u201cgetLayerCountByType\u201d operation. This consistent method allowed them to advance their objectives while blending in with normal server traffic.<\/p>\n<p>Having confirmed that the web shell worked, the threat actor used discovery commands like \u201cwhoami\u201d to identify that the compromised service account had local administrator rights, and created new directories to serve as a staging area for the tools they would use later.<\/p>\n<p>The attackers then ramped up activity by scanning the internal network over various protocols, including <a href=\"https:\/\/www.csoonline.com\/article\/3966334\/public-exploits-already-available-for-a-severity-10-erlang-ssh-vulnerability-patch-now.html?utm=hybrid_search\">Secure Shell (SSH)<\/a>, HTTPS, <a href=\"https:\/\/www.csoonline.com\/article\/3623709\/nail-the-software-setup-and-avoid-attacks-with-the-top-10-cybersecurity-misconfiguration-list.html?utm=hybrid_search\">Server Message Block (SMB)<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/4037515\/win-ddos-researchers-unveil-botnet-technique-exploiting-windows-domain-controllers.html?utm=hybrid_search\">Remote Procedure Call (RPC)<\/a>, and conducting several SMB scans across different internal subnets. Next, to establish long-term access, the renamed SoftEther VPN executable \u201cbridge.exe\u201d was uploaded into the default Windows System32 directory, which reduced the chances of detection. 
The malicious SOE also provided ongoing access, and given that it was on the ArcGIS server for an extended period, it was stored in the victim\u2019s backups as well.<\/p>\n<h2 class=\"wp-block-heading\">Who is at risk?<\/h2>\n<p>In the first documented case confirmed by ArcGIS, where the malicious SOE was used, ReliaQuest identified that the password for the ArcGIS portal administrator account was a <a href=\"https:\/\/www.csoonline.com\/article\/547462\/microsoft-subnet-hackers-use-pathetic-passwords-just-like-everyone-else.html\">leet password<\/a> of unknown origin, suggesting that the attacker had access to the administrative account and was able to reset the password.<\/p>\n<p>\u201cAny organization that uses ArcGIS in a networked environment, if it is exposed externally or to other enterprise data systems, is at risk,\u201d said Devroop Dhar, co-founder and MD at Primus Partners. \u201cThe main risk is that attackers can use a compromised extension to maintain access and take out sensitive data. As ArcGIS is widely used in mapping, logistics, and public-sector planning, the data it has can be sensitive, like network maps, population records, and infrastructure layouts.\u201d<\/p>\n<p>As a result, for most enterprises, the concern is not just immediate disruption but also silent observation. If an attacker sits inside a system that tracks infrastructure or logistics, that is a serious intelligence advantage.<\/p>\n<p>\u201cTo verify if compromised, organizations should start by taking a complete inventory of all ArcGIS Server versions in their environment and enumerating every Server Object Extension (SOE) and Server Object Interceptor (SOI) in use,\u201d said Amit Jaju, senior managing director \u2013 India at Ankura Consulting. \u201cThen they should compare these against known source and vendor hash values to detect unauthorized changes. 
Conduct a detailed hunt for any anomalous SOE JAR files or class structures, hardcoded tokens or encryption keys, suspicious admin activity logs, and web shell indicators identified by security researchers.\u201d<\/p>\n<p>Jaju added that CISOs should not overlook backups or AMIs, verifying that they aren\u2019t seeded with malicious SOEs and confirming the integrity of their golden images.<\/p>\n<p>For remediation, immediately isolate affected ArcGIS servers, rotate all related service accounts and secrets, and apply strict least-privilege controls to ArcGIS service identities. \u201cRebuild compromised systems only from known-good media, redeploying extensions that are both signed and independently reviewed. Where possible, enforce code-signing validation for all SOEs to prevent tampering. Finally, strengthen your monitoring posture, add detections specifically for SOE abuse and abnormal ArcGIS administrative endpoint activity, and diversify your threat intelligence sources by subscribing to multiple feeds rather than relying solely on KEV,\u201d added Jaju.<\/p>\n<h2 class=\"wp-block-heading\">Trusted software is the new attack surface<\/h2>\n<p>Security analysts say that the Flax Typhoon case highlights a worrying evolution in the weaponization of trusted components rather than the deployment of conventional malware.<\/p>\n<p>In 2023, the same group targeted dozens of organizations in Taiwan with the likely intention of performing espionage, reported <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/08\/24\/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations\/\">Microsoft<\/a>. In 2020, SolarWinds was targeted by hackers. 
They deployed malicious code into <a href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\">SolarWinds<\/a> Orion IT monitoring and management software that was used by thousands of enterprises and government agencies worldwide.<\/p>\n<p>In March 2023, <a href=\"https:\/\/www.csoonline.com\/article\/575125\/3cx-hack-highlights-risk-of-cascading-software-supply-chain-compromises.html\">3CX<\/a> suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code.<\/p>\n<p>According to experts, threat actors have realized that compromising a trusted vendor module gives them free access. As a result, vendor software should not be treated as safe by default. \u201cTrusted platforms also need continuous verification. Regular code-integrity checks, tighter monitoring of vendor updates, and periodic pen testing of integrated systems are essential,\u201d added Dhar.<\/p>\n<p>CISOs should also push vendors to provide transparency and clarity, such as SBOMs (Software Bills of Materials) and details of their own security testing and disclosure protocols, Dhar said. \u201cIt is also important to separate privileges; just because a module comes from a trusted vendor does not mean it needs access to everything in the network.\u201d<\/p>\n<p>Using AI to monitor behavioral analytics for anomalies in real time, comparing against a long history rather than a single slice in time, is critical, Shah added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>An advanced persistent threat (APT) group, Flax Typhoon, was able to gain persistent access to the mapping tool ArcGIS for over a year, putting several enterprises at risk. ArcGIS is a geospatial platform developed by ESRI, often relied upon by organizations to understand and analyze data in a geographic context. 
China-based Flax Typhoon, also known [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5381,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5380"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5380"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5380\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5381"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}