
Chinese Hackers Utilize ArcGIS Server Vulnerabilities as Long-term Backdoor Access

Threat actors linked to China have been identified in a new operation that infiltrated an ArcGIS system, transforming it into a backdoor for over a year. The group behind this cyber espionage is known as Flax Typhoon, also referred to as Ethereal Panda or RedJuliett, and is believed to be associated with a publicly traded company, Integrity Technology Group, based in Beijing.

According to ReliaQuest, the cybersecurity firm investigating this breach, the attackers ingeniously altered a geo-mapping application to create a web shell. They secured this backdoor access using a hardcoded key embedded in the system’s backups, allowing for prolonged persistence that could withstand complete system restorations.

Flax Typhoon’s method reflects their reliance on "living-off-the-land" techniques, which involve using legitimate software tools and processes for malicious purposes, thus avoiding typical detection methods. The attack specifically targeted a public-facing ArcGIS server by compromising a portal administrator account to introduce the malicious Java server object extension (SOE).

The cybercriminals executed their plan by deploying the malicious server object extension through ArcGIS's standard extension mechanism, which allowed them to run commands on the server via its public portal while blending in with legitimate functionality, complicating detection efforts. By incorporating a hardcoded access key, they further secured their operations by preventing tampering from other potential attackers or even system administrators.

Once access was gained, the attackers utilized their web shell to conduct network exploration, establish persistence by uploading a modified SoftEther VPN executable ("bridge.exe") into the server’s "System32" folder, and create a service called "SysBridge" to ensure the executable launched automatically upon each server restart. This executable was intended to establish outbound HTTPS connections to a server controlled by the attackers, effectively creating a covert VPN link to facilitate unauthorized access to the internal network.
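The persistence step above (a dropped binary in System32 registered as an auto-start service) is the kind of thing a defender can hunt for in Windows service-installation records. The following is an added example, not code from the article or from ReliaQuest; the event records, the System32 baseline and the host names are constructed for illustration, and the indicator names come from the article.

```python
import re

# Constructed records in the shape of Event ID 7045 ("A service was installed in the system") fields.
SAMPLE_EVENTS = [
    {"host": "ARCGIS-WEB01", "ServiceName": "SysBridge",
     "ImagePath": r"C:\Windows\System32\bridge.exe", "StartType": "auto start"},
    {"host": "ARCGIS-WEB01", "ServiceName": "ArcGIS Server",
     "ImagePath": r'"C:\Program Files\ArcGIS\Server\framework\etc\ArcGISServer.exe"',
     "StartType": "auto start"},
    {"host": "FILE01", "ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs", "StartType": "demand start"},
]

# Hypothetical defender-maintained baseline of binaries expected to run as services from System32.
SYSTEM32_BASELINE = {"svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe"}
# Service name and binary name reported in the incident described above.
REPORTED_INDICATORS = {"sysbridge", "bridge.exe"}

def service_binary(image_path: str) -> str:
    """Return the lower-cased executable path from an ImagePath value, dropping any arguments."""
    s = image_path.strip()
    m = re.match(r'"([^"]+)"', s)          # quoted path (may contain spaces)
    path = m.group(1) if m else s.split(" ")[0]
    return path.lower()

def review_service_install(event: dict) -> list[str]:
    """Return the reasons a service-install record deserves analyst attention (empty if none)."""
    path = service_binary(event["ImagePath"])
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if path.startswith(r"c:\windows\system32" + "\\") and name not in SYSTEM32_BASELINE:
        reasons.append("unbaselined binary in System32")
    if event["ServiceName"].lower() in REPORTED_INDICATORS or name in REPORTED_INDICATORS:
        reasons.append("matches reported indicator")
    if reasons and "auto" in event["StartType"].lower():
        reasons.append("auto-start (survives reboot)")
    return reasons

def hunt(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Run every record through the review and return (host, service name, reasons) for the hits."""
    hits = []
    for ev in events:
        reasons = review_service_install(ev)
        if reasons:
            hits.append((ev["host"], ev["ServiceName"], reasons))
    return hits

if __name__ == "__main__":
    for host, svc, why in hunt(SAMPLE_EVENTS):
        print(f"{host}: service '{svc}' -> {', '.join(why)}")
```

The baseline check is what generalizes beyond this one incident: a renamed binary would evade the indicator match but still be an unbaselined auto-start service living in System32.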

The group specifically aimed at two IT personnel workstations to harvest credentials and deepen their infiltration. Findings from further investigations revealed that the attackers had access to an administrative account and managed to reset passwords for additional entry.

This incident underscores both the creativity and sophistication of modern cyber threats, as it showcases how attackers can manipulate legitimate functions within trusted systems to elude conventional security measures. Recognizing the potential for legitimate tools and processes to be weaponized highlights the need for stronger defensive strategies against evolving cyber threats.
