(TLP:CLEAR) Chinese State-Sponsored Threat Actors Exploit ArcGIS Systems for Persistent Access

Summary: Yesterday, researchers at ReliaQuest reported that the Chinese threat group known as Flax Typhoon gained access to an ArcGIS system and maintained access for over a year by exploiting legitimate software functionality. The group modified a legitimate Java Server Object Extension (SOE) within ArcGIS into a web shell, enabling covert command execution and long-term system control. At the time of writing, no CVE has been publicly assigned to this vulnerability.

Analyst Note: Flax Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group that has been operational since at least mid-2021. Like other Chinese-affiliated groups, Flax Typhoon utilizes living-off-the-land (LOTL) techniques by using legitimate tools of a target system to remain undetected for prolonged periods. This newly discovered backdoor in ArcGIS is another demonstration of how these threat actors operate, by abusing trusted tools and services to bypass security measures and gain unauthorized access to victims’ systems and blend in with normal server traffic.

WaterISAC encourages members to remain vigilant in their security monitoring efforts as Chinese-affiliated threat actors such as Flax Typhoon primarily target critical infrastructure organizations across various sectors, including water and wastewater systems. Furthermore, members are encouraged to review the report from ReliaQuest, which includes defensive lessons from this innovative attack and the steps this threat actor took to maintain year-long persistence.

Original Source: https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise

Additional Reading:

• Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year

Related WaterISAC PIRs: 6, 7, 7.1, 10, 12