A Chinese state-sponsored hacking group, identified as Flax Typhoon—also known as Ethereal Panda and RedJuliett—has been implicated in a sophisticated cyber espionage campaign that compromised an ArcGIS server, maintaining unauthorized access for over a year. This group is believed to be associated with Integrity Technology Group, a publicly-traded company based in Beijing.
According to cybersecurity firm ReliaQuest, Flax Typhoon ingeniously transformed a Java server object extension (SOE) within the ArcGIS application into a functional web shell. By embedding a hardcoded key to restrict access and integrating the malicious SOE into system backups, the attackers ensured persistent control that could withstand full system recoveries.
Flax Typhoon is known for its stealthy operations, relying heavily on living-off-the-land (LotL) techniques and hands-on-keyboard activity. This approach allows them to exploit legitimate software components for malicious purposes while evading detection. The group’s tactics underscore a growing trend among cyber adversaries: leveraging trusted tools and services to circumvent security measures and gain unauthorized access, all while blending seamlessly with normal server traffic.
Attack Methodology:
The attack commenced with Flax Typhoon targeting a publicly accessible ArcGIS server. By compromising a portal administrator account, they deployed a malicious SOE. This extension, activated through a standard ArcGIS feature known as JavaSimpleRESTSOE, allowed the attackers to execute commands on the internal server via the public portal, making their activities challenging to detect. The inclusion of a hardcoded key ensured exclusive control, preventing interference from other potential attackers or even system administrators.
Once the web shell was operational, the attackers conducted network reconnaissance and established persistence by uploading a renamed SoftEther VPN executable, bridge.exe, into the System32 directory. They then created a service named SysBridge to automatically launch this binary upon each server reboot. The bridge.exe process initiated outbound HTTPS connections to an attacker-controlled IP address on port 443, effectively creating a covert VPN channel to an external server.
This VPN bridge enabled the attackers to extend the target’s local network to a remote location, making it appear as though they were part of the internal network. This tactic allowed them to bypass network-level monitoring, facilitating further lateral movement and data exfiltration.
Targeted Exploitation:
Flax Typhoon specifically targeted two workstations belonging to IT personnel to obtain credentials and deepen their infiltration into the network. Investigations revealed that the adversaries had access to administrative accounts and were capable of resetting passwords, further solidifying their control over the compromised systems.
Implications and Recommendations:
This attack highlights the creativity and sophistication of modern cyber adversaries and the inherent risks of trusted system functionalities being weaponized to evade traditional detection methods. It underscores the necessity for organizations to not only monitor for overtly malicious activities but also to recognize how legitimate tools and processes can be manipulated for nefarious purposes.
To mitigate such threats, organizations should:
– Regularly Update and Patch Systems: Ensure that all software, especially publicly accessible applications like ArcGIS, is up to date with the latest security patches.
– Implement Strong Access Controls: Enforce strict access controls and regularly review administrative accounts to detect unauthorized changes.
– Monitor Network Traffic: Utilize advanced monitoring tools to detect unusual network activities, such as unexpected outbound connections or the creation of new services.
– Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate potential vulnerabilities within the network infrastructure.
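The monitoring recommendation above maps directly onto the persistence chain described earlier: a new service pointing at an unfamiliar binary in System32, a binary whose version information identifies it as SoftEther VPN, and outbound port-443 traffic from that binary to an address outside the internal ranges. The following is an added illustration, not code from ReliaQuest or from the report, of how a defender might correlate those three signals; the event shapes, the System32 allowlist, the RFC1918-only internal ranges and all sample telemetry are assumptions constructed for the example.

```python
from dataclasses import dataclass
import ipaddress

# Service binaries expected in System32 on this host (assumed allowlist; a real
# deployment derives it from a golden image or the OS baseline).
KNOWN_SYSTEM32_SERVICE_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe"}
# Ranges treated as "internal" for this example (assumed: RFC1918 only).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class ServiceInstall:          # shaped like a System log 7045 "service was installed" record
    service_name: str
    image_path: str
    product_name: str          # ProductName from the binary's version resource (assumed collected)

@dataclass
class OutboundConnection:      # shaped like a process network-connect event
    image_path: str
    dest_ip: str
    dest_port: int

def _binary(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]

def find_suspicious_services(installs, connections):
    """Return {service_name: [reasons]} for installs matching the pattern in the report."""
    findings = {}
    for ev in installs:
        reasons, binary = [], _binary(ev.image_path)
        if "\\windows\\system32\\" in ev.image_path.lower() and binary not in KNOWN_SYSTEM32_SERVICE_BINARIES:
            reasons.append(f"unexpected service binary in System32: {binary}")
        if "softether" in ev.product_name.lower():
            reasons.append(f"version info identifies {binary} as a SoftEther VPN binary")
        for c in connections:
            external = not any(ipaddress.ip_address(c.dest_ip) in net for net in INTERNAL_RANGES)
            if _binary(c.image_path) == binary and c.dest_port == 443 and external:
                reasons.append(f"service binary connects out to {c.dest_ip}:443")
        if reasons:
            findings[ev.service_name] = reasons
    return findings

# Constructed sample telemetry (not from the incident): one benign service, one matching the report.
SAMPLE_INSTALLS = [
    ServiceInstall("Spooler", r"C:\Windows\System32\spoolsv.exe", "Microsoft Windows Operating System"),
    ServiceInstall("SysBridge", r"C:\Windows\System32\bridge.exe", "SoftEther VPN"),
]
SAMPLE_CONNECTIONS = [
    OutboundConnection(r"C:\Windows\System32\bridge.exe", "203.0.113.10", 443),   # TEST-NET placeholder
    OutboundConnection(r"C:\Windows\System32\spoolsv.exe", "10.0.0.25", 9100),
]

if __name__ == "__main__":
    for name, why in find_suspicious_services(SAMPLE_INSTALLS, SAMPLE_CONNECTIONS).items():
        print(name, "->", "; ".join(why))
```

Any one signal alone is noisy; requiring the service-install event to coincide with either the version-info mismatch or the external 443 beacon from the same binary is what makes the alert worth paging on.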
By adopting these proactive measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by Flax Typhoon.