
"Researchers at ReliaQuest say that the espionage outfit, which Microsoft tracks as a China-based state-sponsored actor, modified a legitimate ArcGIS server object extension (SOE) to act as a web shell, giving them long-term, near-invisible access. By exploiting ArcGIS' extensibility features while avoiding traditional, signature-based malware, Flax Typhoon embedded itself so deeply that even restoring systems from backups simply reinstalled the implant."
"The SOE component was modified to accept base64-encoded commands passed through REST API parameters, and the attackers secured their access with a hardcoded secret key, ensuring that only they could communicate with it. Flax Typhoon leveraged valid credentials - reportedly a portal administrator account - to deploy the malicious extension. That allowed them to mask their activity as routine system operations, slipping under many defenders' radar."
A China-based state-sponsored cybergang, Flax Typhoon, modified a legitimate ArcGIS server object extension (SOE) into a web shell to gain long-term, near-invisible access. The attackers exploited ArcGIS extensibility and avoided signature-based malware, embedding the implant so deeply that restoring systems from backups reinstalled the malicious component. The SOE accepted base64-encoded commands via REST API parameters and required a hardcoded secret key for access. Deployment used valid credentials, reportedly a portal administrator account, allowing activity to appear as routine operations and slip past many defenders. Compromising ArcGIS risks geospatial, infrastructure, and environmental systems, and backups can become a reinfection vector.
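As an added illustration (not code from the article, ReliaQuest or Esri), the following sweep runs over constructed ArcGIS Server access-log lines and flags requests to SOE endpoints whose query parameters decode from base64 into shell-like commands, the traffic pattern the article describes. The REST path shape, the `RouteSOE` extension name, the `cmd` and `key` parameter names and all addresses are assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# REST path shape under which ArcGIS Server exposes a server object extension
# (.../<service>/<type>/exts/<extension>/...). Assumed for the example.
SOE_PATH = re.compile(r"/rest/services/.+?/exts/(?P<soe>[^/?]+)", re.IGNORECASE)
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/')
# Tokens that ordinary SOE parameters should never decode to.
SHELL_HINTS = ("whoami", "ipconfig", "cmd.exe", "powershell", "net user", "&&", "||", " | ")

# Constructed sample log lines (not real traffic); the second carries a
# base64-encoded "whoami && ipconfig" plus an invented "key" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/RouteSOE/solve?f=json&stops=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2025:10:03:44 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/RouteSOE/solve?key=s3cr3t&cmd=d2hvYW1pICYmIGlwY29uZmln HTTP/1.1" 200 88
10.0.0.7 - - [12/Oct/2025:10:04:10 +0000] "GET /arcgis/rest/services/Roads/MapServer/query?where=1%3D1&f=json HTTP/1.1" 200 9000
"""

def decode_command(value):
    """Return decoded text if value is strict base64 of printable ASCII that
    contains a shell-like token; otherwise None (short or binary values are noise)."""
    if len(value) < 8:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    if not text.isprintable():
        return None
    return text if any(h in text.lower() for h in SHELL_HINTS) else None

def find_soe_command_requests(log_text):
    """Flag SOE requests whose query string carries a base64-encoded command."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        soe = SOE_PATH.search(url.path)
        if not soe:
            continue  # not an extension endpoint
        params = parse_qs(url.query)
        for name, values in params.items():
            for value in values:
                decoded = decode_command(value)
                if decoded:
                    findings.append({"client": m.group("client"), "soe": soe.group("soe"),
                                     "param": name, "command": decoded,
                                     "other_params": sorted(set(params) - {name})})
    return findings

if __name__ == "__main__":
    for finding in find_soe_command_requests(SAMPLE_LOG):
        print(finding)
```

The `other_params` field surfaces companion parameters such as a fixed access key, which is worth pivoting on when hunting for the same extension across other hosts or restored backups.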
Read at Theregister