
"According to the U.S. government, it's assessed to be a publicly-traded, Beijing-based company known as Integrity Technology Group. 'The group cleverly modified a geo-mapping application's Java server object extension (SOE) into a functioning web shell,' the cybersecurity company said in a report shared with The Hacker News. 'By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery.'"
"The 'unusually clever attack chain' involved the threat actors targeting a public-facing ArcGIS server by compromising a portal administrator account to deploy a malicious SOE. 'The attackers activated the malicious SOE using a standard [JavaSimpleRESTSOE] ArcGIS extension, invoking a REST operation to run commands on the internal server via the public portal, making their activity difficult to spot,' ReliaQuest said. 'By adding a hard-coded key, Flax Typhoon prevented other attackers, or even curious admins, from tampering with its access.'"
Chinese state-sponsored group Flax Typhoon (aka Ethereal Panda/RedJuliett), assessed as Integrity Technology Group, compromised a public-facing ArcGIS server and maintained access for over a year. The actors modified a Java server object extension (SOE) into a functioning web shell, gated by a hardcoded key and embedded in system backups to survive recovery. They compromised a portal administrator account to deploy the malicious SOE and used the JavaSimpleRESTSOE extension and REST operations to run internal commands via the public portal. Flax Typhoon relies on living-off-the-land methods and hands-on-keyboard activity, abusing trusted tools to evade detection and maintain persistence.
Read at The Hacker News