Threat Intelligence

Novel Flax Typhoon campaign exploited ArcGIS for extended persistence

Chinese state-backed threat operation Flax Typhoon, also known as RedJuliett and Ethereal Panda, converted a hijacked internet-exposed ArcGIS server (ArcGIS is a widely used geo-mapping application) into a backdoor and went undetected for over a year, The Hacker News reports.

The threat actors used a breached portal administrator account to compromise the ArcGIS server with an illicit Java server object extension (SOE). This web shell enabled not only network discovery and persistence but also the creation of a service that automatically launched a binary on reboot, according to an analysis from ReliaQuest.

Further scanning led to the targeting of a pair of workstations, from which credentials were obtained to extend the compromise across the network. The attackers were then able to take over the admin account and perform password resets.

"This attack highlights not just the creativity and sophistication of attackers but also the danger of trusted system functionality being weaponized to evade traditional detection," said ReliaQuest researchers.
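The two persistence mechanisms described above, an unexpected server object extension and a service that launches a binary at boot, are both things a defender can baseline and diff. The script below is an added example written for this page, not ReliaQuest's tooling or anything from Esri. It audits a constructed inventory of registered SOEs and Windows services against a known-good allowlist and flags entries that are unknown, recently added, or running from an untrusted directory. The JSON shapes, names, paths and timestamps are all constructed for illustration; they are assumed to resemble what an administrator could export, not the real ArcGIS Administrator API schema.

```python
"""Audit ArcGIS Server SOE registrations and Windows auto-start services
against a known-good baseline.

Added example (not ReliaQuest's or Esri's code). All inventory data below is
constructed; the field names are assumptions, not the real API schema.
"""
import json
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Constructed reference time so the audit is deterministic for the reader.
REFERENCE_TIME = datetime(2025, 10, 1, tzinfo=timezone.utc)

# Constructed sample: registered server object extensions (SOEs).
# 'Telemetry.soe' stands in for an extension nobody on the team registered.
EXTENSIONS_JSON = json.dumps({
    "extensions": [
        {"name": "NetworkAnalysis.soe", "uploadedBy": "siteadmin",
         "uploaded": "2024-03-02T10:11:00Z"},
        {"name": "Telemetry.soe", "uploadedBy": "portaladmin",
         "uploaded": "2025-09-28T02:47:00Z"},
    ]
})

# Constructed sample: Windows services with start type, binary path and creation time.
SERVICES_JSON = json.dumps({
    "services": [
        {"name": "ArcGISServer", "startType": "auto",
         "binPath": r"C:\Program Files\ArcGIS\Server\framework\etc\service\bin\ArcSOC.exe",
         "created": "2024-03-02T10:11:00Z"},
        {"name": "WinUpdateSvc", "startType": "auto",
         "binPath": r"C:\Users\Public\svc\updater.exe",
         "created": "2025-09-28T03:02:00Z"},
    ]
})

# Baseline (assumed): SOEs the site is expected to have, and directories from
# which auto-start services are expected to run.
EXPECTED_EXTENSIONS = {"NetworkAnalysis.soe"}
TRUSTED_SERVICE_DIRS = (r"C:\Windows\System32", r"C:\Program Files",
                        r"C:\Program Files (x86)")


def _parse_ts(value):
    # ISO-8601 with a trailing 'Z'; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _under_trusted_dir(bin_path):
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    p = PureWindowsPath(bin_path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_SERVICE_DIRS)


def audit_extensions(extensions_json, expected, now, recent_days=30):
    """Flag SOEs that are not allowlisted or were uploaded within recent_days."""
    findings = []
    for ext in json.loads(extensions_json)["extensions"]:
        reasons = []
        if ext["name"] not in expected:
            reasons.append("not in allowlist")
        if now - _parse_ts(ext["uploaded"]) < timedelta(days=recent_days):
            reasons.append("uploaded in last %d days" % recent_days)
        if reasons:
            findings.append({"type": "soe", "name": ext["name"],
                             "uploadedBy": ext["uploadedBy"], "reasons": reasons})
    return findings


def audit_services(services_json, now, recent_days=30):
    """Flag auto-start services outside trusted directories or created recently."""
    findings = []
    for svc in json.loads(services_json)["services"]:
        if svc["startType"] != "auto":
            continue  # only boot-time persistence is of interest here
        reasons = []
        if not _under_trusted_dir(svc["binPath"]):
            reasons.append("binary outside trusted directories")
        if now - _parse_ts(svc["created"]) < timedelta(days=recent_days):
            reasons.append("created in last %d days" % recent_days)
        if reasons:
            findings.append({"type": "service", "name": svc["name"],
                             "binPath": svc["binPath"], "reasons": reasons})
    return findings


def run_audit(now=REFERENCE_TIME):
    """Run both audits and return the combined list of findings."""
    return (audit_extensions(EXTENSIONS_JSON, EXPECTED_EXTENSIONS, now)
            + audit_services(SERVICES_JSON, now))


if __name__ == "__main__":
    for finding in run_audit():
        print(json.dumps(finding))
```

On the constructed data the audit reports two findings: the unlisted, recently uploaded `Telemetry.soe` (registered by the portal administrator account, which is the account the attackers held in the incident above) and the auto-start `WinUpdateSvc` pointing at a binary under `C:\Users\Public`. In practice the inventory would be exported from the ArcGIS Server administrator interface and from the service control manager, and the allowlist kept under change control so that a diff against it is meaningful.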
