EXECUTIVE SUMMARY:
Flax Typhoon, a China-based advanced persistent threat (APT) group, carried out a cyber-espionage operation by compromising a server running the widely used ArcGIS platform. The attack illustrates the group's ability to turn legitimate software components into covert, long-term access to targeted systems. The breach remained undetected, which raises significant concerns about the security of public-facing applications.
Flax Typhoon gained entry to a public-facing ArcGIS server by first compromising a portal administrator account. The attackers then deployed a malicious Java Server Object Extension (SOE), turning the extension mechanism into a functional web shell. Access to the web shell was gated by a hardcoded key, so that only the attackers could operate it and nobody else could tamper with it. To achieve persistence, the malicious SOE was embedded in system backups, so the threat actors retained access even after the system was restored from backup. This foothold let them execute commands, conduct network discovery, and harvest credentials across multiple hosts, all while blending in with normal server traffic and evading traditional detection mechanisms.
The Flax Typhoon campaign underscores the need for organizations to reassess their security postures concerning public-facing applications. Traditional security measures, such as signature-based detection, proved inadequate against this novel attack vector. It is imperative for organizations to implement proactive threat hunting, focusing on unusual behavior within legitimate tools, and to treat all public-facing applications as high-risk assets. By doing so, they can better defend against threats that exploit trusted software components.
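As an added illustration of the behavioural hunting recommended above (not code from the report or from any vendor), the script below scans web-server access logs for calls to ArcGIS Server Object Extension endpoints that carry operating-system-command-like parameters, that name an SOE absent from the approved inventory, or that repeat one constant parameter value across every suspicious request (the pattern a hardcoded access key would leave). The log format, URL paths, SOE names and IP addresses are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs
from collections import Counter

# Constructed sample access-log lines (format, paths, SOE names and addresses are
# assumptions made for this example; they are not values from the report).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /arcgis/rest/services/Maps/Parcels/MapServer/exts/ReportTool/run?key=a1b2c3&cmd=whoami HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2025:10:00:09 +0000] "GET /arcgis/rest/services/Maps/Parcels/MapServer/exts/ReportTool/run?key=a1b2c3&cmd=net+user+/domain HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /arcgis/rest/services/Maps/Parcels/MapServer/export?bbox=1,2,3,4&f=json HTTP/1.1" 200 40960
198.51.100.7 - - [01/Jan/2025:10:01:30 +0000] "GET /arcgis/rest/services/Maps/Parcels/MapServer/exts/GeomTool/buffer?distance=5&f=json HTTP/1.1" 200 300
203.0.113.10 - - [01/Jan/2025:10:02:30 +0000] "GET /arcgis/rest/services/Maps/Parcels/MapServer/exts/ReportTool/run?key=a1b2c3&cmd=ipconfig+/all HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Tokens that have no business in a map-service extension parameter.
CMD_RE = re.compile(r'\b(whoami|ipconfig|net\s+user|cmd\.exe|powershell|tasklist|reg\s+save)\b', re.I)

def hunt_soe_webshell(log_text, approved_soes):
    """Return (findings, repeated_params). A finding is an SOE call that carries an
    OS-command-like parameter or names an SOE missing from the approved inventory.
    repeated_params lists (name, value) pairs constant across all findings: a
    candidate hardcoded access key."""
    findings, value_counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        segs = parts.path.split('/')
        if 'exts' not in segs:
            continue  # ordinary map-service request, not an extension call
        soe = segs[segs.index('exts') + 1]
        params = parse_qs(parts.query)  # decodes '+' as space, so "net+user" matches
        reasons = []
        if soe not in approved_soes:
            reasons.append('unknown SOE')
        if any(CMD_RE.search(v) for vals in params.values() for v in vals):
            reasons.append('command-like parameter')
        if reasons:
            findings.append({'ip': m['ip'], 'soe': soe, 'reasons': reasons})
            for name, vals in params.items():
                for v in vals:
                    value_counts[(name, v)] += 1
    repeated = [kv for kv, n in value_counts.items() if n > 1 and n == len(findings)]
    return findings, repeated
```

Feed it the real access log and the list of SOEs your GIS team actually deployed; any unknown SOE or command-like parameter is worth a manual look, and a constant value repeated across all hits points at the key the operators use to authenticate to their shell.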
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Credential Access | T1003.002 | OS Credential Dumping | Security Account Manager |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: