
The Flax Typhoon Ravaged ArcGIS County for Over a Year

Javier Conejo del Cerro
2 days ago
3 min read

For over a year, a Chinese-sponsored campaign silently transformed ArcGIS servers into hidden backdoors. The operation, led by the group known as Flax Typhoon (also tracked as Ethereal Panda or RedJuliett), showcased a sophisticated use of legitimate software components to maintain persistence and evade detection. By modifying an ArcGIS Java Server Object Extension (SOE) into a functioning web shell, secured by a hardcoded access key and embedded in backups, the attackers achieved long-term infiltration without relying on software vulnerabilities — exploiting instead a weakness in security practices.


Phase 1: The Silent Infiltration


Flax Typhoon began by compromising portal administrator accounts on public-facing ArcGIS servers.

The initial access likely came through weak or reused credentials rather than zero-day exploits, aligning with the group’s preference for stealth over aggression. Once inside, the attackers modified the legitimate JavaSimpleRESTSOE component — an ordinary ArcGIS extension — turning it into a malicious web shell that could execute commands remotely via REST operations.

Because this activity appeared as standard ArcGIS traffic, it blended into normal server behavior and remained invisible to most monitoring systems.


Phase 2: Turning the Server Against Itself


With control of the compromised ArcGIS environment, Flax Typhoon established persistence by embedding the altered SOE in system backups, ensuring it would survive even after a full server recovery.

They uploaded a disguised SoftEther VPN executable (“bridge.exe”) into the System32 directory, then created a SysBridge service that automatically restarted with every reboot.

This service connected outbound via HTTPS (port 443) to attacker-controlled infrastructure, creating a covert VPN bridge between the victim’s internal network and the threat actor’s remote servers.

Through this encrypted channel, Flax Typhoon could conduct network discovery, lateral movement, credential harvesting, and data exfiltration — all while appearing to operate within legitimate processes.


Phase 3: Living Off the Land


Flax Typhoon leveraged living-off-the-land (LotL) techniques to sustain access without triggering alerts.

Rather than deploying noisy malware or exploiting new vulnerabilities, the group repurposed the victim’s own software architecture and trusted processes.

By embedding the backdoor in routine backup mechanisms, they achieved long-term stealth, evading detection by endpoint protection tools and security scans.

The persistence mechanism also allowed them to reinfect systems automatically after resets or restorations, guaranteeing uninterrupted access for more than a year.


Phase 4: Exfiltration and Control


The covert VPN bridge enabled a continuous stream of outbound HTTPS traffic to attacker-controlled IP addresses, effectively extending the victim’s internal network into Flax Typhoon’s infrastructure.

From there, they performed lateral movement across IT environments, targeting administrator workstations to escalate privileges, reset passwords, and collect sensitive information including configuration files, backups, credentials, GIS datasets, and virtual machine snapshots.



Measures to fend off such threats:


  • Audit ArcGIS SOEs and system backups for unknown or unsigned extensions.

  • Remove suspicious binaries and services (e.g., SysBridge, bridge.exe).

  • Rotate administrative credentials and enforce MFA for portal access.

  • Restrict external management interfaces (HTTP/HTTPS/SSH).

  • Patch and update ArcGIS servers regularly.

  • Monitor outbound HTTPS and VPN traffic for anomalous tunneling behavior.

  • Deploy EDR solutions capable of detecting persistence and covert network activity.
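The first two measures can be turned into a repeatable hunt. The script below is an added example, not part of the original post or any ArcGIS tooling: it flags a service registered as SysBridge or backed by bridge.exe under System32, and compares deployed SOE packages (or packages restored from a backup) against SHA-256 hashes recorded at install time, so an altered JavaSimpleRESTSOE stands out. The service records, the .soe file name and the package bytes are constructed sample data.

```python
import hashlib

# Constructed service inventory, as an admin might export it from the host.
SERVICES = [
    {"name": "ArcGIS Server", "path": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe", "start": "auto"},
    {"name": "SysBridge", "path": r"C:\Windows\System32\bridge.exe", "start": "auto"},
]


def suspicious_services(services):
    """Flag the persistence indicators named in the report: a service called
    SysBridge, or any service whose binary is bridge.exe inside System32
    (the name check alone would miss a renamed service)."""
    hits = []
    for svc in services:
        path = svc["path"].lower().replace("/", "\\")
        if svc["name"].lower() == "sysbridge" or path.endswith("\\system32\\bridge.exe"):
            hits.append(svc["name"])
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def altered_soes(deployed: dict, baseline: dict) -> dict:
    """deployed maps SOE file name -> package bytes found on the server or in a
    backup; baseline maps file name -> SHA-256 taken at deployment time.
    Returns {file name: reason} for every unknown or modified extension."""
    findings = {}
    for name, data in deployed.items():
        if name not in baseline:
            findings[name] = "unknown extension"
        elif sha256(data) != baseline[name]:
            findings[name] = "hash mismatch"
    return findings


# Constructed package contents: the pristine SOE and a tampered copy.
ORIGINAL = b"JavaSimpleRESTSOE original package"
TAMPERED = b"JavaSimpleRESTSOE package with injected command handler"
BASELINE = {"JavaSimpleRESTSOE.soe": sha256(ORIGINAL)}   # recorded at install
DEPLOYED = {"JavaSimpleRESTSOE.soe": TAMPERED, "Unlisted.soe": b"never approved"}

if __name__ == "__main__":
    print("services:", suspicious_services(SERVICES))
    print("SOEs:", altered_soes(DEPLOYED, BASELINE))
```

Run the same comparison against every backup set, not only the live server, since the report notes the altered SOE was reintroduced from backups after recovery.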


The exfiltration stage demonstrated a clear focus on data persistence and espionage rather than financial gain, consistent with Flax Typhoon’s state-linked objectives.

The Flax Typhoon operation exemplifies a new generation of stealth campaigns — ones that exploit trust and configuration, not code. By reusing legitimate components, embedding persistence in backups, and leveraging system tools, the attackers bypassed conventional defenses and gained unmatched durability.

To defend against similar campaigns, organizations must focus on proactive detection and hygiene rather than reactive patching.



The Hacker News