Flax Typhoon Hackers Exploit ArcGIS Vulnerability for Covert Espionage Operations
October 14, 2025
The foothold came from valid credentials rather than a software exploit: using an ArcGIS portal administrator account, the attackers uploaded a malicious Java server object extension (SOE) that functioned as a web shell, and a hardcoded secret key baked into the SOE ensured that only they could invoke it.
The chain was to compromise the public-facing ArcGIS server through the portal administrator account, deploy the malicious SOE, and then drive it with ordinary REST requests to the server, so command execution blended into legitimate ArcGIS traffic and a trusted system became the launch point for the rest of the operation.
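A REST-driven web shell of this kind leaves a trail in the access logs of whatever proxy or web adaptor fronts ArcGIS Server. The following Python is an added example, not code from the page's sources or from Esri: it parses a few constructed access-log lines (the SOE name MapToolsSOE, the client addresses, the `key` parameter and the commands are all made up), flags calls to any SOE that is not in an assumed baseline list, and reports request parameters whose value never changes across a client's calls, which is what a hardcoded access key looks like on the wire. SOE operations are addressed under `/rest/services/<service>/<type>Server/exts/<SOE>/<operation>`; the baseline set is illustrative and should be replaced with your own inventory.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common log format as written by a reverse proxy or web adaptor in front of
# ArcGIS Server: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# SOE operations live at /rest/services/<service>/<type>Server/exts/<SOE>/<op>
SOE_RE = re.compile(r"/rest/services/(?P<service>.+?)/exts/(?P<soe>[^/]+)(?:/(?P<op>[^/]+))?")

# Assumed baseline of extensions this deployment is known to expose.
# Illustrative only; inventory your own servers.
BASELINE_SOES = {"NAServer", "WMSServer", "WFSServer"}

# Constructed sample log lines (not real traffic). 203.0.113.77 drives a made-up
# SOE "MapToolsSOE" with a fixed key= parameter, the pattern a keyed web shell leaves.
SAMPLE_LOG = """\
10.0.8.14 - - [12/Oct/2025:09:14:02 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/NAServer/solve?f=json HTTP/1.1" 200 5120
203.0.113.77 - - [12/Oct/2025:09:15:41 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/MapToolsSOE/exec?f=json&key=7f3a9c1e&cmd=whoami HTTP/1.1" 200 212
10.0.8.22 - - [12/Oct/2025:09:15:58 +0000] "GET /arcgis/rest/services/Parcels/MapServer/export?f=image&bbox=-122,37,-121,38 HTTP/1.1" 200 84120
203.0.113.77 - - [12/Oct/2025:09:16:07 +0000] "GET /arcgis/rest/services/Parcels/MapServer/exts/MapToolsSOE/exec?f=json&key=7f3a9c1e&cmd=ipconfig+/all HTTP/1.1" 200 1490
203.0.113.77 - - [12/Oct/2025:09:21:33 +0000] "POST /arcgis/rest/services/Parcels/MapServer/exts/MapToolsSOE/upload?f=json&key=7f3a9c1e&name=vpnbridge.zip HTTP/1.1" 200 64
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_soe_invocations(lines, baseline=BASELINE_SOES):
    """Group SOE calls by (client, SOE) and return one finding per non-baseline SOE."""
    calls = defaultdict(list)
    for line in lines:
        rec = parse_line(line.rstrip())
        if rec is None:
            continue
        m = SOE_RE.search(rec["path"])
        if m is None:
            continue
        rec["soe"], rec["op"] = m["soe"], m["op"] or ""
        calls[(rec["ip"], rec["soe"])].append(rec)

    findings = []
    for (ip, soe), recs in sorted(calls.items()):
        if soe in baseline:
            continue
        # A parameter whose value is identical on every call (ignoring the
        # ArcGIS output-format switch f=) behaves like a hardcoded access key.
        names = set().union(*(r["params"] for r in recs)) - {"f"}
        constant = {}
        for name in names:
            values = {r["params"].get(name) for r in recs}
            if len(values) == 1:
                constant[name] = values.pop()
        findings.append({
            "ip": ip,
            "soe": soe,
            "calls": len(recs),
            "operations": sorted({r["op"] for r in recs}),
            "constant_params": constant,
        })
    return findings


if __name__ == "__main__":
    for finding in find_soe_invocations(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against real logs, the interesting output is any SOE name you do not recognise, and within that, a client that always sends the same opaque parameter; the constant-parameter heuristic will also fire on legitimate API keys, so it is a pivot for triage rather than an alert on its own.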
The actor behind the campaign is Flax Typhoon, a Chinese state-backed espionage group active since at least 2021 that has targeted critical infrastructure in the U.S., Taiwan, and Europe and typically relies on legitimate tools to keep long-term access.
Flax Typhoon has previously been tied to large-scale botnets and has been sanctioned by U.S. authorities, which underlines both its capability and its persistent focus on espionage.
Given that track record, Flax Typhoon is likely to re-emerge with the same espionage and infrastructure focus.
The campaign shows how attackers increasingly abuse legitimate tools and services to evade detection, move laterally, and exfiltrate data; defenders therefore need to watch for activity that looks legitimate but has been manipulated, not only for known-bad indicators.
ReliaQuest cautions that the underlying weakness is not specific to ArcGIS: it is the broader risk from external integrations and third-party components in enterprise systems, and organizations should treat every such entry point as high risk.
Once the VPN channel was up, the attackers used it for lateral movement, network scanning, credential dumping, and data exfiltration; because that channel was independent of the web shell, the access often went undetected and survived even after the web shell was removed.
The intrusion exploited weaknesses in how the software was deployed and managed, exposing a gap between ArcGIS's built-in security features and real-world configurations.
The attackers also attempted privilege escalation and credential harvesting, including targeting the Security Account Manager (SAM) database and Active Directory, consistent with active lateral movement.
Researchers found that Flax Typhoon modified a legitimate ArcGIS server object extension (SOE) into a stealthy web shell, giving long-term access that traditional malware detection does not catch, since the component is a sanctioned part of the product.
Flax Typhoon, linked to China, sat inside an ArcGIS server for more than a year, turning the software itself into a covert backdoor for espionage and exploiting a common blind spot: trusted, extensible server software is rarely checked for hostile extensions.
Through the web shell the group downloaded and installed SoftEther VPN Bridge, which established an encrypted HTTPS connection and gave the attackers a hidden, persistent VPN channel into the network.
That VPN setup let the attackers run remote commands, transfer files, and keep persistence while avoiding detection; the malicious components were also captured in system backups, so restoring from backup would reinfect the server.
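Because the malicious SOE rode along in backups, a server restored from backup should be checked before it is returned to service. The following Python is an added example, not code from the page's sources or from Esri: it hashes every .soe package in a directory against a pinned baseline, and for any package that is unknown or whose hash changed, opens the package (a .soe is treated here as a zip archive holding the extension jar, which is an assumption about the packaging) and scans the class files for constant-pool markers of process execution such as java/lang/Runtime and java/lang/ProcessBuilder. The sample directory and all three packages (FieldTools.soe, LegitTools.soe, MapToolsSOE.soe) are constructed in a temp directory with placeholder class bytes; none is a real extension.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Byte strings found in the constant pool of class files that spawn processes
# or reference a shell. Cheap triage markers, not proof of malice.
SUSPICIOUS_MARKERS = [b"java/lang/Runtime", b"java/lang/ProcessBuilder", b"cmd.exe", b"/bin/sh"]


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_class_bytes(data):
    """Return the suspicious markers present in one class file's bytes."""
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in data]


def inspect_soe(path):
    """Open a .soe package (assumed: a zip holding the extension jar) and scan its classes."""
    hits = set()
    with zipfile.ZipFile(path) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            if name.endswith(".class"):
                hits.update(scan_class_bytes(blob))
            elif name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(blob)) as jar:
                    for cname in jar.namelist():
                        if cname.endswith(".class"):
                            hits.update(scan_class_bytes(jar.read(cname)))
    return sorted(hits)


def audit_extension_dir(directory, baseline):
    """Compare every .soe in `directory` with a pinned {filename: sha256} baseline.

    Packages that are unknown or whose hash changed are opened and scanned.
    Returns one finding per package, in filename order."""
    findings = []
    for fn in sorted(os.listdir(directory)):
        if not fn.endswith(".soe"):
            continue
        path = os.path.join(directory, fn)
        digest = sha256_file(path)
        if fn not in baseline:
            status = "unknown"
        elif baseline[fn] != digest:
            status = "modified"
        else:
            status = "ok"
        findings.append({
            "file": fn,
            "status": status,
            "sha256": digest,
            "markers": inspect_soe(path) if status != "ok" else [],
        })
    return findings


def build_sample_dir():
    """Construct a temp directory with three fake .soe packages (not real Esri extensions)."""
    directory = tempfile.mkdtemp(prefix="soe-audit-")

    def make_soe(filename, class_bytes):
        jar_buf = io.BytesIO()
        with zipfile.ZipFile(jar_buf, "w") as jar:
            jar.writestr("com/example/Extension.class", class_bytes)
        with zipfile.ZipFile(os.path.join(directory, filename), "w") as pkg:
            pkg.writestr("manifest.xml", "<manifest/>")
            pkg.writestr("extension.jar", jar_buf.getvalue())

    # Placeholder class bytes: the class-file magic number followed by strings
    # standing in for constant-pool entries.
    make_soe("LegitTools.soe", b"\xca\xfe\xba\xbe" + b"java/lang/String")
    make_soe("FieldTools.soe", b"\xca\xfe\xba\xbe" + b"java/lang/ProcessBuilder")
    make_soe("MapToolsSOE.soe", b"\xca\xfe\xba\xbe" + b"java/lang/Runtime exec cmd.exe")
    baseline = {
        "LegitTools.soe": sha256_file(os.path.join(directory, "LegitTools.soe")),
        # Stale pin: the file on disk no longer matches what was approved.
        "FieldTools.soe": "0" * 64,
    }
    return directory, baseline


if __name__ == "__main__":
    sample_dir, pins = build_sample_dir()
    for finding in audit_extension_dir(sample_dir, pins):
        print(finding)
```

The hash comparison is the control; the marker scan only prioritises what to look at first. A legitimate SOE may well spawn a process, and a web shell can hide its strings, so a package that is unknown or modified should be pulled from the restore and reviewed rather than reinstated because the scan came back empty.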
Summary based on 5 sources
Sources

BleepingComputer • Oct 14, 2025
Chinese hackers abuse geo-mapping tool for year-long persistence
The Register • Oct 14, 2025
Chinese gang used ArcGIS as a backdoor for a year – and no one noticed
The Hacker News • Oct 14, 2025
Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year
CyberScoop • Oct 14, 2025
Flax Typhoon can turn your own software against you