
Chinese hackers abuse geo-mapping tool for year-long persistence


Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell.

The ArcGIS geographic information system (GIS) is developed by Esri (Environmental Systems Research Institute) and supports server object extensions (SOEs), custom code that extends the server's basic functionality.

The software is used by municipalities, utilities, and infrastructure operators to collect, analyze, visualize, and manage spatial and geographic data through maps.

Researchers at cybersecurity company ReliaQuest are confident that the threat actor is a Chinese APT group and have moderate confidence that it is Flax Typhoon.

In a report shared with BleepingComputer, they say that the hackers used valid administrator credentials to log into a public-facing ArcGIS server that was linked to a private, internal ArcGIS server.

The attacker used their access to upload a malicious Java SOE acting as a web shell that accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server, where they appeared as routine operations.

The exchange was protected by a hardcoded secret key, ensuring that only the attackers had access to this backdoor.
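The behavior described above, a web shell that takes base64-encoded commands through the `layer` parameter of an SOE REST endpoint, gives defenders a concrete thing to hunt for: a parameter that normally carries a numeric layer index instead carrying base64 text. The following detection sketch is an added example and is not ReliaQuest's or Esri's code; the log format, the `exts/` path convention for SOE endpoints, and the sample lines are assumptions constructed for this illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real data). The format
# "<client> <method> <url> <status>" is an assumption for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /arcgis/rest/services/Roads/MapServer/0/query?where=1%3D1&f=json 200
10.0.0.5 GET /arcgis/rest/services/Roads/MapServer/exts/Reports/layer?layer=0&f=json 200
10.0.0.7 GET /arcgis/rest/services/Roads/MapServer/exts/Reports/layer?layer=d2hvYW1p&f=json 200
10.0.0.7 POST /arcgis/rest/services/Roads/MapServer/exts/Reports/layer?layer=bmV0c3RhdCAtYW4%3D&f=json 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # standard alphabet; '+' must be %-encoded in a URL


def decode_if_base64(value: str):
    """Return the decoded text if value is plausible base64 that decodes to
    printable ASCII, otherwise None."""
    if len(value) < 4 or len(value) % 4 != 0 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_suspicious_layer_params(log_text: str):
    """Flag SOE (/exts/) requests whose 'layer' parameter is not a numeric
    layer id but decodes from base64 to readable text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if "/exts/" not in parts.path:  # only server object extension endpoints
            continue
        for value in parse_qs(parts.query).get("layer", []):
            if value.isdigit():  # a legitimate layer index
                continue
            decoded = decode_if_base64(value)
            if decoded is not None:
                findings.append({"client": m.group("client"), "path": parts.path,
                                 "layer": value, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_layer_params(SAMPLE_LOG):
        print(finding)
```

In a real deployment the same check belongs on the web server or reverse-proxy logs in front of the public-facing ArcGIS server, and a hit should be correlated with the admin account that uploaded the extension.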

[Figure: The malicious SOE. Source: ReliaQuest]

From ArcGIS to SoftEther VPN
