A recent report from ReliaQuest details how the China-backed APT group “Flax Typhoon” exploited legitimate enterprise software, specifically ArcGIS, to maintain covert long-term access. This sophisticated attack involved repurposing trusted software components into backdoors, evading detection and complicating defense efforts. #FlaxTyphoon #ArcGIS #SupplyChainAttack
Key points
- Flax Typhoon used a legitimate ArcGIS SOE as a covert web shell for persistent access.
- The attackers embedded the backdoor in system backups, ensuring resilience after recovery attempts.
- Unauthorized access was gained through a compromised ArcGIS portal administrator account.
- The group created a covert VPN bridge to extend their access within the network undetected.
- Flax Typhoon’s operations focus on credential theft, lateral movement, and long-term infiltration.