Chinese state hackers exploited a component of Esri's ArcGIS geographic information system (GIS) software to stay undetected for over a year, using a web shell to reach internal networks. They extended their access by deploying SoftEther VPN to maintain persistence and move laterally within the compromised environments. #FlaxTyphoon #ArcGIS #SoftEtherVPN #RaptorTrain
Key points
- The hackers used a malicious Java server object extension (SOE) to plant a web shell on an ArcGIS server.
- They employed valid administrator credentials to gain access to internal systems.
- The threat actors installed SoftEther VPN to establish a covert, persistent connection.
- The VPN tunnel enabled lateral movement, credential dumping, and data exfiltration that went undetected.
- ReliaQuest linked the campaign to the Chinese APT group Flax Typhoon, which is known for espionage efforts and evasion tactics.