Essential Insights
- Long-term Backdoor Access: A Chinese APT group, Flax Typhoon, abused a geospatial mapping application (ArcGIS) to maintain backdoor access to an organization for over a year, without a zero-day or misconfiguration.
- Clever Attack Chain: The attackers turned an ArcGIS Java server object extension (SOE) into a Web shell, and made sure the malicious component was captured in backups so that restoring the system reinfected it.
- Universal Threat Warning: Reliaquest emphasized that while the component was specific to ArcGIS, the tactic applies to any public-facing application, urging organizations to reassess how they secure such assets.
- Mitigation Strategies: Recommendations include strengthening credential hygiene, implementing multifactor authentication, auditing and hardening public-facing applications, enforcing least privilege, and using behavioral analytics to complement signature-based detection.
Researchers discovered a “wakeup call” type of attack by a Chinese advanced persistent threat (APT) group that established backdoor access to an organization for more than a year through a geospatial mapping application.
In a blog post from cybersecurity vendor Reliaquest, researchers detailed how a notorious threat group tracked as Flax Typhoon constructed “an unusually clever attack chain” that manipulated a component of ArcGIS, a widely known geo-mapping platform from software maker Esri. The researchers found Flax Typhoon actors compromised an organization’s public-facing ArcGIS server and used the access to turn a trusted application into a backdoor.
“This attack is a wakeup call: Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted,” Reliaquest analysts Alexa Feminella and James Xiang wrote in the blog post.
Turning ArcGIS into a Web Shell
Reliaquest investigated a potential compromise of an ArcGIS customer. After ruling out a zero-day vulnerability or a misconfiguration, the researchers uncovered a unique attack that demonstrated Flax Typhoon's sophistication and creativity.
The researchers found the threat actors established year-long access to the organization by modifying ArcGIS' Java server object extension (SOE), a component that lets developers add custom service operations to map and image services, and turning it into a Web shell. Flax Typhoon accomplished this by compromising a portal administrator account for ArcGIS, the researchers explained.
“The attackers found a public-facing ArcGIS server that was connected to a private, internal ArcGIS server for backend computations (a common default configuration),” Feminella and Xiang wrote.
According to ArcGIS documentation, the public portal serves as a proxy, forwarding commands to the internal server through a Web adapter. The attackers sent disguised commands to the portal server, which created a hidden system directory in the server that essentially became Flax Typhoon’s private workspace, the researchers said, complete with a hardcoded key.
Additionally, Flax Typhoon’s attack chain ensured the malicious SOE would remain in place even after a full system recovery. “The group’s persistence method was even more insidious. By ensuring the compromised component was included in system backups, they turned the organization’s own recovery plan into a guaranteed method of reinfection,” Feminella and Xiang wrote.
Mitigating Flax Typhoon Threats
Reliaquest said it worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity.
The ArcGIS attack follows other notable threat activity targeting geo-mapping software; last month, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed that a large, unnamed federal civilian executive branch agency was breached in 2024 through a vulnerability in GeoServer, an open source geospatial data server.
An Esri spokesperson tells Dark Reading that the company has not seen any evidence or received reports indicating that other organizations have been impacted by this type of attack.
Reliaquest also said it has seen no evidence of other organizations that have been breached by malicious ArcGIS SOE. “However, the report’s main warning is that while the component was specific to ArcGIS, the tactic is not,” a company spokesperson said. “While the method of persistence is unique, this can happen to any publicly facing application where security best practices are assumed but not enforced. Therefore, it is highly likely that many organizations are vulnerable to this same attack chain, using the creative modification of any legitimate component.”
Reliaquest urged organizations to treat all public-facing applications as high-risk assets. To that end, the researchers recommended security teams audit and harden such applications, no matter how routine. Feminella and Xiang also highlighted the fact that Flax Typhoon didn’t use any malware or known malicious files, which emphasizes the need for behavioral analytics to complement signature-based detection.
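Two of the recommendations above lend themselves to a concrete check: auditing what extensions a public-facing ArcGIS server actually has registered, and looking for behavioral signals in request logs when no malware is present to match a signature. The script below is an added example written for this article; it is not Reliaquest's or Esri's code and does not reproduce their detections. The JSON listing of registered SOEs and the access-log lines are constructed for illustration, and their layout (including the `sha256` field and the `key`/`cmd` parameter names) is an assumption rather than verbatim ArcGIS output; an operator would feed it the extension inventory from the ArcGIS Server administrator interface and the Web adaptor's real access logs. The allowlist is meant to live outside the server and outside its backups, which is what makes a restored-from-backup SOE show up as a finding instead of a trusted component.

```python
"""Audit helpers for an ArcGIS Server deployment.

Added example, not ReliaQuest's or Esri's code. Two checks:
  1. audit_extensions: flag server object extensions (SOEs) that are
     not on an externally kept allowlist, or whose build hash differs.
  2. audit_requests: flag REST calls that invoke an SOE operation from
     an unapproved extension, with shell-like parameters, or from an
     external client.
The JSON listing layout and the log format are constructed assumptions.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: a dump of registered SOEs as it might look after a
# compromise. 'sha256' is assumed to be the hash of the deployed .soe.
REGISTERED_EXTENSIONS_JSON = json.dumps({
    "extensions": [
        {"name": "NetworkAnalyst", "sha256": "a1" * 32},
        {"name": "TileCacheHelper", "sha256": "b2" * 32},
        {"name": "SvcOps", "sha256": "c3" * 32},  # not on the allowlist
    ]
})

# Allowlist kept outside the server and its backups, so a restore that
# brings back a malicious SOE is still caught on the next audit.
APPROVED_EXTENSIONS = {
    "NetworkAnalyst": "a1" * 32,
    "TileCacheHelper": "b2" * 32,
}


def audit_extensions(listing_json, approved):
    """Return (name, reason) for each SOE that is unknown or whose hash
    differs from the approved build."""
    findings = []
    for ext in json.loads(listing_json)["extensions"]:
        name, digest = ext["name"], ext["sha256"]
        if name not in approved:
            findings.append((name, "not on allowlist"))
        elif approved[name] != digest:
            findings.append((name, "hash mismatch"))
    return findings


# Constructed access-log lines: client IP, method, path+query, status.
ACCESS_LOG = """\
10.0.5.12 GET /arcgis/rest/services/Roads/MapServer/exts/NetworkAnalyst/solve?f=json 200
203.0.113.7 GET /arcgis/rest/services/Roads/MapServer/exts/SvcOps/exec?f=json&key=8f2e1c&cmd=whoami 200
203.0.113.7 POST /arcgis/rest/services/Roads/MapServer/exts/SvcOps/exec?f=json&key=8f2e1c 200
10.0.5.30 GET /arcgis/rest/services/Roads/MapServer?f=json 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# Assumed URL shape: .../rest/services/<svc>/<type>/exts/<SOE>/<operation>
SOE_PATH_RE = re.compile(r"/rest/services/.+/exts/([^/]+)/([^/?]+)")
# Parameter names that look like a shell rather than a map operation.
SUSPECT_PARAMS = {"key", "cmd", "command", "exec"}


def audit_requests(log_text, approved, internal_prefix="10."):
    """Return (ip, soe, operation, reasons) for SOE invocations that hit
    an unapproved extension, carry suspect parameters, or originate
    outside the internal address range."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, _method, target, _status = m.groups()
        soe = SOE_PATH_RE.search(target)
        if not soe:
            continue  # ordinary service request, not an SOE operation
        ext_name, operation = soe.groups()
        params = set(parse_qs(urlsplit(target).query).keys())
        reasons = []
        if ext_name not in approved:
            reasons.append("unapproved SOE")
        suspect = params & SUSPECT_PARAMS
        if suspect:
            reasons.append("suspect params " + ",".join(sorted(suspect)))
        if not ip.startswith(internal_prefix):
            reasons.append("external client")
        if reasons:
            findings.append((ip, ext_name, operation, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(REGISTERED_EXTENSIONS_JSON, APPROVED_EXTENSIONS):
        print("EXTENSION", finding)
    for finding in audit_requests(ACCESS_LOG, APPROVED_EXTENSIONS):
        print("REQUEST", finding)
```

Run as-is it reports `SvcOps` as an extension that is not on the allowlist and flags the two `SvcOps/exec` requests, which come from an external address and carry `key`/`cmd` parameters; the legitimate `NetworkAnalyst/solve` call from an internal client produces no finding. The hash comparison is what catches the case the article describes, a known extension name whose binary was replaced, since a name-only check would pass it.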
The researchers also stressed the importance of strong credential hygiene, noting that "a weak administrator password" gave the attackers a foothold in the organization's network. In addition to enforcing strong, unique passwords, Reliaquest recommended implementing multifactor authentication and practicing the principle of least privilege.
