Flax Typhoon exploited ArcGIS to gain long-term access

Who is at risk?

In the first documented case confirmed by ArcGIS, where the malicious SOE was used, ReliaQuest identified that the password for the ArcGIS portal administrator account was a leet password of unknown origin, suggesting that the attacker had access to the administrative account and was able to reset the password.

“Any organization that uses ArcGIS in a networked environment, if it is exposed externally or to other enterprise data systems, is at risk,” said Devroop Dhar, co-founder and MD at Primus Partners. “The main risk is that attackers can use a compromised extension to maintain access and take out sensitive data. As ArcGIS is widely used in mapping, logistics, and public-sector planning, the data it has can be sensitive, like network maps, population records, and infrastructure layouts.”

“As a result, for most enterprises, the concern is not just immediate disruption but also silent observation. If an attacker sits inside a system that tracks infrastructure or logistics, that is a serious intelligence advantage.”

“To verify if compromised, organizations should start by taking a complete inventory of all ArcGIS Server versions in their environment and enumerating every Server Object Extension (SOE) and Server Object Interceptor (SOI) in use,” said Amit Jaju, senior managing director India at Ankura Consulting. “Then they should compare these against known source and vendor hash values to detect unauthorized changes. Conduct a detailed hunt for any anomalous SOE JAR files or class structures, hardcoded tokens or encryption keys, suspicious admin activity logs, and web shell indicators identified by security researchers.”

Jaju added that CISOs should not overlook backups or AMIs: verify that they aren’t seeded with malicious SOEs and confirm the integrity of golden images.

For remediation, immediately isolate affected ArcGIS servers, rotate all related service accounts and secrets, and apply strict least-privilege controls to ArcGIS service identities. “Rebuild compromised systems only from known-good media, redeploying extensions that are both signed and independently reviewed. Where possible, enforce code-signing validation for all SOEs to prevent tampering. Finally, strengthen your monitoring posture, add detections specifically for SOE abuse and abnormal ArcGIS administrative endpoint activity, and diversify your threat intelligence sources by subscribing to multiple feeds rather than relying solely on KEV,” added Jaju.
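The inventory-and-compare step Jaju describes, written out as an added example that is not from the article, from ReliaQuest or from Esri/ArcGIS: a Python script that walks an SOE directory, hashes every JAR, compares each digest against an allowlist of known-good SHA-256 values, and scans the JAR entries for hardcoded-credential patterns. The directory layout, JAR names, allowlist and sample contents are all constructed for this example, and the regexes are generic heuristics for the "hardcoded tokens or keys" hunt, not indicators published for this campaign.

```python
"""Audit ArcGIS SOE JARs against a known-good hash allowlist and hunt for embedded secrets.

Constructed example: paths, JAR names, allowlist and secret heuristics are assumptions
made for illustration, not values from any vendor or advisory.
"""
import hashlib
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field

# Generic heuristics for hardcoded credentials inside JAR entries (constructed, not IoCs).
SECRET_PATTERNS = {
    "credential-assignment": re.compile(
        rb"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*[\"']?[A-Za-z0-9+/_\-=]{12,}"
    ),
    "base64-blob": re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])"),
}


@dataclass
class Finding:
    jar: str
    status: str            # "ok" (matches allowlist), "modified" (hash differs) or "unknown" (not listed)
    sha256: str
    indicators: list = field(default_factory=list)   # "entry:pattern" hits from the secret scan


def sha256_file(path):
    """Stream the file through SHA-256 so large JARs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_jar_for_secrets(path):
    """Return 'entry:pattern' strings for every JAR entry matching a secret heuristic."""
    hits = []
    with zipfile.ZipFile(path) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    hits.append(f"{info.filename}:{name}")
    return hits


def audit_soe_directory(soe_dir, allowlist):
    """Hash every *.jar under soe_dir, classify it against the allowlist, and scan it for secrets.

    allowlist maps JAR file name -> expected SHA-256 hex digest (from vendor hashes or your own build)."""
    findings = []
    for root, _dirs, files in os.walk(soe_dir):
        for fname in sorted(files):
            if not fname.lower().endswith(".jar"):
                continue
            path = os.path.join(root, fname)
            digest = sha256_file(path)
            expected = allowlist.get(fname)
            if expected is None:
                status = "unknown"       # nobody recorded this JAR: investigate how it got there
            elif expected == digest:
                status = "ok"
            else:
                status = "modified"      # same name as a recorded JAR, different bytes
            findings.append(Finding(fname, status, digest, scan_jar_for_secrets(path)))
    return findings


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)


def build_sample_environment():
    """Constructed sample: a clean JAR, a JAR tampered after its hash was recorded, and an unlisted JAR.

    Returns (soe_dir, allowlist)."""
    soe_dir = tempfile.mkdtemp(prefix="soe-audit-")
    vendor = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
              "com/example/soe/MapExtension.class": b"\xca\xfe\xba\xbe" + b"\x00" * 32}
    reporting = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                 "com/example/soe/ReportExtension.class": b"\xca\xfe\xba\xbe" + b"\x01" * 32}
    _write_jar(os.path.join(soe_dir, "VendorSOE.jar"), vendor)
    _write_jar(os.path.join(soe_dir, "ReportingSOE.jar"), reporting)
    # Record hashes of the clean builds, as a vendor or build pipeline would.
    allowlist = {name: sha256_file(os.path.join(soe_dir, name))
                 for name in ("VendorSOE.jar", "ReportingSOE.jar")}
    # Simulate tampering after the fact: a config entry with a hardcoded token (constructed value).
    reporting["config.properties"] = b"api_token=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==\n"
    _write_jar(os.path.join(soe_dir, "ReportingSOE.jar"), reporting)
    # A JAR nobody recorded at all.
    _write_jar(os.path.join(soe_dir, "Helper.jar"), {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return soe_dir, allowlist


if __name__ == "__main__":
    sample_dir, sample_allowlist = build_sample_environment()
    for f in audit_soe_directory(sample_dir, sample_allowlist):
        print(f"{f.status:8} {f.sha256[:16]}  {f.jar}  {', '.join(f.indicators) or '-'}")
```

In a real deployment the allowlist would be populated from vendor-published hashes or from digests recorded when your own signed SOEs were built, and the same audit should be run over backups and golden images, since the article notes those can carry a malicious SOE back into a rebuilt environment.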

Trusted software is the new attack surface

Security analysts say that the Flax Typhoon case highlights a worrying evolution: the weaponization of trusted components rather than the deployment of conventional malware.

In 2023, the same group targeted dozens of organizations in Taiwan with the likely intention of performing espionage, Microsoft reported. In 2020, SolarWinds was targeted by hackers, who deployed malicious code into the SolarWinds Orion IT monitoring and management software used by thousands of enterprises and government agencies worldwide. In March 2023, 3CX suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code.

According to experts, threat actors have realized that compromising a trusted vendor module gives them free access. As a result, vendor software should not be treated as safe by default. “Trusted platforms also need continuous verification. Regular code-integrity checks, tighter monitoring of vendor updates, and periodic pen testing of integrated systems are essential,” added Dhar.

CISOs should also push vendors to provide transparency and clarity, such as SBOMs (Software Bills of Materials) and details of their own security testing and disclosure protocols, Dhar said. “It is also important to separate privileges; just because a module comes from a trusted vendor does not mean it needs access to everything in the network.”

Using AI efficiently to monitor in real time for any anomaly in behavioral analytics, comparing against a longish history rather than a slice in time, is critical, added Shah.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4072876/flax-typhoon-exploited-arcgis-to-gain-long-term-access.html
