The attacker then ramped up activity by scanning the internal network over several protocols, including Secure Shell (SSH), HTTPS, Server Message Block (SMB), and Remote Procedure Call (RPC), and by running repeated SMB scans across different internal subnets. Next, to establish long-term access, a renamed SoftEther VPN executable, “bridge.exe”, was uploaded into the default Windows System32 directory, where it blended in with legitimate system binaries and reduced the chances of detection. The malicious SOE also provided ongoing access, and because it sat on the ArcGIS server for an extended period, it was captured in the victim’s backups as well.
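One practical check for the persistence step above, renamed third-party binaries dropped into System32, is to compare each process image name against the version-resource metadata that Sysmon process-creation events (Event ID 1) already carry. The script below is an added example, not code from the article or from ReliaQuest; the event records are constructed, and the OriginalFileName value for the SoftEther binary is an assumed placeholder.

```python
import ntpath

# Constructed Sysmon-style process-creation (Event ID 1) records.
# These are illustrative, not telemetry from the incident; the
# OriginalFileName for the renamed VPN binary is an assumed value.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "Company": "Microsoft Corporation"},
    {"Image": r"C:\Windows\System32\bridge.exe",
     "OriginalFileName": "vpnserver.exe", "Company": "SoftEther VPN Project"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "OriginalFileName": "CONHOST.EXE", "Company": "Microsoft Corporation"},
    {"Image": r"C:\Windows\System32\helper.exe",
     "OriginalFileName": "?", "Company": "?"},  # Sysmon writes "?" when the field is absent
    {"Image": r"C:\Program Files\Git\bin\git.exe",
     "OriginalFileName": "git.exe", "Company": "The Git Development Community"},
]

SYSTEM32 = r"c:\windows\system32"
# Publisher strings considered normal for System32 (assumed allowlist; tune per estate).
TRUSTED_PUBLISHERS = {"microsoft corporation", "microsoft windows"}


def is_system32(image):
    """True when the image lives directly in the System32 directory."""
    return ntpath.dirname(image).lower().rstrip("\\") == SYSTEM32


def check_event(ev):
    """Return a reason string if a System32 process looks out of place, else None."""
    image = ev.get("Image", "")
    if not is_system32(image):
        return None
    name = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "?")
    company = ev.get("Company", "?")
    if original == "?" or company == "?":
        return "no version info"           # stripped or unsigned binary in System32
    if original.lower() != name:
        return "name mismatch: %s vs %s" % (name, original)  # renamed on disk
    if company.lower() not in TRUSTED_PUBLISHERS:
        return "untrusted publisher: %s" % company
    return None


def find_suspicious(events):
    """Return (image, reason) pairs for every event that trips a check."""
    return [(ev["Image"], check_event(ev)) for ev in events if check_event(ev)]


if __name__ == "__main__":
    for image, reason in find_suspicious(SAMPLE_EVENTS):
        print("ALERT %-40s %s" % (image, reason))
```

The same three checks map directly onto a SIEM rule over Sysmon Event ID 1, where the Image, OriginalFileName and Company fields are available without any endpoint file parsing.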
Who is at risk?
In the first documented case confirmed by ArcGIS, where the malicious SOE was used, ReliaQuest identified that the password for the ArcGIS portal administrator account was a leet password of unknown origin, suggesting that the attacker had access to the administrative account and was able to reset the password.
“Any organization that uses ArcGIS in a networked environment, if it is exposed externally or to other enterprise data systems, is at risk,” said Devroop Dhar, co-founder and MD at Primus Partners. “The main risk is that attackers can use a compromised extension to maintain access and take out sensitive data. As ArcGIS is widely used in mapping, logistics, and public-sector planning, the data it has can be sensitive, like network maps, population records, and infrastructure layouts.”