
The activity was expanded by scanning the internal network over several protocols, including Secure Shell (SSH), HTTPS, Server Message Block (SMB) and Remote Procedure Call (RPC), and by running multiple SMB scans against different internal subnets. To establish long-term access, a SoftEther VPN executable named “bridge.exe” was then uploaded to the default Windows system32 directory, where it was less likely to be noticed. The malicious SOE itself also provided persistent access, and because it sat on the ArcGIS Server for an extended period, it was captured in the victim’s backups as well.
Who is at risk?
In the first documented case confirmed by ArcGIS in which a malicious SOE was used, ReliaQuest identified that the password for the ArcGIS Portal Administrator account was a leaked password of unknown origin, suggesting that the attacker had access to the administrative account and was able to reset the password.
“Any organization that uses ArcGIS in a networked environment is at risk if it is exposed externally or to other enterprise data systems,” said Devroop Dhar, co-founder and MD of Primus Partners. “The main risk is that attackers could use a compromised extension to gain access and exfiltrate sensitive data. Since ArcGIS is widely used in mapping, logistics and public sector planning, the data it contains may be sensitive, such as network maps, population records and infrastructure layouts.”

