Internet-Exposed Call Center Software Under Attack; Patch Tuesday Update

This week, the Information Security Media Group covers a range of cybersecurity incidents: Chinese hackers exploiting ArcGIS, vulnerabilities in internet-exposed call center software, and the latest Patch Tuesday updates. Notable events include a Massachusetts student sentenced for a $3 million extortion hack, New York’s fines against insurance firms for data breaches, and over 100 VS Code extensions revealing sensitive secrets.
Chinese Hackers Exploit Geomapping Tool
Suspected Chinese state-sponsored hackers sat inside an ArcGIS mapping server for more than a year without being detected. They built their web shell as a Java server object extension (SOE), a legitimate ArcGIS extensibility feature, a reminder that a product's own plug-in mechanism is an attractive place to hide a backdoor.
Researchers attribute the intrusion with moderate confidence to Flax Typhoon, a Chinese nation-state actor. The attackers logged in with valid administrator credentials to a public-facing ArcGIS server that was connected to internal networks, then deployed a malicious Java SOE gated by a hardcoded key, so only requests carrying that key could drive the backdoor while everything else looked like ordinary server traffic.
For persistence, the attackers installed SoftEther VPN Bridge as an auto-start Windows service. The bridge held an outbound tunnel to attacker infrastructure over TCP 443, so lateral movement and reconnaissance rode on what looked like ordinary HTTPS. On IT staff workstations they also attempted to extract credentials from the Windows Security Account Manager (SAM) database, tradecraft that lines up with Flax Typhoon's known playbook. Defenders should treat a new auto-start service on an application server, or a long-lived outbound 443 session from a non-browser process, as something to investigate; the port number alone says nothing.
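The persistence chain described above (a tunnelling tool registered as an auto-start service, then a long outbound session on 443) is a good candidate for a simple correlation rule. The following is an added example, not code from the researchers or from this article: it triages constructed service-install events and outbound-connection records, flags the ones that match the pattern, and names the hosts where both signals coincide. The hostnames, paths, addresses and the `TUNNEL_TOOLS` list are illustrative assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records, NOT from the reported intrusion. The first entry
# mirrors the write-up's persistence step: SoftEther VPN Bridge registered as an
# auto-start Windows service. Fields are a reduced form of what a SIEM would hold
# for System log event 7045 ("A service was installed in the system").
SERVICE_EVENTS = [
    {"host": "gis-web-01", "name": "SEVPNBRIDGE", "display": "SoftEther VPN Bridge",
     "path": "C:\\ProgramData\\vpnbridge\\vpnbridge_x64.exe /service", "start": "auto"},
    {"host": "gis-web-01", "name": "ArcGISServer", "display": "ArcGIS Server",
     "path": "\"C:\\Program Files\\ArcGIS\\Server\\framework\\etc\\service\\bin\\ArcGISServer.exe\"",
     "start": "auto"},
    {"host": "it-ws-07", "name": "Sysmon64", "display": "Sysmon64",
     "path": "C:\\Windows\\Sysmon64.exe", "start": "auto"},
]

# Constructed outbound connection records (process, destination, port, lifetime).
# 203.0.113.0/24 is a documentation range, not real attacker infrastructure.
FLOWS = [
    {"host": "gis-web-01", "process": "vpnbridge_x64.exe", "dst": "203.0.113.45",
     "dport": 443, "duration_s": 86400},
    {"host": "gis-web-01", "process": "ArcGISServer.exe", "dst": "10.20.0.15",
     "dport": 5432, "duration_s": 12},
    {"host": "it-ws-07", "process": "msedge.exe", "dst": "203.0.113.9",
     "dport": 443, "duration_s": 40},
]

# Tunnelling / remote-access tools that have no business running as a service
# on a mapping server. Assumed list; extend it for your environment.
TUNNEL_TOOLS = re.compile(r"softether|vpnbridge|vpnserver|vpnclient|ngrok|frpc|chisel|plink", re.I)

# Where a legitimately installed service binary is expected to live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Internal address space (RFC 1918); anything else counts as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LONG_SESSION_SECONDS = 3600
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    subject: str
    reason: str


def triage_service_installs(events):
    """Flag new services that look like tunnels or that auto-start from odd paths."""
    findings = []
    for ev in events:
        blob = f"{ev['name']} {ev['display']} {ev['path']}"
        image = ev["path"].strip().strip('"').lower()
        if TUNNEL_TOOLS.search(blob):
            findings.append(Finding(ev["host"], ev["name"], "tunnelling/VPN tool registered as a service"))
        elif ev["start"] == "auto" and not image.startswith(TRUSTED_DIRS):
            findings.append(Finding(ev["host"], ev["name"], "auto-start service outside trusted directories"))
    return findings


def triage_outbound(flows):
    """Flag outbound 443 sessions to external addresses from tunnel binaries or long-lived non-browser processes."""
    findings = []
    for fl in flows:
        dst = ipaddress.ip_address(fl["dst"])
        if fl["dport"] != 443 or any(dst in net for net in INTERNAL_NETS):
            continue
        proc = fl["process"].lower()
        if TUNNEL_TOOLS.search(proc):
            findings.append(Finding(fl["host"], proc, f"tunnel binary talking to {dst}:443"))
        elif fl["duration_s"] >= LONG_SESSION_SECONDS and proc not in BROWSERS:
            findings.append(Finding(fl["host"], proc, f"long-lived 443 session to {dst}"))
    return findings


def hosts_with_tunnel_persistence(events, flows):
    """Hosts where a suspicious service install AND a matching outbound tunnel both appear."""
    by_service = {f.host for f in triage_service_installs(events)}
    by_flow = {f.host for f in triage_outbound(flows)}
    return sorted(by_service & by_flow)


if __name__ == "__main__":
    for f in triage_service_installs(SERVICE_EVENTS) + triage_outbound(FLOWS):
        print(f"{f.host}: {f.subject}: {f.reason}")
    print("correlated:", hosts_with_tunnel_persistence(SERVICE_EVENTS, FLOWS))
```

The correlation is deliberately conservative: a single auto-start service in an unusual directory is noisy on its own, but the same host also holding a day-long session to an external address on 443 from a non-browser process is rarely benign on a server that should only be serving maps.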
Internet-Exposed Call Center Software Under Attack
A command-injection vulnerability in ICTBroadcast call center software, tracked as CVE-2025-2611, is being exploited in the wild. Cybersecurity firm VulnCheck reports that the flaw allows remote compromise because attacker-supplied session cookie data reaches a shell command, so shell metacharacters placed in the cookie execute on the server.
Rapid7 further notes that the affected versions allow unauthenticated remote code execution, which is especially dangerous for software that was never designed to be internet-facing. Observed attacks begin by attempting to establish persistent access through a reverse shell connection.
Security researcher Valentin Lobstein disclosed the vulnerability earlier this year, and a Metasploit exploit module has since been published. The vendor has not responded regarding a patch, so taking exposed instances off the internet, or placing them behind a VPN or an authenticating proxy, is the mitigation left to operators.
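To make the bug class concrete, here is an added example (not ICTBroadcast's code, which is not shown in the advisory) of the pattern the reports describe: a session cookie value spliced into a shell string, shown beside a hardened version and a small detector. The cookie headers, the `sessid` name, the `echo`-based lookup and the `SESSION_ID` allow-list are illustrative assumptions; the injected command is a harmless `echo`, where a real attacker would place a reverse shell.

```python
import re
import subprocess

# Constructed Cookie headers. The second carries the shape of a command-injection
# attempt: the session value closes the double quotes in the server's shell string
# and substitutes a command of the attacker's choosing.
BENIGN_HEADER = "sessid=3f9a1c0e7b2d4a6f; lang=en"
MALICIOUS_HEADER = 'sessid=x"$(echo INJECTED)"; lang=en'


def parse_cookie_header(header):
    """Minimal Cookie header parser: name=value pairs separated by ';'."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def lookup_session_vulnerable(header):
    """Deliberately vulnerable: the cookie value is spliced into a shell string.
    This mirrors the bug class in the advisory (cookie data reaching a shell),
    not the vendor's actual code."""
    sessid = parse_cookie_header(header)["sessid"]
    cmd = f'echo "lookup {sessid}"'          # attacker controls what lands inside the quotes
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


# Assumed session-id format: only these characters, bounded length.
SESSION_ID = re.compile(r"[A-Za-z0-9_-]{8,64}")


def lookup_session_hardened(header):
    """Hardened: allow-list the value, then pass it as its own argv element with no shell."""
    sessid = parse_cookie_header(header).get("sessid", "")
    if not SESSION_ID.fullmatch(sessid):
        raise ValueError("invalid session id")
    out = subprocess.run(["echo", f"lookup {sessid}"], capture_output=True, text=True)
    return out.stdout.strip()


def hardened_rejects(header):
    """True when the hardened lookup refuses the cookie value."""
    try:
        lookup_session_hardened(header)
    except ValueError:
        return True
    return False


# Detection: shell metacharacters have no place in a session identifier.
SHELL_META = re.compile(r"[;&|`$<>\\'\"\n]")


def suspicious_cookies(header):
    """Names of cookies whose values contain shell metacharacters."""
    return [name for name, value in parse_cookie_header(header).items() if SHELL_META.search(value)]


if __name__ == "__main__":
    print("vulnerable, benign   :", lookup_session_vulnerable(BENIGN_HEADER))
    print("vulnerable, malicious:", lookup_session_vulnerable(MALICIOUS_HEADER))
    print("hardened, benign     :", lookup_session_hardened(BENIGN_HEADER))
    print("hardened, malicious  : rejected =", hardened_rejects(MALICIOUS_HEADER))
    print("suspicious cookies   :", suspicious_cookies(MALICIOUS_HEADER))
```

The vulnerable path prints `lookup xINJECTED` for the malicious header, proving that the attacker's `$(...)` ran inside the shell. The hardened path never builds a shell string at all: validation rejects anything outside the allow-list, and even a value that passes is handed to `subprocess.run` as a separate argument, so quoting tricks have nothing to break out of. The detector is what you would point at web access logs or a WAF feed while the vendor has no patch.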
Microsoft Addresses 172 Vulnerabilities in Final Windows 10 Patch Tuesday
Microsoft's October Patch Tuesday addresses 172 vulnerabilities and is the last set of free security updates for Windows 10. Six of the flaws were zero-days, three of them already exploited in the wild.
The critical-rated bugs cover remote code execution and elevation of privilege, and Microsoft's notes single out driver flaws and Secure Boot bypasses. Enterprises can buy Extended Security Updates for up to three more years; a Windows 10 machine that is not enrolled receives no fixes for anything disclosed from now on, which makes it a progressively softer target.
Massachusetts Student Sentenced for $3 Million Extortion Hack
A Massachusetts college student has been sentenced to four years in prison for an extortion campaign against two companies, including education software vendor PowerSchool. He exploited security weaknesses to get into the victims' networks and then demanded roughly $3 million in Bitcoin.
An earlier demand against a telecommunications firm netted $200,000, and the campaign included threats to publish sensitive data belonging to educational institutions. PowerSchool confirmed it paid a ransom to keep its stolen data from being leaked, yet the extortion continued across multiple organizations, a reminder that paying buys no guarantee.
New York Fines Eight Insurers $14.2 Million Over Data Breaches
The New York attorney general has fined eight insurance companies a combined $14.2 million over data breaches that exposed the personal information of more than 825,000 people. Attackers abused weaknesses in the insurers' online quoting tools to harvest sensitive data, which was then used to file fraudulent claims.
Investigators found that weak security controls let the attackers pull personal data out of those tools with little resistance. The findings point to missing basics, notably multi-factor authentication and monitoring that would flag anomalous patterns of data access, such as one source requesting far more quotes than any legitimate customer would.
Over 100 VS Code Extensions Leak Secrets
Cloud security firm Wiz found that more than 100 Visual Studio Code extensions shipped with personal access tokens embedded in their published packages. A leaked publishing token is a software supply chain problem rather than a bug in one extension: whoever holds it can push a malicious update under the legitimate publisher's name, and every installed copy will pull it.
Across the extensions analyzed, the researchers counted hundreds of secrets, some belonging to well-known publishers. A token that ends up in build output or a bundled config file travels with the package to every user, so the check belongs in the release pipeline, before upload, and any token that has already been published has to be treated as compromised and rotated.
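A `.vsix` package is a zip archive with an `extension/` folder, so the pre-publish check is a matter of walking its text members for credential formats. The following is an added example, not Wiz's scanner or any project's code: it builds a small constructed `.vsix` in memory seeded with synthetic tokens (the GitHub value is made up; the AWS key ID is the placeholder AWS uses in its own documentation) and scans it. The token regexes cover a handful of prefixed formats and the fine-grained GitHub pattern is an approximation; the file names are illustrative.

```python
import io
import re
import zipfile

# Token formats with a recognisable prefix. The fine-grained GitHub pattern is an
# approximation of the public format; add your own organisation's token shapes.
SECRET_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{60,}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Members of a .vsix that are never worth scanning (binary assets).
SKIP_SUFFIXES = (".png", ".jpg", ".gif", ".woff", ".woff2", ".ttf", ".node")


def build_sample_vsix():
    """Construct an in-memory .vsix seeded with synthetic credentials.
    Neither value is a live secret: the GitHub token is invented and the AWS
    key ID is the placeholder from AWS documentation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("extension/package.json", '{"name": "demo-ext", "version": "0.0.1"}\n')
        z.writestr("extension/out/extension.js",
                   'const token = "ghp_16C7e42F292c6912E7710c838347Ae178B4a"; // publish helper\n'
                   'module.exports = { activate() {} };\n')
        z.writestr("extension/.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
        z.writestr("extension/README.md", "# demo-ext\n\nNo secrets here.\n")
        z.writestr("extension/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    return buf.getvalue()


def mask(secret):
    """Keep enough of the token to identify it in a report without reprinting it whole."""
    return secret[:6] + "..." + secret[-4:]


def scan_vsix(data):
    """Walk every text member of the package and report prefix-matched tokens."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir() or info.filename.lower().endswith(SKIP_SUFFIXES):
                continue
            try:
                text = z.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content that slipped past the suffix list
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in SECRET_PATTERNS.items():
                    for m in pattern.finditer(line):
                        findings.append({"file": info.filename, "line": lineno,
                                         "type": kind, "value": mask(m.group())})
    return findings


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['file']}:{f['line']}  {f['type']}  {f['value']}")
```

Run against the constructed package this reports the token in `extension/out/extension.js` and the key in `extension/.env`, and nothing for the README or the icon. Wiring the same scan into CI, against the exact archive that will be uploaded rather than the source tree, catches the case the Wiz findings describe: a secret that never appears in the repository but is pulled in at build time.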
Reporting by Information Security Media Group’s Gregory Sirico and Mathew Schwartz contributed to this summary.