A Chinese government-backed hacking group has found a new way to bypass two-factor authentication, according to a new report.
The report by Dutch cybersecurity firm Fox-IT attributes a range of cyber attacks on government entities and managed service providers to APT20, a hacking group linked to the Chinese government that has been on the radar for nearly 10 years.
The report tracks the attacks of the group over the last two years and details the method behind them.
According to the researchers, the group typically targets web servers as the initial point of entry into a network, with a particular focus on enterprise application platform JBoss.
The hackers exploit vulnerabilities in those servers to gain a foothold, install web shells to keep that access, and then move laterally through the internal systems.
The hackers then look for administrator accounts to gain further access.
Little has been known about the movements of APT20 since 2017, the Fox-IT report said, with the group staying under the radar by relying on legitimate tools already installed on the compromised devices (so-called "living off the land") rather than its own custom-built malware.
Most alarmingly, the report found that the hacking group has been able to bypass two-factor authentication, a common security precaution that requires users to enter a one-time code generated on, or sent to, a separate device before they can access an account.
Two-factor authentication has previously been bypassed using elaborate phishing methods, but Fox-IT said that APT20 has done so with a new method that doesn't require a user to be duped by a fake email.
While the researchers couldn’t be sure of the exact method used, they did provide a theory on how APT20 may have gained access to a VPN that was protected with two-factor authentication.
Their theory is that the hackers stole an RSA SecurID software token from a compromised system and used it to generate valid two-factor authentication codes themselves.
This isn't supposed to work, because a software token is bound to the specific system it was issued for, so a copy of it should not generate codes on a different device.
“As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed and has no relation to the seed used to generate actual 2-factor tokens,” Fox-IT said in the report.
“This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system and does not need to bother with stealing the system specific value at all.
“In short, all the actor has to do to make use of the 2-factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”
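The flaw Fox-IT describes is that the device binding is a comparison performed once at import, while the seed that actually generates codes is stored independently of it. The toy model below, added here and not taken from the Fox-IT report or from RSA's software, shows why patching out that one check is enough, and contrasts it with a design in which the seed is wrapped under a key derived from the device value. All names, the sample seed, the device identifiers and the `patch_check` flag (which stands in for the single patched instruction) are constructed for illustration, and the code generator is an RFC 4226/6238-style HMAC construction, not SecurID's proprietary algorithm.

```python
import hashlib
import hmac
import struct

# Constructed sample values; nothing here comes from a real token or the report.
VICTIM_DEVICE = ("WKS-0421", "3f9c1d2a-victim-machine-id")
ATTACKER_DEVICE = ("ATTACKER-VM", "77b1e0c4-attacker-machine-id")
SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DIGITS = 6


def device_fingerprint(hostname: str, machine_id: str) -> str:
    """Stand-in for the 'system specific value' a soft token is bound to."""
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).hexdigest()


def otp_code(seed: bytes, timestep: int) -> str:
    """HOTP/TOTP-style truncated HMAC code (hypothetical, not SecurID's algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", timestep), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


# --- Weak design: the binding is only a comparison; the seed is stored as-is ---

def issue_weak_token(seed: bytes, fingerprint: str) -> dict:
    return {"seed": seed.hex(), "bound_to": fingerprint}


def load_weak_token(token: dict, fingerprint: str, patch_check: bool = False) -> bytes:
    """patch_check=True models NOP-ing the single comparison the report describes."""
    if not patch_check and token["bound_to"] != fingerprint:
        raise PermissionError("token was not issued for this device")
    return bytes.fromhex(token["seed"])  # the seed never depended on the fingerprint


# --- Hardened design: the seed is wrapped under a key derived from the fingerprint ---

def _wrap_key(fingerprint: str) -> bytes:
    return hashlib.sha256(b"token-wrap|" + fingerprint.encode()).digest()


def issue_strong_token(seed: bytes, fingerprint: str) -> dict:
    key = _wrap_key(fingerprint)
    wrapped = bytes(a ^ b for a, b in zip(seed, key))  # 32-byte seed, 32-byte key
    tag = hmac.new(key, wrapped, hashlib.sha256).hexdigest()
    return {"wrapped_seed": wrapped.hex(), "tag": tag}


def load_strong_token(token: dict, fingerprint: str, patch_check: bool = False) -> bytes:
    key = _wrap_key(fingerprint)
    wrapped = bytes.fromhex(token["wrapped_seed"])
    expected = hmac.new(key, wrapped, hashlib.sha256).hexdigest()
    if not patch_check and not hmac.compare_digest(expected, token["tag"]):
        raise PermissionError("token was not issued for this device")
    # Even with the check patched out, a foreign fingerprint unwraps to garbage.
    return bytes(a ^ b for a, b in zip(wrapped, key))


def unpatched_copy_refused(issue, load) -> bool:
    """A stolen token file loaded on another machine, client left unmodified."""
    token_file = issue(SEED, device_fingerprint(*VICTIM_DEVICE))
    try:
        load(token_file, device_fingerprint(*ATTACKER_DEVICE))
        return False
    except PermissionError:
        return True


def patched_copy_yields_valid_codes(issue, load, timestep: int = 54_321_000) -> bool:
    """Same stolen file, but the attacker's client has the binding check patched out."""
    victim_fp = device_fingerprint(*VICTIM_DEVICE)
    attacker_fp = device_fingerprint(*ATTACKER_DEVICE)
    token_file = issue(SEED, victim_fp)
    victim_seed = load(token_file, victim_fp)
    attacker_seed = load(token_file, attacker_fp, patch_check=True)
    return all(otp_code(attacker_seed, t) == otp_code(victim_seed, t)
               for t in range(timestep, timestep + 3))


if __name__ == "__main__":
    for name, issue, load in (("weak", issue_weak_token, load_weak_token),
                              ("strong", issue_strong_token, load_strong_token)):
        print(name, "refuses unpatched copy:", unpatched_copy_refused(issue, load),
              "| patched copy generates valid codes:", patched_copy_yields_valid_codes(issue, load))
```

In the weak design both clients refuse the copied file, but once the check is patched the attacker's client produces exactly the victim's codes, because the seed it uses was never tied to the device value. In the wrapped design the patched client runs, but derives a different seed and so different codes. The caveat is that wrapping only raises the bar: an attacker who also exfiltrates whatever the fingerprint is computed from can recreate the key on their own machine, which is why a hardware-backed key store or a separate physical token is the stronger binding.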
Two-factor authentication is seen as a pillar of online security, providing a way to double-check the identity of a user before allowing access. It is typically used across online banking, email, and social media.
The use of two-factor authentication is highly recommended by the Australian government and is one of the Australian Cyber Security Centre's "Essential Eight", its baseline set of mitigation strategies against cyber security incidents.
The Fox-IT report found that APT20 is likely operating under the instruction of the Chinese government.
“Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes,” it said.
It identified victims in 10 countries across a range of sectors, including aviation, healthcare, finance, insurance and energy.