Chinese hacking group caught bypassing two-factor authentication (2FA)
Security researchers say they have found evidence that a Chinese state-linked hacking group bypassed two-factor authentication (2FA) in a recent wave of attacks, documented by Dutch cyber-security firm Fox-IT under the name Operation Wocao. Fox-IT attributes the attacks to the group tracked as APT20, which is believed to operate on behalf of the Chinese government.
The group's primary targets are government entities and managed service providers (MSPs), active in sectors such as aviation, health care, finance, insurance, and energy.
The Fox-IT report fills a gap in the group's history. APT20's activity dates back to 2011, but researchers lost track of its operations in 2016-2017, when the group changed its way of working. The new report documents what APT20 has been doing over the past two years, and how.
According to the researchers, the attackers used web servers as the initial point of entry into targeted networks, with a particular focus on JBoss, an enterprise application platform that the researchers say is commonly found in government and large corporate networks. APT20 exploited vulnerabilities to gain access to these servers, installed web shells on them, and then moved laterally through the victim's internal systems.
A primary objective, Fox-IT said, was obtaining VPN credentials, so that the attackers could escalate their access to more secure parts of the victim's infrastructure, or use the VPN account as a more stable backdoor for their ongoing operations. Despite this extensive activity, the group managed to stay under the radar over the past two years.
It did so by using legitimate tools already installed on the compromised systems rather than downloading its own malware, which could have been detected by local security software. That was not, however, the most notable finding in the attacks Fox-IT examined: its analysts found evidence that the attackers had connected to VPN accounts protected by 2FA.
How they did this is not known for certain, but Fox-IT's theory is that APT20 stole an RSA SecurID software token from a compromised system and used it on its own machines to generate valid one-time codes, bypassing 2FA at will.
Normally this should not work: a SecurID software token is issued for a specific system, and the SecurID software refuses to use a token that was not generated for the machine it is running on, reporting an error instead. As Fox-IT points out, however, that system-specific value is only checked when the token seed is imported and plays no part in generating the actual one-time codes, so an attacker who holds the seed can simply patch out the import check. The practical lesson is that a software token is only as safe as the seed file and the host it lives on: a binding check that is not cryptographically tied to code generation does not stop a stolen seed from being used elsewhere.
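The following is an added illustration, not code from the Fox-IT report and not RSA's proprietary SecurID algorithm. It models a software token as an RFC 6238 TOTP seed plus a hypothetical import-time "system binding" value, and shows why a binding check that is separate from code generation does not protect a stolen seed: once the check is bypassed (the `patched` flag stands in for patching the client), the seed produces exactly the same codes on the attacker's host as on the victim's. The seed, hostnames and machine IDs are constructed inputs (the seed is the RFC 6238 test-vector seed).

```python
import hashlib
import hmac
import struct
import time

# Illustrative model only: an RFC 4226/6238 OTP generator plus a made-up
# system-binding check. It is NOT RSA's SecurID algorithm.


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def system_value(hostname: str, machine_id: str) -> str:
    """Hypothetical system-specific value a soft token is bound to when issued."""
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).hexdigest()


def issue_token(seed: bytes, hostname: str, machine_id: str) -> dict:
    """Token file as delivered to a user: the seed plus the binding value."""
    return {"seed": seed.hex(), "bound_to": system_value(hostname, machine_id)}


def import_token(token: dict, hostname: str, machine_id: str,
                 patched: bool = False) -> bytes:
    """Import-time check: refuse the token unless the binding matches this host.

    `patched=True` models an attacker who has patched the check out of the
    client binary. Note the returned seed does not depend on the binding at all.
    """
    if not patched and token["bound_to"] != system_value(hostname, machine_id):
        raise ValueError("token was not issued for this system")
    return bytes.fromhex(token["seed"])


def demo(unix_time: int = 59) -> dict:
    """Victim and attacker each import the same token file and generate a code."""
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed (constructed input)
    token = issue_token(seed, "victim-laptop", "machine-id-0001")

    # Legitimate user on the machine the token was issued for.
    victim_code = totp(import_token(token, "victim-laptop", "machine-id-0001"), unix_time)

    # Attacker copies the token file to another host: the import check fires...
    try:
        import_token(token, "attacker-box", "machine-id-9999")
        check_blocked = False
    except ValueError:
        check_blocked = True

    # ...but the check is the only obstacle. Patched out, the seed yields the same codes.
    attacker_seed = import_token(token, "attacker-box", "machine-id-9999", patched=True)
    attacker_code = totp(attacker_seed, unix_time)

    return {"victim": victim_code, "attacker": attacker_code,
            "import_check_blocked": check_blocked}


if __name__ == "__main__":
    print(demo(int(time.time())))
```

The point of the model is the separation between `import_token` and `totp`: the binding value is consulted once, at import, and never enters the HMAC that produces the code. Protecting a software token therefore means protecting the seed itself (hardware-backed storage, or a token bound to a key the host cannot export), not adding checks around it.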