Tuesday, October 27, 14:55
2FA: Chinese hacking team bypasses two-factor authentication

Security researchers have identified a hacking group linked to the Chinese government that carries out attacks bypassing two-factor authentication (2FA).

According to a report by the Dutch security company Fox-IT, the group is known as APT20 and works for the Beijing government.

The main targets of the attacks are government entities and managed service providers (MSPs) active in sectors such as aviation, healthcare, finance, insurance and energy.

Hacking incidents related to APT20

According to Fox-IT, APT20 began its activities in 2011, but researchers lost track of it during 2016-2017 because the hackers changed their way of working.

What has the APT20 been doing in the last two years?

According to the researchers, the hackers used web servers as the initial entry point into their targets' systems. In particular, they focused on JBoss, an enterprise application platform often used in large corporate and government networks.

APT20 hackers exploited vulnerabilities that gave them access to the servers. They then installed web shells and spread through the victims' systems.

Afterwards they stole passwords and looked for administrator accounts to maximize their access. They also looked for VPN credentials in order to reach more secure areas of the victim's network.

Despite all this activity, the hackers managed to go unnoticed for these two years.

They did this by using legitimate tools that were already installed on the compromised devices, so antivirus programs did not flag them.

APT20 bypasses two-factor authentication (2FA)

The researchers found that APT20 hackers breached 2FA-protected VPN accounts.

How they did it is not yet known, but the researchers have a theory: they believe APT20 stole an RSA SecurID software token from a compromised system and used it to generate valid one-time codes and bypass 2FA.

Normally, to use one of these software tokens, the user has to connect a physical hardware device to their computer. The device and the software token together generate a valid 2FA code. If the device is not present, the RSA SecurID software reports an error.

How did the hackers get around this obstacle? Fox-IT researchers explain:

The software token is generated for a specific system, but the hackers have access to the victim's system, so things are simple.

All the hackers need in order to produce valid two-factor authentication (2FA) codes is to steal an RSA SecurID software token.
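The scenario above, a software token that is meant to be bound to one system being used from somewhere else, is something a defender can look for in VPN authentication logs. The following is an added example, not code from Fox-IT or from the report: it parses a constructed, hypothetical log format (timestamp, user, token serial, source IP, result) and raises an alert whenever a token serial that has already been used successfully appears from a source it has not been seen on before, marking it "concurrent" when the earlier use was within the last hour.

```python
"""Detect reuse of a 2FA software token from an unexpected source.

Added example, not part of the Fox-IT report: if a software token is tied
to one system, successful VPN logins that present the same token serial from
a second source are worth an alert. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format):
# timestamp | user | token_serial | source_ip | result
SAMPLE_LOG = """\
2019-12-01T08:02:11 | alice | 000123456789 | 203.0.113.10 | OK
2019-12-01T09:15:40 | alice | 000123456789 | 203.0.113.10 | OK
2019-12-01T09:21:03 | alice | 000123456789 | 198.51.100.77 | OK
2019-12-01T10:00:00 | bob   | 000987654321 | 203.0.113.20 | FAIL
2019-12-01T10:01:30 | bob   | 000987654321 | 203.0.113.20 | OK
2019-12-02T07:45:12 | bob   | 000987654321 | 203.0.113.20 | OK
"""

def parse_log(text):
    """Parse the constructed format into sorted (timestamp, user, serial, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, serial, ip, result = [f.strip() for f in line.split("|")]
        events.append((datetime.fromisoformat(ts), user, serial, ip, result))
    return sorted(events)

def find_token_reuse(text, window=timedelta(hours=1)):
    """Return alerts for successful logins where a token serial appears from a
    source IP it has not been seen on before; the alert is 'concurrent' when the
    last success from another IP was within `window`, otherwise 'new-source'."""
    seen = defaultdict(dict)  # serial -> {ip: timestamp of last successful login}
    alerts = []
    for ts, user, serial, ip, result in parse_log(text):
        if result != "OK":
            continue  # failed attempts never establish a known source
        known = seen[serial]
        if known and ip not in known:
            last_other = max(known.values())
            kind = "concurrent" if ts - last_other <= window else "new-source"
            alerts.append({"user": user, "serial": serial, "ip": ip,
                           "previous_ips": sorted(known), "kind": kind})
        known[ip] = ts
    return alerts

if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_LOG):
        print(alert)
```

In a real deployment the source would be the VPN gateway's own log and the "known source" baseline would be kept per token across runs rather than rebuilt from one file.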

Operation Wocao

Fox-IT researchers said they were able to uncover the APT20 attacks because one of the victim companies requested an investigation into a hacking incident.

More details about these attacks can be found in the report titled "Operation Wocao".

The name comes from an incident in which the hackers tried to run various commands on Windows. When the commands failed, the APT20 hackers realized they had been detected and typed one last command, "wocao", which in Chinese slang means "to get!"
