Thursday, February 25, 09:14

2FA: Chinese hacking team bypasses two-factor authentication

Security researchers have identified a hacking group associated with the Chinese government that carries out attacks which bypass two-factor authentication (2FA).

According to a report by the Dutch company Fox-IT, the hacking group is known as APT20 and works for the Beijing government.

The main targets of the attacks are government entities and managed service providers (MSPs) active in sectors such as aviation, healthcare, finance, insurance and energy.

Hacking incidents related to APT20

According to Fox-IT, APT20 began its activities in 2011, but researchers lost track of the group during 2016-2017 because the hackers changed their way of working.

What has the APT20 been doing in the last two years?

According to the researchers, the hackers used web servers as the initial entry point into their targets' systems. In particular, they focused on JBoss, an enterprise application platform often used in large corporate and government networks.

APT20 exploited vulnerabilities that gave them access to these servers. They then installed web shells and moved laterally within the victims' systems.

Afterwards they stole passwords and looked for administrator accounts to maximize their access. They also searched for VPN credentials in order to reach more secure areas of the victim's network.

However, the hackers managed to go unnoticed for these two years.

They did this by using legitimate tools that were already installed on the compromised devices, so antivirus programs did not flag them.

APT20 bypasses two-factor authentication (2FA)

The researchers found that APT20 hackers breached 2FA-protected VPN accounts.

How they did it is not yet known. However, the researchers have a theory: they believe APT20 stole an RSA SecurID software token from a compromised system and used it to generate valid one-time codes and bypass 2FA.

To use one of these software tokens, the user would normally have to connect a physical device to their computer. The device and the software token together generate a valid 2FA code; if the device is not present, the RSA SecurID software returns an error.

How did the hackers get around this? Fox-IT's researchers explain:

The software token is generated for a specific system, but the hackers already have access to the victim's system, so this is straightforward for them.

All the hackers need in order to generate valid two-factor authentication (2FA) codes is to steal an RSA SecurID software token.
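Because a stolen software token produces codes the VPN accepts as genuine, the authentication itself looks clean; what a defender can still see is the same identity completing MFA from two different places at once. The following is an added example, not code from the article or the Fox-IT report, and it assumes a constructed VPN log format and constructed sample lines.

```python
"""Flag 2FA-protected VPN accounts whose one-time codes are accepted from
more than one source address inside a short window. Log format, field
names and sample lines are constructed for this example (not a vendor format)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed format: ISO timestamp, user, source IP, MFA result
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<result>\w+)$"
)

SAMPLE_LOG = """\
2019-12-19T08:02:11Z vpn user=jdoe src=203.0.113.10 mfa=accepted
2019-12-19T08:05:40Z vpn user=jdoe src=198.51.100.77 mfa=accepted
2019-12-19T08:20:03Z vpn user=asmith src=203.0.113.22 mfa=accepted
2019-12-19T09:45:30Z vpn user=asmith src=198.51.100.5 mfa=rejected
2019-12-19T13:10:00Z vpn user=jdoe src=203.0.113.10 mfa=accepted
"""

def parse(log):
    """Return (timestamp, user, src, result) tuples for matching lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a VPN authentication event
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events

def concurrent_token_use(log, window=timedelta(minutes=30)):
    """Map each user to the sorted list of source IPs from which accepted
    MFA logins occurred within `window` of each other (empty if none)."""
    by_user = defaultdict(list)
    for ts, user, src, result in parse(log):
        if result == "accepted":          # rejected codes are not token use
            by_user[user].append((ts, src))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t1, s1) in enumerate(logins):
            for t2, s2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break                 # later logins are outside the window
                if s1 != s2:
                    findings.setdefault(user, set()).update({s1, s2})
    return {u: sorted(ips) for u, ips in findings.items()}

if __name__ == "__main__":
    print(concurrent_token_use(SAMPLE_LOG))
```

A hit does not prove token theft (roaming users and split tunnels also trigger it), but it is the kind of signal worth correlating with the VPN credential hunting described above.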

Operation Wocao

Fox-IT researchers said they were able to uncover the APT20 attacks because one of the victim companies requested an investigation into a hacking incident.

More details about these attacks can be found in the report, titled "Operation Wocao".

The hackers tried to run various commands on Windows. When the commands failed, the APT20 hackers realized they had been detected and typed one last command, "wocao", which in Chinese slang roughly means "damn it!"


Absent Mia