Chinese hackers caught bypassing two-factor authentication

Chinese hackers have been caught bypassing two-factor authentication, but this is not certain. What follows are the hypotheses of the Dutch company Fox-IT, which specializes in cybersecurity consulting services. It is assumed, without direct evidence, that the hacker group known as APT20 works for Chinese government structures.

Hacking activity attributed to APT20 was first discovered in 2011. In 2016-2017 the group dropped out of researchers' view, and only recently did Fox-IT find traces of APT20 activity in the network of one of its clients, who had asked it to investigate a security breach.

According to Fox-IT, over the past two years APT20 has been breaking into and extracting data from government agencies, large companies and service providers in the US, France, Germany, Italy, Mexico, Portugal, Spain, the UK and Brazil. The group has also been active in sectors such as aviation, healthcare, finance, insurance and energy, and even in areas such as gambling and electronic locks.

Typically, APT20 entered victims' systems through vulnerabilities in web servers, in particular in the JBoss enterprise application platform. After gaining access and installing web shells, the attackers moved through the victims' networks to every system they could reach. The accounts they found allowed them to steal data with standard tools, without installing malware. The main trouble, however, is that APT20 was allegedly able to bypass token-based two-factor authentication.

The researchers claim to have found traces of the attackers connecting to VPN accounts protected by two-factor authentication. How this happened, Fox-IT's specialists can only speculate. The most likely explanation is that the attackers stole an RSA SecurID software token from a compromised system. With the stolen program, they could later generate one-time codes and so bypass the two-factor protection.

Under normal circumstances this is not possible. The software token does not work without a hardware token connected to the local system; without it, the RSA SecurID program gives an error. The soft token is created for a specific system, and only with access to the victim's hardware can one obtain the system-specific value needed to run the soft token.

Fox-IT argues that, in order to run a (stolen) software token, it is not at all necessary to have access to the victim's computer and hardware token. The whole set of initial checks is performed only when the initial generation value is imported, i.e., the random 128-bit number corresponding to a specific token (the SecurID Token Seed). The system-specific value is checked only at that import step and has no relation to the seed, which is what is actually used afterwards to generate the software token's codes. If the SecurID Token Seed check can somehow be skipped (patched), nothing further prevents the generation of two-factor authentication codes. Fox-IT says the check can be bypassed with a single instruction change. After that, the victim's system is completely, and legitimately, open to the attacker without the use of special utilities or web shells.
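To make the design point concrete, here is an added example; it is not code from Fox-IT, RSA or the 3dnews article. It models a software token whose device binding is only a comparison at import time, next to one whose working key is derived from both the seed and a device value at every use. HOTP (RFC 4226) stands in for RSA's proprietary generator, and the seed, hostnames and fingerprint function are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample values. RSA's real algorithm and seed format are proprietary
# and are NOT reproduced here; HOTP (RFC 4226) stands in for the OTP generator.
TOKEN_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # 128-bit seed, constructed
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def device_fingerprint(hostname: str, machine_id: str) -> bytes:
    """Hypothetical stand-in for a system-specific value: a hash of host identifiers."""
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).digest()


class ImportCheckedToken:
    """Weak design: the device binding is a single branch evaluated at import time.
    The key used for code generation is the raw seed, which has no relation to the
    device value, so any holder of the seed can produce codes the server accepts."""

    def __init__(self, seed: bytes, bound_to: bytes):
        self.seed = seed
        self.bound_to = bound_to
        self.key = None

    def import_on(self, local_fp: bytes) -> None:
        if local_fp != self.bound_to:
            raise PermissionError("token was not generated for this system")
        self.key = self.seed  # the check and the key material are independent

    def code(self, counter: int) -> str:
        return hotp(self.key, counter)


class CryptoBoundToken:
    """Hardened design: the working key is derived from the seed AND the device value
    on every use. There is no single check to remove; a copied seed on another
    machine simply derives a different key and therefore different codes."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def code(self, local_fp: bytes, counter: int) -> str:
        key = hmac.new(local_fp, self.seed, hashlib.sha256).digest()
        return hotp(key, counter)


def server_key(seed: bytes, enrolled_fp: bytes, bound: bool) -> bytes:
    """What the authentication server stores at enrolment under each design."""
    if bound:
        return hmac.new(enrolled_fp, seed, hashlib.sha256).digest()
    return seed


def compare_designs(counter: int = 7) -> dict:
    legit_fp = device_fingerprint("WS-FINANCE-01", "machine-id-constructed-1")
    other_fp = device_fingerprint("OTHER-HOST", "machine-id-constructed-2")

    # Weak design: the server knows only the seed; the import-time branch is the
    # sole barrier and it lives entirely in client software.
    weak = ImportCheckedToken(TOKEN_SEED, bound_to=legit_fp)
    weak.import_on(legit_fp)
    weak_server = hotp(server_key(TOKEN_SEED, legit_fp, bound=False), counter)
    try:
        ImportCheckedToken(TOKEN_SEED, bound_to=legit_fp).import_on(other_fp)
        import_elsewhere_succeeded = True
    except PermissionError:
        import_elsewhere_succeeded = False
    seed_alone = hotp(TOKEN_SEED, counter)  # no client software involved at all

    # Bound design: the server enrolled the key derived on the legitimate device.
    bound = CryptoBoundToken(TOKEN_SEED)
    bound_server = hotp(server_key(TOKEN_SEED, legit_fp, bound=True), counter)

    return {
        "weak_legit_matches": weak.code(counter) == weak_server,
        "weak_import_on_other_device_blocked": not import_elsewhere_succeeded,
        "weak_seed_alone_matches": seed_alone == weak_server,
        "bound_legit_matches": bound.code(legit_fp, counter) == bound_server,
        "bound_copy_matches": bound.code(other_fp, counter) == bound_server,
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

In the first design the server only knows the seed, so the seed by itself reproduces every code the server expects; the import-time comparison is the only thing standing in the way, and it is a client-side branch, which is exactly the gap Fox-IT describes. In the second, the key depends on the device value, so there is no branch whose removal helps. The caveat the article itself raises still applies: an attacker with full access to the enrolled machine can read that value too, so the binding raises the cost of a stolen token rather than eliminating the risk, and the fingerprint must stay stable across reboots and updates or legitimate users will be locked out.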

Source: 3dnews.ru