Chinese hackers
Hacking activity attributed to the APT20 group was first discovered in 2011. In 2016-2017 the group dropped out of researchers' sight, and only recently did Fox-IT find traces of APT20 activity in the network of one of its clients, who had asked it to investigate cybersecurity breaches.
According to Fox-IT, over the past two years the APT20 group has been breaking into and accessing data at government agencies, large companies and service providers in the US, France, Germany, Italy, Mexico, Portugal, Spain, the UK and Brazil. APT20 has also been active in sectors such as aviation, healthcare, finance, insurance and energy, and even in areas such as gambling and electronic locks.
Typically, APT20 used vulnerabilities in web servers, and in particular in the JBoss enterprise application platform, to get into victims' systems. After gaining access and installing web shells, the attackers moved through the victims' networks into every system they could reach. The credentials they found let them steal data with standard tools, without installing malware. The main concern, however, is that APT20 was reportedly able to bypass token-based two-factor authentication.
Researchers say they found traces of the attackers connecting to VPN accounts protected by two-factor authentication. Fox-IT specialists can only speculate about how this happened. The most likely explanation is that the attackers were able to steal an RSA SecurID software token from a compromised system; with the stolen program they could then generate one-time codes and pass the two-factor check.
Under normal circumstances this is not possible. The software token does not work without a hardware token connected to the local system; without it, the RSA SecurID program gives an error. The soft token is created for a specific system, and with access to the victim's hardware one can obtain the specific number needed to run the soft token.
Fox-IT argues that launching a (stolen) software token does not require access to the victim's computer and hardware token at all. The whole set of initial checks is passed once the initial generation vector is imported, i.e., a random 128-bit number corresponding to a specific token (
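The security point in the two paragraphs above is that a one-time-code generator is entirely determined by its seed: a "this token only runs on this machine" check lives in the client program, so once the seed is extracted the check adds nothing, and the server cannot tell codes from the bound token apart from codes computed from the bare seed. The example below is added here to illustrate that; it is not RSA SecurID's proprietary algorithm and not code from Fox-IT or 3dnews.ru. It uses the open RFC 4226/6238 HOTP/TOTP construction (with the RFC's published test vector) and a hypothetical `BoundSoftToken` class and `verify_code` server-side check, both constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 SHA-1 test vector key, not a real token seed.
SAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class BoundSoftToken:
    """Hypothetical soft token that refuses to run unless a device identifier matches.

    The binding is a client-side policy only: the code it emits is a pure
    function of the seed and the time, exactly as in totp() above.
    """

    def __init__(self, seed: bytes, bound_device_id: str) -> None:
        self._seed = seed
        self._bound_device_id = bound_device_id

    def generate(self, unix_time: int, current_device_id: str) -> str:
        if current_device_id != self._bound_device_id:
            raise PermissionError("soft token is bound to a different device")
        return totp(self._seed, unix_time)


def verify_code(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps.

    The server only ever sees the seed-derived code, so it has no way to know
    whether a device-binding check was honoured on the client.
    """
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta), code):
            return True
    return False


def demo(unix_time: int = 59) -> dict:
    """Show that a code from the bare seed verifies exactly like one from the bound token."""
    token = BoundSoftToken(SAMPLE_SEED, bound_device_id="laptop-A")
    from_bound_token = token.generate(unix_time, current_device_id="laptop-A")
    from_bare_seed = totp(SAMPLE_SEED, unix_time)  # no device check involved
    try:
        token.generate(unix_time, current_device_id="laptop-B")
        binding_enforced = False
    except PermissionError:
        binding_enforced = True
    return {
        "bound_token_code": from_bound_token,
        "bare_seed_code": from_bare_seed,
        "codes_identical": from_bound_token == from_bare_seed,
        "server_accepts_bare_seed_code": verify_code(SAMPLE_SEED, from_bare_seed, unix_time),
        "client_binding_enforced": binding_enforced,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for defenders is where the real secret lives: the seed, not the device-binding number. Protecting seed material at rest (or keeping it in hardware that never exports it) and alerting on VPN logins whose origin, timing or geography does not match the user are controls that still work when a client-side check has been sidestepped.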
Source: 3dnews.ru