A Chinese hacking group believed to operate on behalf of the Beijing government has learned how to bypass two-factor authentication (2FA) in attacks on government and industry targets, ZDNet reported on Monday.
The group, known as APT20, has reportedly sought to compromise VPN credentials that would grant them heightened levels of access across their victims’ networks, according to ZDNet, citing a new report from Dutch cyber-security firm Fox-IT.
While bypassing 2FA is not unheard of, the sophistication required on the perpetrator’s part means such attacks are relatively rare. It’s not entirely clear how APT20 pulled it off. However, ZDNet reported on one theory:
They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will.
Normally, this wouldn’t be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecurID software would generate an error.
Fox-IT said APT20 likely developed the bypass technique itself. The group has largely managed to stay off the radar by relying on “legitimate” channels, such as VPN access, to carry out its attacks.
“We have identified victims of this actor in 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech,” its report states. Targets reportedly reside in nearly a dozen countries, including Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States.
Once initial access is acquired, the group moves laterally by deploying custom backdoors on multiple servers, the researchers said. From there, it begins the process of collecting the sensitive data it’s after, if not additional credentials to help elevate its access. When the group is done, it typically deletes its tools and the compressed files it creates for extraction to hinder forensic investigations.
You can read the full Fox-IT report here.