Security researchers have found that a hacker group linked to the Chinese government has been circumventing two-factor authentication [2FA] in a recent series of attacks.
Dutch cybersecurity firm Fox-IT disclosed in a report last week that the attacks were carried out by a group that cybersecurity companies track under the name APT20. The group is believed to be operating under the direction of the Chinese government.
The main targets of this group were government agencies and managed service providers [MSPs]. The targeted government agencies and MSPs operated in aviation, healthcare, finance, insurance and energy, as well as niche areas such as gambling and physical locks.
Provided by Fox-IT
Recent activities by APT20
The Fox-IT report uncovered a previously unknown part of the group's past activities. APT20 has been engaged in hacking activities since 2011, but its mode of operation changed between 2016 and 2017, and researchers were unable to track the group during that period.
Fox-IT's report describes the group's activities over the past two years and the techniques it used.
According to the researchers, the hackers used web servers as their initial entry point into targeted systems. In particular, they targeted JBoss, an enterprise application platform commonly used in large corporate and government networks.
APT20 exploited vulnerabilities in those servers to gain access, install a web shell, and then spread through the victim's internal systems.
According to Fox-IT, once inside, the group dumped passwords and searched for administrator accounts in order to gain the highest level of access. Its main goal was to obtain VPN credentials, which would let it reach more secure areas of the target's infrastructure or use the VPN account as a more stable backdoor.
Fox-IT said that despite the seemingly large-scale hacking activity over the past two years, the activity "generally continued without being detected."
The researchers said the group achieved this by using legitimate tools that were already installed on the compromised devices instead of downloading its own custom-made malware, which could have been detected by the security software on those systems.
APT20 bypassed two-factor authentication
However, the most striking finding of Fox-IT's investigation was something else. According to Fox-IT analysts, the hackers were found to have connected to VPN accounts protected by two-factor authentication.
How they did so is unknown, but the Fox-IT research team has a hypothesis. Fox-IT argues that APT20 stole an RSA SecurID software token from a hacked system, used it on its own computer to generate valid one-time passwords, and thereby circumvented two-factor authentication.
Normally this should not be possible. To use a software token, a specific physical device must be connected to the computer, and only the combination of that device and the software token can generate a valid two-factor authentication code. If the software token is used while the device is not connected, the SecurID software returns an error.
Provided by Fox-IT
Fox-IT's research team describes the technique the hackers may have used to get around this:
The generated software token can be used only on a specific system, but the system-specific value used to generate the token can easily be obtained by anyone with access to the victim's system.
However, in practice, the attacker does not even need the unique value of the affected system. This is because the value is only checked when importing the SecurID token seed and is not needed to generate the actual two-factor authentication token. In other words, once the software is patched to modify the part that checks whether the imported token seed was generated for this system, there is no longer any need to steal system-specific values.
This means that by stealing an RSA SecurID software token and modifying a single instruction, it is possible to generate valid tokens and bypass two-factor authentication.
Provided by Fox-IT
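The design lesson in the quoted explanation is that a device binding enforced only by a comparison at import time is a gate, not a cryptographic dependency, so the codes a token produces are a function of the seed alone. The following toy is an added illustration, not Fox-IT's code and not a model of how RSA SecurID actually stores seeds or identifies systems: it contrasts an import-time check with a design in which the OTP key is derived from both the seed and the device value, so that the same seed on a different system yields codes the verifier rejects. The seed, device identifiers and counter are constructed values; the HOTP routine follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (not taken from the Fox-IT report
# and not how RSA SecurID formats its seeds or system-specific values).
TOKEN_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
VICTIM_DEVICE = "victim-laptop-serial-0001"    # hypothetical system-specific value
OTHER_DEVICE = "other-machine-serial-9999"     # hypothetical, a different system


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ImportCheckedToken:
    """Weak design: the device binding is only a comparison at import time.
    After import the raw seed is kept and code generation uses the seed alone,
    so the device value plays no cryptographic role in the codes produced."""

    def __init__(self, seed: bytes, issued_for: str, this_device: str):
        if issued_for != this_device:
            raise ValueError("token seed was not issued for this system")
        self.seed = seed

    def code(self, counter: int) -> str:
        return hotp(self.seed, counter)


def derive_device_key(seed: bytes, device: str) -> bytes:
    """Hardened design helper: bind the seed to the device by key derivation."""
    return hmac.new(device.encode(), seed, hashlib.sha256).digest()


class DeviceDerivedToken:
    """Hardened design: the OTP key is derived from the seed AND the device value,
    so every generated code depends on the device, not just the import step."""

    def __init__(self, seed: bytes, this_device: str):
        self.key = derive_device_key(seed, this_device)

    def code(self, counter: int) -> str:
        return hotp(self.key, counter)


def weak_design_code_ignores_device(counter: int = 7) -> bool:
    """In the weak design the code is a pure function of the seed: anyone holding
    the seed computes the same value, so the import check is the only barrier."""
    token = ImportCheckedToken(TOKEN_SEED, VICTIM_DEVICE, VICTIM_DEVICE)
    return token.code(counter) == hotp(TOKEN_SEED, counter)


def weak_design_rejects_foreign_import() -> bool:
    """The weak design does refuse a seed on the wrong system, but only at import."""
    try:
        ImportCheckedToken(TOKEN_SEED, VICTIM_DEVICE, OTHER_DEVICE)
    except ValueError:
        return True
    return False


def hardened_design_code_depends_on_device(counter: int = 7) -> bool:
    """Verifier side: the server knows the seed and the device the token was issued
    for. The legitimate device's code matches; the same seed used on another
    system yields a different code, which the verifier rejects."""
    expected = hotp(derive_device_key(TOKEN_SEED, VICTIM_DEVICE), counter)
    legit = DeviceDerivedToken(TOKEN_SEED, VICTIM_DEVICE).code(counter)
    elsewhere = DeviceDerivedToken(TOKEN_SEED, OTHER_DEVICE).code(counter)
    return legit == expected and elsewhere != expected


if __name__ == "__main__":
    print("weak: code ignores device        ", weak_design_code_ignores_device())
    print("weak: foreign import rejected    ", weak_design_rejects_foreign_import())
    print("hardened: code depends on device ", hardened_design_code_depends_on_device())
```

The verifier in the hardened variant must itself derive the per-device key, which means enrolment has to register the device value with the server; that is the price of turning a local check into a property the server can actually rely on.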
Fox-IT states that it was able to investigate the APT20 attacks after a company that had been hacked asked it for assistance with investigation and response.
Details of the attack are described in Fox-IT's report, "Operation Wocao".
This article is based on an overseas CBS Interactive article, edited by Asahi Interactive for Japan.