
Chinese APT Group Seen Bypassing 2FA

In a recent report, security researchers have found evidence that a Chinese state-sponsored hacking group, APT20, was able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, that gain access to a specific network and are able to operate for long periods before discovery. APT20, also known as Wocao, is such a group and until very recently appeared to have gone on hiatus, with little known of its operations during 2016 and 2017.

In the report published by Fox-IT, the group's primary targets were shown to be government entities and managed service providers (MSPs). These were active in fields like aviation, healthcare, finance, insurance, energy, and even niches such as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity from 2016 to 2017. I'm sure some hoped they were gone for good, but given the current research, the group changed its tactics considerably. Based on this new information, it would seem the group has been active over the last two years.

The group's new tactics appear to target web servers as the initial point of entry. The group further appears to focus on corporate networks running JBoss, an enterprise application platform often found on corporate and government networks. To gain access to the web servers the group exploited a variety of vulnerabilities, then installed web shells, and finally moved laterally across the network. Once inside, the group dumped passwords and looked for administrator accounts to maximize its access. A primary concern was obtaining VPN credentials, so the attackers could escalate access to more secure areas of a victim's infrastructure, or use the VPN accounts as more stable backdoors. This was all done while managing to fly under the radar for a long period.


The group's stealth can be attributed to its use of legitimate tools that would not raise suspicion from security software installed on the network. Had they installed custom-made malware, their chances of being caught would have been significantly higher. This is a tactic employed by many other APT groups across the globe. What piqued the researchers' interest is that the group appeared to bypass 2FA protections attached to victims' VPN accounts. Exactly how this was done is not yet known, but the researchers did find evidence pointing to how the accounts could have been compromised.

Bypassing 2FA

From the researchers' analysis, it would appear that APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its own computers to generate valid one-time codes and bypass 2FA at will. Software tokens are a form of two-factor authentication stored on devices such as a desktop or laptop PC and are sometimes used to authorize access to the PC or to services. Such tokens can be duplicated and have been exposed by hackers in previous attacks. Hardware tokens are deemed more secure, as the secret is held on the piece of hardware and cannot be duplicated. However, software tokens normally need to be tied to a specific physical device: the device and the software token together generate a valid 2FA code, and if the device does not match, the RSA SecurID software would generate an error.

The researchers explained how the group may have been able to bypass 2FA, stating that:

“The software token is generated for a specific system, but of course this system-specific value could easily be retrieved by the actor when having access to the system of the victim…As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all…In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”
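The design flaw the researchers describe is that the system-specific value is merely compared at import time and plays no part in producing codes, so the stored seed is usable on any machine once that comparison is out of the way. The following is an added illustration written for this page; it is not Fox-IT's or RSA's code, and it uses RFC 4226 HOTP as a stand-in for the proprietary SecurID algorithm because the lesson only needs the code to depend on the seed. Design A mirrors the pattern in the report (bare seed on disk, device check in the importer). Design B shows the defensive alternative: derive the stored blob from the seed and the device fingerprint so that there is no standalone check to remove and the wrong device simply recovers the wrong seed. The seed, device fingerprints, and the `soft-token-binding-v1` label are all constructed for this example. As the report itself notes, an actor with access to the victim's system may still be able to harvest the device value, so this binding raises the bar rather than replacing seed protection in hardware and monitoring for token export.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the model; not real SecurID seeds or device identifiers.
TOKEN_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
VICTIM_DEVICE_ID = "victim-host-fingerprint-0001"   # hypothetical "system-specific value"
OTHER_DEVICE_ID = "other-host-fingerprint-9999"     # hypothetical second machine


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation), standing in for the proprietary
    SecurID algorithm. All that matters here is that the code depends on `key`."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def server_accepts(seed: bytes, counter: int, code: str) -> bool:
    """Server side: it knows the seed and the counter, and nothing about the device."""
    return hmac.compare_digest(hotp(seed, counter), code)


def device_mask(device_id: str, length: int) -> bytes:
    """Toy device-bound KDF: HMAC-SHA256 over the device fingerprint under a fixed label.
    (A real product would use a standard KDF and hardware-backed key storage.)"""
    return hmac.new(b"soft-token-binding-v1", device_id.encode(), hashlib.sha256).digest()[:length]


class CheckedSoftToken:
    """Design A (the pattern the report describes): the seed is stored unchanged and the
    device fingerprint is only compared, inside the importer, at import time."""

    @staticmethod
    def provision(seed: bytes, device_id: str) -> dict:
        return {"seed": seed, "provisioned_for": device_id}

    @staticmethod
    def import_token(blob: dict, current_device_id: str) -> bytes:
        # This comparison is the only thing tying the file to a machine.
        if blob["provisioned_for"] != current_device_id:
            raise PermissionError("token not provisioned for this device")
        return blob["seed"]

    @staticmethod
    def generate(seed: bytes, counter: int) -> str:
        # Generation never consults the device; whoever holds `seed` can produce codes.
        return hotp(seed, counter)


class BoundSoftToken:
    """Design B (hardened): the stored blob is the seed masked with a device-derived key.
    There is no comparison to remove; the wrong device just recovers the wrong seed."""

    @staticmethod
    def provision(seed: bytes, device_id: str) -> bytes:
        mask = device_mask(device_id, len(seed))
        return bytes(s ^ m for s, m in zip(seed, mask))

    @staticmethod
    def recover_seed(blob: bytes, current_device_id: str) -> bytes:
        mask = device_mask(current_device_id, len(blob))
        return bytes(b ^ m for b, m in zip(blob, mask))

    @staticmethod
    def generate(blob: bytes, counter: int, current_device_id: str) -> str:
        return hotp(BoundSoftToken.recover_seed(blob, current_device_id), counter)


def checked_design_seed_is_device_independent(counter: int = 7) -> bool:
    """Design A: the file on disk already holds the bare seed, so the import-time
    comparison is a gate in the application rather than a property of the data."""
    blob = CheckedSoftToken.provision(TOKEN_SEED, VICTIM_DEVICE_ID)
    code = CheckedSoftToken.generate(blob["seed"], counter)
    return blob["seed"] == TOKEN_SEED and server_accepts(TOKEN_SEED, counter, code)


def bound_design_on_wrong_device_fails(counter: int = 7) -> bool:
    """Design B: the same blob on another machine yields a different seed and rejected codes."""
    blob = BoundSoftToken.provision(TOKEN_SEED, VICTIM_DEVICE_ID)
    right = server_accepts(TOKEN_SEED, counter, BoundSoftToken.generate(blob, counter, VICTIM_DEVICE_ID))
    wrong = server_accepts(TOKEN_SEED, counter, BoundSoftToken.generate(blob, counter, OTHER_DEVICE_ID))
    return right and not wrong


if __name__ == "__main__":
    print("design A: seed usable without the device check:", checked_design_seed_is_device_independent())
    print("design B: copied blob rejected on another device:", bound_design_on_wrong_device_fails())
```

Running the script prints `True` for both checks: under design A the seed file is sufficient on its own, while under design B a copied blob produces codes the server rejects unless the live device fingerprint matches the one used at provisioning. For detection, the relevant point is that a soft-token seed is a credential: exports of the token file, or codes for one user appearing from two hosts, are worth alerting on regardless of which design is in use.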

The danger posed by APT groups in general is clearly on display with APT20: even when tactics change, the group still seems able to rewrite the rules for breaking into networks unnoticed. APT20 first rose to public attention following a series of attacks that seemingly began in 2011. In that instance, the group targeted companies in the chemical sector. Those attacks were further characterized by the use of a trojan named PoisonIvy, and were deemed to be motivated by gaining a competitive edge in the chemical sector. Given the numerous economic sectors now targeted by APT20, it is safe to assume this may still be the case. Symantec concluded in 2011 that these attacks primarily focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes. While the tactics have changed, it would seem the overall goal has not.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
