
Chinese hacker group bypasses 2FA

spartaman64
Quote

Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks.

The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate on the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published last week.

Quote

The group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks.

Quote

The Fox-IT report comes to fill in a gap in the group's history. APT20's hacking goes back to 2011, but researchers lost track of the group's operations in 2016-2017, when they changed their mode of operation.

Fox-IT's report documents what the group has been doing over the past two years and how they've been doing it.

According to researchers, the hackers used web servers as the initial point of entry into a target's systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.

APT20 used vulnerabilities to gain access to these servers, install web shells, and then spread laterally through a victim's internal systems.

While on the inside, Fox-IT said the group dumped passwords and looked for administrator accounts, in order to maximize their access. A primary concern was obtaining VPN credentials, so hackers could escalate access to more secure areas of a victim's infrastructure, or use the VPN accounts as more stable backdoors.

Fox-IT said that despite what appears to be a very prodigious hacking activity over the past two years, "overall the actor has been able to stay under the radar."

They did so, researchers explain, by using legitimate tools that were already installed on hacked devices, rather than downloading their own custom-built malware, which could have been detected by local security software.

Quote

But this wasn't the thing that stood out the most in all the attacks the Dutch security firm investigated. Fox-IT analysts said they found evidence the hackers connected to VPN accounts protected by 2FA.

How they did it remains unclear, although the Fox-IT team has a theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its own computers to generate valid one-time codes and bypass 2FA at will.

Normally, this wouldn't be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecurID software would generate an error.

Quote

The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.

As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

Quote

The Dutch company said it named the report "Wocao" after the response the Chinese hackers gave once they had been detected and booted out of a victim's network.

In the screenshot below, you can view APT20 trying to connect to a (now-removed) web shell they installed on a victim's network.

The hackers try running several Windows commands. When the commands fail to execute, APT20 hackers understand they've been detected and thrown out of the network, and they type one last command in frustration -- wocao, which is the Chinese slang for "shit" or "damn."

[screenshot: wocao.png]

source: https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/

Ideally for 2FA, if the person doesn't have the second-factor authenticator, like a phone, you won't let them in, but unfortunately people lose their phones, or their phones die, or they get a new phone without thinking, and so they need a way around the 2FA. A popular way to do this is using one-time-use backup codes to let you bypass 2FA, and as shown here that is a vulnerability. I guess the lesson here is 2FA does make things more secure, but don't rely on it 100%.
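As an added illustration, not taken from the ZDNet article or the Fox-IT report, the Python model below shows the design point made in the quoted passage: when a soft token's device binding is only checked at import time, code generation depends on the seed alone, so the server cannot distinguish the genuine device from any machine that holds the seed. The second design is a hypothetical hardening in which a device-held secret is mixed into the working key, so a code computed from the bare seed no longer verifies; the seed is the RFC 4226 test key, the device secret is constructed, and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample values (not from the Fox-IT report): the RFC 4226 test
# seed, and a stand-in for the "system specific value" the article mentions.
SEED = b"12345678901234567890"
DEVICE_SECRET = b"constructed-device-secret"
STEP = 60  # SecurID-style tokens rotate every 60 s; same shape as RFC 6238 TOTP


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // STEP)


def import_token_design1(seed: bytes, bound_to: bytes, this_device: bytes) -> bytes:
    """Design the report describes: the device value only gates the import;
    the key later used for codes is the bare seed (a client-side gate only)."""
    if bound_to != this_device:
        raise PermissionError("token was generated for a different system")
    return seed


def derive_bound_key(seed: bytes, device_secret: bytes) -> bytes:
    """Hypothetical hardening: mix the seed with a secret held by the device
    (ideally in a TPM/secure element so it cannot be read out). The server is
    provisioned with the same derived key, so bare-seed codes do not verify."""
    return hmac.new(device_secret, b"bind:" + seed, hashlib.sha256).digest()


def server_accepts(server_key: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check with +/- `skew` time steps of clock tolerance."""
    ctr = unix_time // STEP
    return any(hmac.compare_digest(hotp(server_key, ctr + d), code)
               for d in range(-skew, skew + 1))


def compare_designs(unix_time: int = 1_577_000_000) -> dict:
    """What the server accepts when the seed is used on a machine that never
    passed the import check: design 1 accepts it, design 2 does not."""
    bare_code = totp(SEED, unix_time)
    bound_key = derive_bound_key(SEED, DEVICE_SECRET)
    return {
        "design1_accepts_bare_seed": server_accepts(SEED, bare_code, unix_time),
        "design2_accepts_bare_seed": server_accepts(bound_key, bare_code, unix_time),
        "design2_accepts_bound_device": server_accepts(bound_key, totp(bound_key, unix_time), unix_time),
    }
```

The caveat the Fox-IT quote already makes still applies to design 2: if the device secret is readable from disk, an attacker on the box can export it along with the seed, so the binding is only as strong as the key store that holds it.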


1 hour ago, Caroline said:

And they still can't crack RDR2 and Detroit: Become human


what a fucking joke

It also bundles with a free virus


18 minutes ago, OlympicAssEater said:

It also bundles with a free virus

What a bargain. Chinese can't offer any of that.


Just now, OlympicAssEater said:

"Chinese backdoor"

Backdoors are never as cool as viruses.


Just now, RejZoR said:

Backdoors are never as cool as viruses.

Neither is cool if you value your confidentiality and data.


1 minute ago, Deli said:

I reckon 2FA is very safe. How wrong I was.

I've always thought it's safe enough to protect you from the majority of script-kiddie-type criminals. It also adds a nice layer of protection for those who use the same password on everything, even banking. But to me there is no such thing as an absolute, especially not in the digital era, where everything is an abstraction.

This to me highlights just how transparent the world is becoming: build a better mousetrap and they will build a better mouse, then very soon we will all know about it because you can't hide shit anymore.


2 hours ago, RejZoR said:

Given your name, I reckon you have more experience with backdoors first and viruses later :P

I prefer frontdoors.

I did get my computer infected with the IObit Advanced SystemCare app in the past. I didn't know a lot about this software, so I downloaded and ran it. Next thing, my computer crashed every single minute. Explorer restarted every 5 minutes.


Any security that can be reset can be bypassed.  Any phone based 2FA is subject to abuse/bypass via SIM hacking or swapping.


These are not good 2FA methods, but they offer perceived security without too much loss of convenience, so folks have been all over it.


We 3FA now bois.


State-backed Chinese hacking groups pilfering Western technologies is nothing new. Considering they have tens of millions of dollars at their disposal, it's not surprising they were able to develop custom tools. Crowdstrike also published a report a month ago in which they detailed workings of the Chinese Ministry of State Security in the aerospace sector.


time for 4-factor authentication

first: the password to access the service

second: a phone number where to send the sms code

third: an authentication app that generates another code

fourth: an email address where a new code will be sent to

and to round it all up, everything is locked behind a blockchain that is dependent on bitcoin's own blockchain


The US tends not to tell everybody what they're doing in the realm of cyber warfare.  They're often good enough to not get caught/attributed until way after the fact by some researchers, and usually only if it was a major enough operation (such as stuxnet).


Not saying they're definitively the best or anything, but like this Chinese group, they're good enough that you won't hear about it until somebody later on eventually figures out part of what's going on much further down the road.


Thread cleaned

This isn't the place to be debating politics. Stay on topic.
