In a recent report security researchers have found evidence showing that a Chinese state-sponsored hacking group, APT20, has been able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, who gain access to a specific network and are able to operate for long periods of time before discovery. APT20, or Wocao, is such a group and appeared until very recently to have gone on a hiatus with not much known of their operations for periods spanning 2016 and 2017.
In the report published by Fox-IT, it was shown that the group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity during the period from 2016 to 2017. I’m sure some hoped they were gone for good but given the current research, the group changed its tactics fairly considerably. Based on this new information it would seem the group has been active over the last two years.
New tactics employed by the group seem to initially target web servers as the first point of entry. The group further appears to focus on corporate networks running JBoss, which is an enterprise platform often found on corporate and government networks. To gain access to the webservers the group used a variety of vulnerabilities, then web shells were created and finally the group would look to spread laterally across the network. Once the network was compromised the group dumped passwords and looked for administrator accounts, to maximize their access. A primary concern was obtaining VPN credentials, so hackers could escalate access to more secure areas of a victim's infrastructure, or use the VPN accounts as more stable backdoors. This was all done while managing to fly under the radar for a long period of time.
The group’s stealth can be attributed to the use of legitimate tools that would not flag suspicion from security software installed on the network. If they had installed custom made malware their chances of been caught would have been significantly higher. This is a tactic employed by many other APT groups across the globe. What did pique the interest of the researchers is that it appeared that the group managed to bypass 2FA protections attached to victims' VPN accounts. How this exactly done is not yet known but researchers did find related evidence to how the accounts could have been compromised.
From the researchers' analysis, it would appear that APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will. Software tokens are a form of two-factor authentication that are stored on devices such as a desktop or laptop PC which are sometimes used authorize access to the PC or services. These codes can be duplicated and in the past have been exposed by hackers in previous attacks. Hardware tokens are deemed more secure as the tokens are stored on the piece of hardware and cannot be duplicated. However, normally software tokens in many cases need to be connected to a physical piece of hardware. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecureID software would generate an error.
The researchers explained how the group may have been able to bypass 2FA, stating that:
“The software token is generated for a specific system, but of course this system-specific value could easily be retrieved by the actor when having access to the system of the victim…As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all…In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”
The danger posed by APT groups, in general, is clearly on display with APT20 and even when tactic are changed they still seem to be able to rewrite the rules regarding breaking into networks unannounced. In the past APT20 rose to the public’s attention following a series of attacks that seemingly began in 2011. In that instance, the group targeted companies in the chemical sector. These attacks were further characterized by the use of a trojan named PoisonIvy. These attacks were deemed to be motivated by gaining competitive edges over the competition with regards to the chemical sector. Given the list of numerous economic sectors targeted by APT20, it is safe to assume this may yet still be the case. Symantec concluded in 2011 that these attacks primarily focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes. While the tactics have changed it would seem the overall goal has not.