
Chinese Hackers Manage to Crack Two-Factor Authentication

Security researchers have found evidence of a hacker group from China bypassing two-factor authentication, also known as 2FA. The group behind the attacks, APT20, has connections to the Chinese government and appears to be targeting governments outside China. The intrusions were discovered by Dutch security firm Fox-IT, which published a report on its findings.

China-Based Hacker Group APT20 Breaks 2FA

APT20 has been active since at least 2011, but the report says the group dropped out of sight after changing its M.O. It only came back to prominence in the past few years, when Fox-IT was finally able to track it down and see what it had been up to. According to the report, the group targets networks with a highly methodical approach: it singles out vulnerable machines on a network, installs web shells on them, and then hunts for administrator passwords.

Even though Fox-IT knows the group broke 2FA, the researchers still aren’t sure exactly how they did it. They did propose a hypothesis, though: “The software token is generated for a specific system, but of course this system-specific value could easily be retrieved by the actor when having access to the system of the victim.” One thing that really stood out to the researchers was that the group could connect to VPNs that were protected by 2FA.

According to Fox-IT, the attacker wouldn’t even need to obtain the system-specific value, because it is only checked when the SecurID token seed is imported; it has no connection to the seed that is actually used to generate the two-factor token. The threat actor could simply patch the check that verifies the token was generated for that system, without stealing the system-specific value at all.

In short, an actor would only have to steal the RSA SecurID Software Token and patch it so that it generates valid tokens. From there, bypassing 2FA would be simple.
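As an added illustration of the design point above (not code from Fox-IT or RSA, and not SecurID’s actual token algorithm): a simplified software-token model in which the host binding is only an import-time check, beside a version that folds a host-bound secret into the OTP key. The HMAC-based OTP, the function names and all sample values are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not real SecurID material. This is a simplified
# model of a software OTP token, not RSA's actual algorithm.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
VICTIM_DEVICE_SECRET = b"victim-host-bound-secret"    # e.g. hardware-backed, per host
ATTACKER_DEVICE_SECRET = b"some-other-host-secret"
STEP_SECONDS = 60


def otp(key: bytes, t: int, digits: int = 8) -> str:
    """Time-based OTP: truncated HMAC-SHA1 over the time counter (RFC 6238 style)."""
    counter = struct.pack(">Q", t // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Design A (the weakness described above): the host binding is a tag that is
# verified once at seed import; the OTP itself is derived from the seed alone.
def binding_tag(device_secret: bytes) -> bytes:
    return hashlib.sha256(b"bind:" + device_secret).digest()


def import_check_passes(device_secret: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(binding_tag(device_secret), tag)


def check_only_otp(seed: bytes, t: int) -> str:
    # Nothing about the host enters the computation, so whoever holds the seed
    # produces exactly the code the victim's token shows; the check is the only barrier.
    return otp(seed, t)


# Design B (mitigation): fold the host secret into the OTP key, so the seed
# alone is insufficient and a copied seed yields different codes elsewhere.
def bound_key(seed: bytes, device_secret: bytes) -> bytes:
    return hmac.new(device_secret, b"otp-key:" + seed, hashlib.sha256).digest()


def bound_otp(seed: bytes, device_secret: bytes, t: int) -> str:
    return otp(bound_key(seed, device_secret), t)


if __name__ == "__main__":
    T = 1_700_000_000
    print("check-only, any host with the seed:", check_only_otp(SEED, T))
    print("bound, victim host              :", bound_otp(SEED, VICTIM_DEVICE_SECRET, T))
    print("bound, other host               :", bound_otp(SEED, ATTACKER_DEVICE_SECRET, T))
```

The takeaway for defenders is that a binding enforced only by a branch in the client is not a cryptographic control; the device-specific secret has to be part of the key derivation for seed theft alone to be insufficient.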

Has 2FA Been Completely Compromised?

While APT20 appears to be focused only on government institutions, it is scary that the group found a way to bypass two-factor authentication. 2FA is currently one of the best and most secure methods for keeping accounts safe from hackers. The Fox-IT report doesn’t say whether 2FA has been wholly compromised or whether this is just a weak link in the chain that the hackers were able to exploit.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
