Hackers from China Learn to Bypass Two-Factor Authentication

Hackers around the world continuously probe the systems of security firms, government bodies and financial organizations in an effort to illegally obtain information or steal funds. Some hacker groups, such as APT20 from China, are at times associated with official authorities. Fox-IT released a report, Operation Wocao: Shedding Light on One of China's Hidden Hacking Groups, which describes the work of APT20 members who recently circumvented two-factor authentication (2FA) and penetrated the servers of one of the largest corporations.

The APT20 group works with covert methods and exercises extreme caution. The organization’s trail disappeared in 2011, and many experts began to speak of APT20 as having ceased operations. Meanwhile, according to Fox-IT experts, the hackers worked on a method of circumventing two-factor authentication to ensure penetration from corporate networks into servers. At the same time, the attackers adhere to the principle of using standard tools, without creating their own software by which they could be tracked.

Overcoming the two-factor authentication system became possible after the theft of an RSA SecurID token from a network the attackers needed to reach. Based on this token, the hackers needed to create only a single key, which opened access to the system. No physical access is required to generate a system access code. When there is no need to import the RSA SecurID core and access keys can be created from different places, the check is limited to the value of the key, which is what the “experts” from APT20 took advantage of.

However, an investigation into the incident revealed that this method does not exploit a vulnerability in 2FA itself, since the hackers obtained the RSA SecurID token either from an insider’s hands or simply by stealing it, which facilitated their access to the system. The hackers have now been expelled from the corporation’s network, and no damage has been reported.

Source: Fox-IT