Chinese hacking group APT20 bypassing 2FA in latest wave of attacks

Hacking activities of APT20 date back to 2011

A hacking group linked to the Chinese state has been found bypassing two-factor authentication (2FA) security in a series of attacks targeting government organisations and managed service providers.

The activities of the group, believed to be APT20, were detailed in a report published last week by Dutch cyber security firm Fox-IT [PDF].

APT20 is believed to be a Chinese-government controlled group. It is thought to have targeted several universities, as well as healthcare, military, and telecoms companies between 2011 and 2014. The group then went dormant for a couple of years, as it changed its mode of operation, before resurging again in 2017, according to Fox-IT.

In the past two years, APT20 has launched attacks against several government entities and managed service providers operating in fields like finance, healthcare, aviation, energy, insurance, and even gambling.

The researchers at Fox-IT uncovered APT20's latest hacking activities last year while analysing the computer systems in an organisation that had been compromised by some group of hackers.

The initial findings enabled researchers to uncover dozens of similar attacks that appeared to have been carried out by the same group in Spain, Brazil, Mexico, and other countries.

According to researchers, APT20 usually gained entry into an organisation's systems by exploiting a vulnerability on web servers. They would then infiltrate deeper into the organisation's network to find individuals with privileged access to the most critical parts of the network.

They would then place keyloggers on system administrators' machines in an effort to record keystrokes and steal passwords.

In one instance, the group was able to connect to VPN accounts protected by 2FA. The Fox-IT team believes APT20 likely stole an RSA SecurID software token from a hacked system, and used it on its own computers to generate valid one-time codes. This enabled them to bypass 2FA at will.

"The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim," the researchers explained.

"As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor token."

"This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all."

APT20 has been able to stay under the radar over the past two years despite using relatively simple tools and techniques.

They were able to do that by using legitimate tools that were already installed on compromised devices. Had they downloaded their own custom-built malware, it could have been detected by security software, the researchers believe.