
Chinese hackers allegedly bypassed two-factor authentication, claims report

Security researchers have discovered that a hacker group has been bypassing two-factor authentication (2FA). The group, known as APT20, has ties to the Chinese government and has been targeting other government entities. A Dutch security firm called Fox-IT discovered the attacks and published a report on them.

The hacker group’s activities date back all the way to 2011; however, the report states that security researchers lost track of APT20 once the group changed its modus operandi. It’s only in the last two years that Fox-IT has been able to figure out what the group has been up to. The group had allegedly been infiltrating targeted computers using a sophisticated method of first isolating a vulnerable machine on the target network. Then, the group would install web shells and start looking for administrator passwords on the machine. What stood out to the researchers was the fact that APT20 was able to connect to VPNs protected by 2FA.

Fox-IT notes that they aren’t sure about how APT20 managed to bypass 2FA on those VPN accounts, but do offer a hypothetical. “The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.

As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”

While the hacker group was only focused on infiltrating government institutions, what’s rather scary is that they were able to find a way to circumvent 2 factor authentication, currently one of the most secure ways of keeping your account safe. The report doesn’t state whether the fundamental nature of 2FA has been violated, or whether it was only a weak link in the entire authentication chain that allowed the hackers to pull this off.
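The quoted analysis turns on a design point: the device binding is a comparison made once at import time, separate from the seed that actually produces codes. The sketch below is an added illustration, not Fox-IT's or RSA's code; it uses an HOTP-style function as a stand-in for the vendor algorithm, and every name, seed and device ID in it is constructed.

```python
import hashlib
import hmac
import struct

def otp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style truncation (RFC 4226); a stand-in, not the vendor algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def import_check_only(seed, bound_device, this_device, check_intact=True):
    """Design A: the device value is only compared at import time."""
    if check_intact and not hmac.compare_digest(bound_device, this_device):
        raise PermissionError("token was issued for another device")
    return seed  # the code-generation key never depends on the device value

def import_derived(seed, this_device):
    """Design B: the device value is an input to the code-generation key."""
    return hmac.new(seed, b"device-bind|" + this_device, hashlib.sha256).digest()

def server_accepts(expected_key, counter, code):
    return hmac.compare_digest(otp(expected_key, counter), code)

def compare_designs():
    seed = bytes(range(20))                               # constructed sample seed
    enrolled, other = b"HOST-A-serial", b"HOST-B-serial"  # constructed device IDs
    counter = 42
    results = {}
    # Design A, intact client on the wrong device: import is refused.
    try:
        import_check_only(seed, enrolled, other)
        results["A_intact_wrong_device_imports"] = True
    except PermissionError:
        results["A_intact_wrong_device_imports"] = False
    # Design A, client whose comparison no longer runs: codes still verify,
    # because the server only ever depended on the seed.
    key = import_check_only(seed, enrolled, other, check_intact=False)
    results["A_tampered_code_accepted"] = server_accepts(seed, counter, otp(key, counter))
    # Design B: no comparison exists to remove; a wrong device yields a wrong key.
    server_key = import_derived(seed, enrolled)
    results["B_wrong_device_code_accepted"] = server_accepts(
        server_key, counter, otp(import_derived(seed, other), counter))
    results["B_enrolled_device_code_accepted"] = server_accepts(
        server_key, counter, otp(import_derived(seed, enrolled), counter))
    return results

if __name__ == "__main__":
    print(compare_designs())
```

Design B still fails if the device value itself can be read from the host, which the quoted report says is easy with access to the victim's system; keeping the seed in hardware-backed storage addresses that case.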



from Latest Technology News https://ift.tt/2ZkAxWa
