Security researchers say they have found evidence that a Chinese hacking group linked to the Chinese government bypassed two-factor authentication (2FA) in a recent wave of attacks, a campaign they named Operation Wocao. In its report, the Dutch cyber-security company Fox IT attributed the attacks to the APT20 group, which is believed to operate at the behest of the Beijing government.

The group's main targets were government entities and managed service providers (MSPs), with the targeted government entities and organisations active in sectors such as aviation, health care, finance, insurance, and energy.

The Fox IT report fills a gap in the group's history, which dates back to 2011: researchers lost track of its operations between 2016 and 2017, when the group changed its way of working. The new report documents APT20's activities over the past two years and how it carried them out.

According to the researchers, the hackers used web servers as their primary point of entry into target systems, with a particular focus on JBoss, an application platform often found in government networks and large corporations. APT20 exploited vulnerabilities to gain access to these servers, install malware, and spread across the victim's internal systems.

Fox IT said the group's main interest was in obtaining VPN credentials, so that the hackers could escalate privileges to reach more secure areas of the victim's infrastructure, or use the VPN accounts as a more stable backdoor. Although this amounts to significant hacking activity over the past two years, the group managed to stay out of sight.

APT20 did this by using legitimate tools already installed on the compromised devices, rather than downloading its own malware, which local security software could have detected. But that was not the most notable finding across the attacks investigated by Fox IT: the company's analysts said they found evidence that the hackers connected to VPN accounts protected by two-factor authentication (2FA).

It is still unclear how they did this, but according to the Dutch security company's theory, APT20 stole an RSA SecurID software token from a compromised system and used it on its own computers to generate valid one-time codes and bypass 2FA.

Normally this should not be possible: to use one of these software tokens, the user needs to connect a physical device to the computer, and only the device together with the software token can produce a valid two-factor authentication code. If the device is not present, the RSA SecurID software generates an error.

Source: Fox IT