Researchers: Chinese APT Espionage Campaign Bypasses 2FA

Fox-IT Suspects APT20 Group Was Involved

An advanced persistent threat espionage campaign with suspected ties to the Chinese government quietly targeted businesses and governments in 10 countries for two years, bypassing two-factor authentication, according to a report by Fox-IT.

The campaign, dubbed Wocao, targeted government and managed service providers while managing to be "under the radar," the Netherlands-based security firm notes.

"Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes," the report notes. "With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20."

APT20, also known as TH3Bug and Twivy, has been active since 2009 and is known to rely on watering hole attacks, which involve compromising legitimate websites and installing malware to target website visitors, an earlier report by Palo Alto Networks noted.

The Fox-IT report does not say whether the campaign is still active, nor does it identify the malware strain used by the threat group. But it states the campaign was active across 10 countries, including the U.S., several European countries and China.

Bypassing 2FA

According to the Fox-IT report, the attackers were able to bypass two-factor authentication by targeting the devices of employees with privileged access to the company's network.

"On these systems, the contents of passwords vaults (password managers) are directly targeted and retrieved," the report states.

To gain access to these devices, the attackers first targeted devices running vulnerable web servers, often those running a version of JBoss, a popular enterprise application platform.

"Such vulnerable servers were observed to often already be compromised with webshells, placed there by other threat actors," the report notes. "The actor actually leverages these other webshells for reconnaissance and initial lateral movement activity. After this initial reconnaissance the actor uploads one of its own webshells to the webserver."

Once the attackers gained persistence by compromising the VPN credentials, they bypassed 2FA, the researchers say.

Fox-IT researchers note that this was likely achieved by stealing an RSA SecurID software token, which was then used on the attacker's own systems to generate valid one-time codes and so bypass 2FA.

"In short, all the actor has to do to make use of the 2-factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens," the report notes.

After bypassing the authentication, the attackers proceeded to escalate privileges and move laterally, then collected and exfiltrated data and communicated with their command-and-control infrastructure, the researchers say.

While performing these activities, the threat actors were also careful to remove files that could reveal their activities, making detection of the group's activity difficult, according to the research report.

"As much as is possible, they remove file system-based forensic traces of their activities, making it much harder for investigators to determine what happened after the fact," the report adds.

Rising Chinese APT Threat

Chinese APT groups are known for complex cyberespionage campaigns carried out against specific targets to compromise their systems and obtain specific information.

In a separate incident, another Chinese group, APT5, targeted flaws in Pulse Secure and Fortinet SSL VPNs for more than six weeks, security experts said (see: Chinese APT Groups Began Targeting SSL VPN Flaws in July).

In November, another Chinese advanced threat group, APT41, used a new espionage tool to intercept SMS messages from phone numbers by infecting mobile telecommunication networks, according to the security firm FireEye Mandiant (see: Chinese APT Group Targets Mobile Networks: FireEye Mandiant).

Another report by FireEye noted that Chinese APT groups targeted cancer research organizations across the globe to steal their research (see: Chinese APT Groups Target Cancer Research Facilities: Report).