Chinese Hackers Successfully Managed to Bypass 2FA in Recent Wave of Attacks
Two-factor authentication (2FA) is often recommended, and by some companies enforced, as an additional layer of security. It is supposedly infallible, since one part of the puzzle always stays with the user, which makes it difficult for anyone to compromise a system remotely. There are ways to bypass 2FA, but they are rather difficult. Now a hacking group reportedly sponsored by the Chinese government has managed to bypass 2FA in an eerily sophisticated way.
According to a report by Dutch cyber-security firm Fox-IT, hacker group APT20 targeted government and private entities in over ten countries including Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. Aviation, healthcare, finance, insurance, and energy companies were the primary targets of the hack, which came to light when one of the affected companies contacted Fox-IT.
Hackers Successfully Managed to Steal an RSA SecurID Software Token
The RSA SecurID authentication mechanism consists of a hardware or software "token". APT20 managed to steal one such RSA SecurID software token and then used it to generate valid one-time codes at will. Such a software token is practically useless away from the system it was generated for, but the hackers found a way around that too. Here's how Fox-IT thinks they did it:
The actor does not actually need to go through the trouble of obtaining the victim's system-specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system-specific value at all.
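To make the design flaw in that description concrete, here is an added Python model (not RSA's SecurID implementation and not code from the Fox-IT report) that contrasts a soft token whose host binding is only an import-time check with one whose seed is cryptographically wrapped under host-derived keys; the host names, the fingerprint derivation and the XOR-plus-HMAC wrap are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Simplified model of a software OTP token (added illustration, not RSA's actual
# SecurID algorithm or file format): a secret seed plus an HMAC-truncated code.
def otp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def host_fingerprint(host_id: str) -> bytes:
    # Stand-in for the article's "system-specific value" (hypothetical derivation).
    return hashlib.sha256(b"fingerprint:" + host_id.encode()).digest()

# Design 1, the situation Fox-IT describes: the seed is stored in the clear and
# the host binding is only an equality check performed at import time.
def import_check_only(token: dict, host_id: str, enforce_check: bool = True) -> bytes:
    if enforce_check and token["bound_to"] != host_fingerprint(host_id):
        raise ValueError("token was generated for a different system")
    return token["seed"]  # the seed never depended on the host

# Design 2, hardened: the seed is wrapped and authenticated under host-derived
# keys, so there is no check to patch; the wrong host cannot recover the seed.
def _wrap_keys(host_id: str) -> tuple:
    fp = host_fingerprint(host_id)
    return hashlib.sha256(b"enc:" + fp).digest(), hashlib.sha256(b"mac:" + fp).digest()
def wrap_seed(seed: bytes, host_id: str) -> bytes:
    enc_key, mac_key = _wrap_keys(host_id)
    ct = bytes(a ^ b for a, b in zip(seed, enc_key))  # demo-only XOR; use an AEAD in practice
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unwrap_seed(wrapped: bytes, host_id: str) -> bytes:
    enc_key, mac_key = _wrap_keys(host_id)
    ct, tag = wrapped[:32], wrapped[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("seed is wrapped for a different system")
    return bytes(a ^ b for a, b in zip(ct, enc_key))

def code_on_other_host(seed: bytes, counter: int) -> tuple:
    # Same seed imported on "other-host" with the import check disabled, per design.
    weak = {"seed": seed, "bound_to": host_fingerprint("victim-laptop")}
    weak_code = otp(import_check_only(weak, "other-host", enforce_check=False), counter)
    try:
        strong_code = otp(unwrap_seed(wrap_seed(seed, "victim-laptop"), "other-host"), counter)
    except ValueError:
        strong_code = None  # design 2: no seed, hence no code, on the wrong host
    return weak_code, strong_code
```

With the check disabled, design 1 hands the other host the genuine seed and therefore genuine codes, which is exactly the gap the report describes; design 2 fails closed because the host value is part of the key material rather than a comparison.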
As a result, APT20 could log in to company VPNs at will, further strengthening its foothold in the network. The group used web servers as the initial point of entry into a target's systems, especially ones running JBoss, an enterprise application platform commonly used by governments and large corporations. Furthermore, it relied on tools already present on the compromised systems rather than custom-built malware, which would have been flagged immediately. It even made sure to clean up any traces of its activity. The combination of these factors is why the group managed to stay undetected for so long. You can read the report in its entirety here.
While the prospect of 2FA being compromised is a terrifying one, there is no reason to stop using it altogether. It is arguably one of the most robust forms of security we have right now, and will remain so until we figure out how to add a third authenticating factor.