Delaware, USA – December 23, 2019 – A Chinese state-sponsored cyberespionage group has resurfaced with new operations targeting multiple industries, Managed Service Providers, and government entities. Fox-IT experts discovered the APT20 group’s activity while investigating a data breach at one of the attacked organizations and dubbed the campaign “Operation Wocao.” The group has been active since at least 2011 and dropped off researchers’ radars about 2-3 years ago, moving from custom malware to living-off-the-land techniques and common tools in order to make attribution difficult. APT20 obtains an initial foothold by compromising web servers through known vulnerabilities, with a particular preference for the JBoss enterprise application platform. After penetration, the adversaries install a web shell, steal administrator passwords, and move laterally across the victim’s network. The attackers are also interested in obtaining VPN credentials so that they can later connect directly to important systems.
It is noteworthy that in some cases APT20 connected to VPN accounts while bypassing two-factor authentication. There is still no exact description of how the attackers succeeded, but the researchers claim that the hackers obtained an RSA SecurID software token from a compromised system and also modified the check that verifies whether the token was generated for that system.
Content to detect such attacks is available on Threat Detection Marketplace:
VPN Security Monitor helps a SIEM detect signs of abuse or unauthorized access to the VPN service: https://my.socprime.com/en/integrations/vpn-security-monitor
Web Application Security Framework minimizes risks related to the use of publicly accessible web resources: https://my.socprime.com/en/integrations/web-application-security-framework