Chinese Hacker Group Caught Bypassing 2FA (zdnet.com)
Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. From a report: The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate at the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published last week. The group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks.
The Fox-IT report comes to fill in a gap in the group's history. APT20's hacking goes back to 2011, but researchers lost track of the group's operations in 2016-2017, when they changed their mode of operation. Fox-IT's report documents what the group has been doing over the past two years and how they've been doing it. According to researchers, the hackers used web servers as the initial point of entry into a target's systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.
A great firewall? (Score:3, Insightful)
Re: (Score:2)
Or perhaps companies need to really up their security game, and not think "If I install this one app from that charismatic salesman I will be perfectly safe."
Block China, Russia if no legit access (Score:4, Informative)
Many companies and web sites block China and Russia IPs. If you don't have customers or employees in China, no reason to expect legitimate connections from there, blocking them can make sense. That will make you invisible to their scans for vulnerable targets.
That won't necessarily work if you are Lockheed and they've SELECTED you as a target. They'll just use proxies in that case. But it helps avoid being discovered in general scans for any vulnerable system.
but failed to mention how (Score:4, Informative)
Re: (Score:2)
They hacked software tokens. Use of a software token on insecure OS/hardware is as bad as storing your passwords in passwords.txt.
Yep, that's why I named my password file "pwd.txt" so no one would figure it out.
Re: but failed to mention how (Score:2)
That is not quite up to the modern requirements. I use the longer form password.txt for more entropy.
Re: (Score:2)
I'm thinking "password1.txt" for even more entropy, and no one would ever bother to open a file with such a boring name.
My real passwords are hidden in "LesbianAnalFistingPissFreakBondageNuns.txt" because most people won't even admit to reading the file name.
Re: (Score:2)
Re: but failed to mention how (Score:2)
Please. Everyone knows it should be p4$$w0rd1!.txt
It's almost like a Zen koan. (Score:2)
Security is hard. So it's sensible to outsource critical services to someone who understands it better than you. Or it would be, were it not for this problem: how can you tell that someone understands something better than you do?
Re: It's almost like a Zen koan. (Score:1)
Can they explain it so that you understand it? (Score:2)
That's an interesting question. I have a couple of strategies that I use for evaluating the expertise of someone who is supposed to know things that I don't know.
First, it's been said that to really understand something, try to teach it. I teach as part of my job, and I've found that's true - in order to teach it clearly, I have to really know it. So ask the supposed expert a couple of questions and see if they can give clear answers that really explain it, so that I can understand it. Not pitch "our amazin
Hacked the 2FA server (Score:4, Informative)
The way the 2FA system works, the client and the authentication server share a secret. That allows the server to authenticate the code which is generated by the client.
The hackers hacked into the authentication server to get the secret codes.
I just built a 2FA system and keeping the shared secrets secret is a major concern that I considered. One thing I did was use Tripwire to alert us if any files are changed on the auth server. Another thing I did was create a separate user which is the only user who can access the secrets file. I also removed any and all unused software from the auth server.
The other thing the hackers did in this case is that the 2FA client has a protection which prevents generating codes for accounts that weren't originally set up with that copy of the client. The bad guys patched out that bit of code by changing a byte or two in the binary.
Re: (Score:3)
Depends on the software tokens. I remember SecurID having source code divulged a number of years back, forcing people to have to re-buy all new RSA tokens. I wonder if something is amiss with that.
On the other hand, if Google's OATH/TOTP, which is open source, well checked for attacks, and used by the big names (Google, Facebook, Microsoft, Amazon), has a weakness, that would be horrifically bad... but from TFA, it looks like it is just the SecurID closed source stuff.
Moral of the story:
Watch this (Score:2)
A million ChiCom apologist shills will be in here to cry out in anguish about the US.
Ahem (Score:3)
The group's primary targets...were active in fields like...physical locks
*Chuckle*
So this is why (Score:1)
Mmmbecause it isn't 2FA! (Score:3)
This is exactly the shit that actual 2FA would prevent.
But I've realized why they abuse saying "2FA" for this nonsense:
Because real 2FA is about protecting the *user*, while their "2FA" is exclusively about protecting *them* (fuck the users).
Real 2FA does its job on the client! You need to combine the two factors to get a valid key! Not on the server, to be combined there separately! That is just once 1FA (e.g. a password) and once a less secure or useless 1FA (like owning a phone or a picture of somebody's face).
This is why you don't use desktop-based tokens (Score:2)
If you must use a software token, ensure it's on a different device from the device that consumes the token codes.
The actual report as pdf (Score:1)
Slightly Misleading Summary (Score:5, Informative)