China Security

Chinese Hacker Group Caught Bypassing 2FA (zdnet.com) 27

Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. From a report: The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate at the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published last week. The group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks.

The Fox-IT report fills in a gap in the group's history. APT20's hacking goes back to 2011, but researchers lost track of the group's operations in 2016-2017, when they changed their mode of operation. Fox-IT's report documents what the group has been doing over the past two years and how they've been doing it. According to researchers, the hackers used web servers as the initial point of entry into a target's systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.

  • A great firewall? (Score:3, Insightful)

    by RitchCraft ( 6454710 ) on Monday December 23, 2019 @12:33PM (#59550606)
    Maybe it's time for the rest of the world to build a great firewall around rogue countries like China?
    • Or perhaps companies need to really up their security game, and not think "if I install this one app from that schismatic salesman I will be perfectly safe."

    • by raymorris ( 2726007 ) on Monday December 23, 2019 @03:10PM (#59551286) Journal

      Many companies and web sites block Chinese and Russian IPs. If you don't have customers or employees in China, there is no reason to expect legitimate connections from there, and blocking them can make sense. That will make you invisible to their scans for vulnerable targets.

      That won't necessarily work if you are Lockheed and they've SELECTED you as a target. They'll just use proxies in that case. But it helps avoid being discovered in general scans for any vulnerable system.

  • by NuclearCat ( 899738 ) on Monday December 23, 2019 @12:38PM (#59550628) Journal
    They hacked software tokens. Use of a software token on insecure OS/hardware is as bad as storing your passwords in passwords.txt.
    • > They hacked software tokens. Use of a software token on insecure OS/hardware is as bad as storing your passwords in passwords.txt.

      Yep, that's why I named my password file "pwd.txt" so no one would figure it out.

    • Security is hard. So it's sensible to outsource critical services to someone who understands it better than you. Or it would be, were it not for this problem: how can you tell that someone understands something better than you do?

      • > Or it would be, were it not for this problem: how can you tell that someone understands something better than you do?

        They give you a zero knowledge proof of your inferiority, proving their superiority while keeping you a dumb fuck.
      • That's an interesting question. I have a couple of strategies that I use for evaluating the expertise of someone who is supposed to know things that I don't know.

        First, it's been said that to really understand something, try to teach it. I teach as part of my job, and I've found that's true - in order to teach it clearly, I have to really know it. So ask the supposed expert a couple of questions and see if they can give clear answers that really explain it, so that I can understand it. Not pitch "our amazin

    • by raymorris ( 2726007 ) on Monday December 23, 2019 @03:20PM (#59551328) Journal

      The way the 2FA system works, the client and the authentication server share a secret. That allows the server to authenticate the code which is generated by the client.

      The hackers hacked into the authentication server to get the secret codes.

      I just built a 2FA system and keeping the shared secrets secret is a major concern that I considered. One thing I did was use Tripwire to alert us if any files are changed on the auth server. Another thing I did was create a separate user which is the only user who can access the secrets file. I also removed any and all unused software from the auth server.

      The other thing the hackers did in this case is that the 2FA client has a protection which prevents generating codes for accounts that weren't originally set up with that copy of the client. The bad guys patched out that bit of code by changing a byte or two in the binary.
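The comment above describes the shared-secret model: client and server compute the same code from one seed, so the seed store on the auth server is the thing to guard. The block below is an added illustration, not code from this thread or from Fox-IT's report. It implements the open OATH algorithms (RFC 4226 HOTP and RFC 6238 TOTP) with the public RFC test seed, shows that the server's verification is nothing more than recomputing the client's code from the same seed, and then applies a Tripwire-style integrity and permission check to a seed file like the one the comment says was locked down. The file name `totp-seeds.db`, the function names and the tampering scenario are assumptions made for the example.

```python
import hashlib
import hmac
import os
import stat
import struct
import tempfile

# Public test seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side. The server needs the very same seed to recompute the code,
    so a copy of the seed store is a copy of the second factor."""
    counter = unix_time // STEP
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


# --- Tripwire-style guard on the seed store (hypothetical file layout) ---

def fingerprint_file(path: str) -> dict:
    """Record what an integrity checker needs: content hash, mode bits, owner."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def check_seed_store(path: str, baseline: dict) -> list:
    """Compare the file against its baseline; return findings (empty = clean)."""
    findings = []
    current = fingerprint_file(path)
    if current["sha256"] != baseline["sha256"]:
        findings.append("content changed since baseline")
    if current["uid"] != baseline["uid"]:
        findings.append("owner changed since baseline")
    if current["mode"] & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(current['mode'])} grants group/other access")
    return findings


def demo_seed_store_check() -> tuple:
    """Constructed scenario: baseline a 0600 seed file (the dedicated owner is
    simulated by the current user), then simulate an edit and a chmod.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "totp-seeds.db")  # hypothetical seed store
        with open(path, "wb") as f:
            f.write(RFC_SEED)
        os.chmod(path, 0o600)
        baseline = fingerprint_file(path)
        before = check_seed_store(path, baseline)
        with open(path, "ab") as f:  # simulated tampering with the seed file
            f.write(b"\nnew-seed")
        os.chmod(path, 0o644)        # simulated permission loosening
        after = check_seed_store(path, baseline)
    return before, after


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this time is 287082
    client_code = totp(RFC_SEED, t)
    print("client code:", client_code)
    print("server accepts:", verify_totp(RFC_SEED, client_code, t))
    print("seed store findings (before, after):", demo_seed_store_check())
```

`verify_totp` accepts one step of clock drift either side, which is why a code minted at T=59 is still accepted at T=89. The integrity check deliberately records mode and owner alongside the hash: a seed file that is unchanged but suddenly world-readable is as much of a finding as one whose contents changed.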

    • Depends on the software tokens. I remember SecurID having source code divulged a number of years back, forcing people to have to re-buy all new RSA tokens. I wonder if something is amiss with that.

      On the other hand, if Google's OATH/TOTP, which is open source, well checked for attacks, and used by the big names (Google, Facebook, Microsoft, Amazon), has a weakness, that would be horrifically bad... but from TFA, it looks like it is just the SecurID closed-source stuff.

      Moral of the story:

  • A million ChiCom apologist shills will be in here to cry out in anguish about the US.

  • by jargonburn ( 1950578 ) on Monday December 23, 2019 @12:52PM (#59550684)

    The group's primary targets...were active in fields like...physical locks

    *Chuckle*

  • This has to be why Google sent me a notification saying "bruh, you're in great danger, buy these physical keys!" the other day while I was fucking around with the old Xiaomi.
  • by BAReFO0t ( 6240524 ) on Monday December 23, 2019 @01:09PM (#59550770)

    This is exactly the shit that actual 2FA would prevent.

    But I've realized why they abuse saying "2FA" for this nonsense:
    Because real 2FA is about protecting the *user*, while their "2FA" is exclusively about protecting *them* (fuck the users).
    Real 2FA does its job on the client! You need to combine the two factors to get a valid key! Not on the server, to be combined there separately! That is just once 1FA (e.g. a password) and once a less secure or useless 1FA (like owning a phone or a picture of somebody's face).

  • If you must use a software token, ensure it's on a different device from the device that consumes the token codes.

  • Missing from the article. https://resources.fox-it.com/r... [fox-it.com]
  • by nuckfuts ( 690967 ) on Monday December 23, 2019 @01:38PM (#59550884)
    The impression I got from the summary is that the hackers somehow figured out how to bypass TFA to "get in" to the victim's systems. It was, in fact, the other way around. They were able to steal software tokens and "patch" TFA on systems that were already deeply compromised by other means.
