Two-factor authentication (2FA) is widely held up as one of the most effective ways to prevent hackers from gaining access to secure systems. Hackers have previously relied on complicated procedures to bypass it, but now it seems that a hacking group, APT20, has found a new and much simpler way to bypass the entire process.
Security researchers from Fox-IT Holding released a full report into the group last week, in which they say: “The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim. As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system-specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system-specific value at all.”
In other words, each software token generated carries a system-specific value, which is easily acquired once the hacker has access to the victim’s system. The researchers have now found that the hacker does not even need to obtain the victim’s system-specific value: that value is only checked when the seed is imported and plays no part in generating the actual one-time codes. All they need to do is patch the check which verifies whether the imported token was generated for that specific system, and the token then produces valid codes.
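The design flaw the researchers describe is easiest to see in a toy model. The following is an added example, not code from the Fox-IT report or from RSA: it models a soft token whose machine binding is verified only when the seed is imported and is unrelated to the key used for code generation (the weak design), beside one where the system-specific value is folded into the key itself, so that a token copied to another host derives a different key and produces wrong codes whether or not the import check runs. The seed, system identifiers, and key-derivation scheme are all constructed for illustration and do not reflect SecurID internals.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values for the toy model (not real SecurID data).
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
VICTIM_SYSTEM_ID = b"victim-host-fingerprint"
OTHER_SYSTEM_ID = b"other-host-fingerprint"
STEP_SECONDS = 60


def current_counter() -> int:
    """Time-step counter for the current wall-clock time."""
    return int(time.time()) // STEP_SECONDS


def otp_code(key: bytes, counter: int, digits: int = 6) -> str:
    """One-time code: dynamically truncated HMAC-SHA1 over the step counter (RFC 4226 style)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class WeakSoftToken:
    """Binding is enforced only at import; code generation never touches the system value."""

    def __init__(self, seed: bytes, bound_system_id: bytes):
        self.seed = seed
        self.bound_system_id = bound_system_id

    def import_seed(self, local_system_id: bytes, check_enabled: bool = True) -> None:
        # The only place the binding is checked; nothing downstream depends on it,
        # so disabling this branch leaves code generation fully functional.
        if check_enabled and local_system_id != self.bound_system_id:
            raise PermissionError("token not generated for this system")

    def code(self, counter: int) -> str:
        return otp_code(self.seed, counter)


class BoundSoftToken:
    """The system value is mixed into the key, so the binding cannot be skipped."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def derive_key(self, local_system_id: bytes) -> bytes:
        # Hypothetical binding KDF: the effective key depends on the host it runs on.
        # The server provisions its copy with the legitimate host's identifier.
        return hmac.new(self.seed, b"soft-token-binding|" + local_system_id, hashlib.sha256).digest()

    def code(self, counter: int, local_system_id: bytes) -> str:
        return otp_code(self.derive_key(local_system_id), counter)


def server_accepts(expected_key: bytes, counter: int, presented: str) -> bool:
    """Server-side check against the key it provisioned for the legitimate host."""
    return hmac.compare_digest(otp_code(expected_key, counter), presented)


def weak_design_bypassable(counter: int = 12345) -> bool:
    """True if a copy with the import check disabled yields the victim's exact code."""
    legit = WeakSoftToken(SEED, VICTIM_SYSTEM_ID)
    legit.import_seed(VICTIM_SYSTEM_ID)
    copied = WeakSoftToken(SEED, VICTIM_SYSTEM_ID)
    copied.import_seed(OTHER_SYSTEM_ID, check_enabled=False)  # check patched out
    return server_accepts(SEED, counter, copied.code(counter))


def bound_design_resists() -> bool:
    """True if the same seed on another host derives a different key and wrong codes."""
    token = BoundSoftToken(SEED)
    server_key = token.derive_key(VICTIM_SYSTEM_ID)
    keys_differ = server_key != token.derive_key(OTHER_SYSTEM_ID)
    rejected = not any(
        server_accepts(server_key, c, token.code(c, OTHER_SYSTEM_ID)) for c in range(5)
    )
    return keys_differ and rejected


if __name__ == "__main__":
    print("weak design bypassed by patching the check:", weak_design_bypassable())
    print("bound design rejects codes from another host:", bound_design_resists())
```

The defender-side lesson is that a check which only gates an import step, while the secret that matters is stored and used independently of it, is a single branch away from being irrelevant; binding the host value into the key material makes the property hold cryptographically rather than by the presence of an `if`.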
APT20 is alleged to be linked to the Chinese government and has been accused of hacking networks across the world. It is thought that the group stole an RSA SecurID software token from a hacked system and then altered it to work on other systems too.
Indicators of compromise related to this actor can be found on Fox-IT’s GitHub page.