A Chinese government-linked hacking group is believed to be behind a wave of worldwide attacks, bypassing two-factor authentication (2FA) in the process.
According to a report by Dutch cyber-security firm Fox-IT, the group is targeting government entities and service providers in sectors such as healthcare, insurance, finance, and aviation. The group behind the attacks is being tracked as APT20.
Researchers at Fox-IT revealed the hackers were specifically looking for exploits in JBoss, an application server used across large networks and often found on government and corporate machines.
JBoss was used as the initial point of entry into systems; from there the hackers spread out across the victims' servers, where they harvested passwords and gained VPN access.
The biggest hurdle the hackers overcame was two-factor authentication. Fox-IT explains that the group managed to steal software tokens used with the RSA SecurID system. By default, this software shows an error message when the hardware component is missing from the authentication process, but the attackers patched this check. From there, they only needed to generate valid 2FA codes to pass every check they encountered. To the compromised systems, this all looked like legitimate day-to-day usage.
Eventually, Fox-IT's services were requested by one company that detected malicious activity on its servers. The hackers were quickly evicted from the network, but their identities remain unknown.