The cybersecurity company Fox-IT has published a report on the activities of the hacker group APT20. Judging by its characteristic tradecraft, the group is considered Chinese and is believed to work in coordination with the authorities. Recently, APT20 operators had to be expelled from the servers of one corporation, which they had penetrated by tricking its two-factor authentication (2FA) system.
APT20 is an extremely cautious and secretive group. It last made itself known in 2011 and was long considered "lost", or retired. Instead, as it turned out, the enterprising Chinese operators were preparing to defeat two-factor authentication in order to keep giving themselves comfortable access to other people's networks. This is a professional trait of theirs: they do not deploy any additional software of their own and use only standard tools, so as not to attract attention.
The experts described the 2FA bypass as follows. Apparently, the hackers managed to steal an RSA SecurID token from the system they were interested in, and on the basis of it forged just one access key. It turned out that neither physical access to the system nor its unique digital signature was required to generate the necessary access codes. If there is no need to import the RSA SecurID core and produce access keys from different locations, the verification is limited to the character area of the key, and that is exactly what APT20 successfully forged.
This can hardly be called a vulnerability, because during the investigation the experts concluded that someone had handed the original token to the hackers. Or they stole it themselves; either way, once you already hold part of the key to a lock, breaking it becomes much easier. Nor is this a reason to abandon such protection. APT20's activity was blocked, and the corporation was asked not to discuss the damage the hackers caused.