Dutch security firm Fox-IT reports that the Chinese hacking group APT20 was able to bypass two-factor authentication in a recent campaign. The group's main targets are government agencies and managed service providers. According to the researchers, the attackers used web servers as the initial entry point into victim networks, specifically servers running JBoss, an enterprise-class application platform widely used by large enterprises and government agencies.
APT20 exploits vulnerabilities in these web servers to gain access, installs web shells, and then moves step by step deeper into the network. The attackers then look for administrator accounts and for VPN accounts that allow access to the internal network from outside.
The researchers found that the attackers could bypass the two-factor authentication protecting those VPN accounts, and they suspect that the attackers stole RSA SecurID software tokens and used them to generate valid one-time codes. A software token is only a genuine second factor as long as its seed stays on the user's device: an attacker who obtains a copy of the seed produces exactly the same codes as the legitimate user, and the VPN gateway has no way to tell the two apart.