APT20: The limits of MFA exposed by a Chinese hacker group
What is APT20?
APT20 is a China-based hacking group, likely working to support the interests of the Chinese government and tasked with obtaining information for espionage purposes.
The group targets government entities and Managed Service Providers (MSPs) active in finance, insurance, healthcare, aviation, energy and possibly other sectors. To date, approximately ten countries have been targeted, including France, the USA, the UK, Brazil, Germany, Italy, Mexico, Spain, Portugal and even China.
According to the experts of Fox-IT, APT20 recently exploited a vulnerability in JBoss (an enterprise application platform used in corporate and government networks) web servers as the initial point of entry into their targets’ systems. APT20 then succeeded in spreading widely through the compromised internal systems. During the course of their intrusion, they dumped the passwords of administrator accounts to maximize their access. Their intrusion was particularly hard to detect because they used tools already present on the JBoss web servers, a technique known as “living off the land”.
What concerns us in this post is that APT20 succeeded in maintaining access to the compromised systems by logging into a VPN account protected by Multi-Factor Authentication. As described by Fox-IT, APT20 probably stole a software token in use in the victim’s organization during their intrusion. By patching some instructions in the source code, they could have bypassed the software’s protections and installed it on their own computer, which would then enable them to generate valid OTPs (One-Time Passwords) for this VPN account.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is a security system that confirms the identity of a person by requiring at least two different types of credentials (what I know, what I own or what I am). There are three types of authentication factors which can all be combined:
- Things you know, such as a password or PIN code;
- Things you have, such as a smartphone or a physical token;
- Things that belong to you and define who you are, such as fingerprints or facial features.
Thus, in addition to a username and password (something the user knows), MFA security systems require another piece of evidence, such as a code sent to the user’s smartphone or generated by a security token (something the user owns), or a biometric factor such as fingerprints or facial features (something the user is).
What are the benefits?
This question is easy to answer. The main objective of MFA is to protect against password theft by phishing or malware and against brute-force attacks: MFA raises the security level of authentication and access management.
MFA solutions should be adopted by everyone: we all have sensitive data to protect. This is especially true in the business world for people who have special access rights on the internal information system, since the attackers’ preferred targets are people in strategic positions who can access sensitive data.
Is MFA still reliable?
2FA or MFA are still effective against brute force attacks. Google Online Security Blog wrote about “How effective is basic account hygiene at preventing hijacking” and found that an SMS code sent to a recovery phone number helped block:
- 100% of automated bots;
- 96% of bulk phishing attacks;
- 76% of targeted attacks.
Of course, it is not sufficient against targeted attacks or groups using specific operating modes for hijacking the MFA.
Multi-Factor Authentication is a good way to improve access management but is not a panacea. There are many examples where MFA, and particularly 2FA (Two-Factor Authentication), was bypassed:
- In 2011 and December 2019: stolen physical RSA SecurID tokens used to bypass 2FA systems;
- In 2012, the Gmail account of Cloudflare’s CEO was hacked by exploiting a vulnerability in the password renewal process, which allowed the attacker to bypass Google’s 2FA.
Another limitation concerns 2FA based on SMS. The National Institute of Standards and Technology (NIST) does not recommend this method, saying that these one-time passwords are too exposed to cyber attacks. There are indeed numerous techniques to intercept an OTP sent by SMS: Man-in-the-Middle attacks, real-time phishing, SIM swapping, SS7 interception, network attacks or malware. Specific Android malware such as Anubis II or Ginp can intercept any SMS. A further issue with SMS OTPs is the security of the cellular network itself, which cannot be guaranteed: known vulnerabilities in cellular network technologies make it possible to intercept SMS traffic.
As shown by APT20, some issues remain in the implementation of MFA. Attackers could gain access to their victim’s email account (not protected by MFA), recover the software token intended for the victim and link their own device, such as a burner phone, which is particularly difficult to trace. Or, if they can access the MFA administration console, they could create a new user account and link their own devices.
Despite these known weaknesses, the EU Revised Directive on Payment Services (PSD2), in effect since 14th September 2019, requires 2FA for online operations (and contactless payments).
Although 2FA brings more security than simple authentication, attention is now turning to Adaptive Authentication, which can be the best security solution. It works by creating a profile for each user, including information such as their geographical location or their role. When the user tries to authenticate, the request is evaluated and given a risk score; depending on this score, the user may have to provide additional credentials. For example, these additional credentials can be required based on contextual elements such as:
- The environment, such as geographical location of the user, to identify unusual travel routines or other blacklisted locations. It is mainly done by checking the IP address of the user’s device or his GPS location information;
- The properties of the device used for authentication. This kind of check is performed in two ways: device recognition and device characteristics (system configuration and geographical location);
- User attributes (age, role, etc.);
- Behavior, based on the user and the locations from which they have previously logged in;
- Risk-based authentication, established from a risk score calculated from various criteria such as the sensitivity of the resources requested, the criticality of the system, or the status of the firewall and anti-virus software on the device.
For example, Google’s services can detect unusual connections, for instance when a user tries to log in for the first time from a foreign country. The user must then confirm their identity (using one of the authentication methods described above).
Although MFA and Adaptive Authentication bring numerous advantages to secure authentication, they also bring some risks. These methods could themselves be bypassed (e.g. falsification of the user’s apparent location by using a VPN). Moreover, they require more personal data, which could eventually be exposed on the Internet, or stolen and then used maliciously in well-known attacks such as identity theft, phishing or ransom demands.
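The risk-scoring step described above, worked through as an added example (not code from the original article or from any vendor's product): the engine holds a per-user profile, scores each login attempt on the contextual signals listed above (location, device, user role, resource sensitivity, device posture), and decides whether to allow, ask for an extra factor, or refuse. The profile data, signal weights and thresholds are constructed for illustration and are not from any real deployment.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample structures: what an adaptive authentication engine knows
# about a user before a login attempt arrives, and what it sees when one does.
@dataclass
class UserProfile:
    username: str
    role: str                      # user attribute; privileged roles raise the stakes
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)


@dataclass
class LoginContext:
    country: str                   # from IP geolocation or GPS (a VPN can mislead this signal)
    device_id: str                 # device recognition (certificate, cookie, fingerprint)
    resource_sensitivity: str      # "low" or "high": what the session will reach
    firewall_on: bool = True       # device posture signals
    antivirus_on: bool = True


STEP_UP_AT = 30   # assumed thresholds: below -> allow; at or above -> extra factor
DENY_AT = 70      # at or above -> refuse outright


def risk_score(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum weighted contextual signals; the weights are assumptions for illustration."""
    signals = [
        (ctx.country not in profile.known_countries, 40, f"first login from {ctx.country}"),
        (ctx.device_id not in profile.known_devices, 30, f"unrecognised device {ctx.device_id}"),
        (ctx.resource_sensitivity == "high", 20, "high-sensitivity resource"),
        (not (ctx.firewall_on and ctx.antivirus_on), 15, "weak device posture"),
        (profile.role == "admin", 10, "privileged role"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [why for hit, _, why in signals if hit]
    return score, reasons


def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Map the score to allow / step_up (additional credential required) / deny."""
    score, _ = risk_score(profile, ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"
```

A first login from a foreign country on a known device scores 40 and lands in "step_up", which is the behaviour the Google example describes; because the location signal alone can be spoofed through a VPN, the device and posture signals are what keep the score meaningful.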
Therefore, organizations that implement MFA systems should be concerned about MFA bypassing techniques, and any potential operational error that could prevent such systems from doing their job!
Sources:
- https://twistarticle.com/chinese-apt20-hacker-group-bypassing-2fa-in-latest-attacks/
- http://www.avignon-delta-numerique.com/authentification-a-double-facteur-est-elle-fiable/
- https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
- https://siecledigital.fr/2019/12/24/apt20-a-contourne-la-securite-a-double-authentification/
- https://www.zdnet.fr/actualites/des-hackers-chinois-contournent-l-authentification-a-deux-facteurs-39896369.htm
- https://itsocial.fr/actualites/des-pirates-chinois-du-groupe-apt20-ont-reussi-a-contourner-lauthentification-a-deux-facteurs-2fa/
- https://www.futura-sciences.com/tech/actualites/cybersecurite-hackers-dejouent-protection-double-authentification-78943/
- https://www.lemagit.fr/definition/Authentification-a-double-facteur
- https://www.onelogin.com/learn/what-why-adaptive-authentication
- https://en.wikipedia.org/wiki/RSA_SecurID
- https://www.centrify.com/blog/what-is-adaptive-authentication/
- https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
- https://www.csoonline.com/article/3504276/cloudflare-boss-s-gmail-hacked-in-redirect-attack-on-4chan.html
- https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html
- https://www.bleepingcomputer.com/news/security/ginp-android-banker-sets-as-default-sms-app-steals-all-text/
- https://medium.com/@WWPass/problems-and-vulnerability-of-one-time-passwords-over-sms-834f5bb83e5a