Chinese hackers bypass two-factor authentication

This is speculation at its finest. TL;DR “We don’t know how they did it”…:

[…] While the researchers couldn’t be sure of the exact method used, they did provide a theory on how APT20 may have gained access to a VPN that was protected with two-factor authentication.

This could have been done by the hackers stealing an RSA SecurID software token, and then using this to generate the two-factor authentication codes.

This method isn’t supposed to be possible though, with the protection requiring access to a different physical device.

“As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed and has no relation to the seed used to generate actual 2-factor tokens,” Fox-IT said in the report.

“This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system and does not need to bother with stealing the system specific value at all.

“In short, all the actor has to do to make use of the 2-factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”
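The point the report makes is that the system-specific value only gates the import and never enters the key that produces the codes. The following Python model is an added illustration, not code from the article or from RSA: it contrasts that check-only design with one that mixes the device value into the key itself, so a seed moved to another machine produces codes the server rejects. The fingerprint function, the OTP construction and every sample value are constructed assumptions, not SecurID's real format or algorithm.

```python
"""Simplified software-OTP model (constructed; not RSA SecurID's algorithm)."""
import hashlib
import hmac
import struct


def device_fingerprint(hostname: str, machine_id: str) -> bytes:
    # Stand-in for the "system specific value" a soft token derives locally.
    return hashlib.sha256(f"{hostname}|{machine_id}".encode()).digest()


def otp_code(key: bytes, counter: int) -> str:
    # Simplified HOTP-style code: HMAC-SHA256 over a counter, 6 decimal digits.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


# Design A (what the quoted report describes): the device value is compared
# once at import time and then discarded. Code generation uses the raw seed,
# so the server has no way to tell which device produced a code.
def key_check_only(seed: bytes, fp: bytes) -> bytes:
    return seed  # the fingerprint never influences the key


# Design B: bind the key to the device cryptographically. The server derives
# the same key at enrollment from the seed and the enrolled fingerprint; a
# seed copied to another device yields a different key and unusable codes.
def key_bound(seed: bytes, fp: bytes) -> bytes:
    return hmac.new(seed, b"otp-key|" + fp, hashlib.sha256).digest()


def server_accepts(server_key: bytes, code: str, counter: int) -> bool:
    return hmac.compare_digest(otp_code(server_key, counter), code)


def demo() -> tuple:
    seed = bytes(range(32))  # constructed seed, not a real token seed
    victim_fp = device_fingerprint("victim-laptop", "c3d1-victim")
    other_fp = device_fingerprint("other-host", "9f00-other")
    counter = 42
    # Design A: the server keys on the seed alone, so a copy works anywhere.
    code_a = otp_code(key_check_only(seed, other_fp), counter)
    accepted_a = server_accepts(key_check_only(seed, victim_fp), code_a, counter)
    # Design B: the server keys on seed + enrolled device; the copy fails.
    code_b = otp_code(key_bound(seed, other_fp), counter)
    accepted_b = server_accepts(key_bound(seed, victim_fp), code_b, counter)
    return accepted_a, accepted_b
```

Binding the key to the device only helps if the server learns the device value at enrollment and the value is not trivially readable from the same host as the seed; a soft token on a compromised machine remains exposed, which is the case for a hardware token.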
Original article here