Security experts from
The attacks targeted government entities and managed service providers (MSPs) active in many industries, including aviation, healthcare, finance, insurance, energy, and gambling.
The APT20 group has been active since at least 2011, but experts did not associate any campaign with this threat actor between 2016 and 2017.
Over the last two years, the group targeted government and large corporate networks by attempting to exploit vulnerabilities in the JBoss open-source application server.
“Operation Wocao (我操, “Wǒ ”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese-based hacking group,” reads the report published by Fox-IT.
“In several cases the initial access point into a victim network was a vulnerable webserver, often versions of JBoss. Such vulnerable servers were observed to often already be compromised with
Once the hackers have gained access to these servers, they deploy web shells for reconnaissance and lateral movement.
In order to move laterally within the target networks, hackers used
Attackers use stolen VPN credentials to connect to the target network. According to the experts, the threat actor has been able to stay under the radar even while using simple tools and techniques in its hacking campaigns.
Fox-IT noticed that the APT20 group was able to abuse VPN accounts that were protected by 2FA; the experts believe that the group devised a specific technique to achieve this goal.
They speculated that the APT20 group stole an RSA SecurID software token from a compromised system, then used it on its own systems to generate valid one-time codes and bypass 2FA.
“An interesting observation in one of Fox-IT’s incident response cases was that the actor steals a soft token for RSA SecurID, which is typically generated on a separate device, such as a hardware token or mobile phone,” continues the report. “In this specific case however, victims using the software could also use a software-based token to generate 2 factor codes on their laptop. This usage scenario opens up multiple possibilities for an attacker with access to a victim’s la
However, the software token must be generated for a specific system; the threat actors were able to do so by retrieving the required information once inside the target network.
“As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated
“In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.”
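Because the stolen soft token produces genuinely valid one-time codes, the resulting VPN logins pass authentication and do not stand out on the authentication result alone. Detection therefore has to lean on context around the successful login: the source the account has never used before, or two distant sources succeeding with valid OTPs inside a short window. The following detection heuristic is an added example written for this article; it is not code from Fox-IT or from the report, and the VPN log format, the field names, the sample lines and the per-user geo baseline are all constructed assumptions.

```python
"""Flag VPN logins that succeeded with a valid OTP but came from a source
country the account has not used before, or from two different countries
within one window. Added example; log format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# <ISO time> user=<name> src=<ip> geo=<country> otp=<ok|fail> result=<success|denied>
SAMPLE_LOG = """\
2019-11-04T08:02:11Z user=alice src=203.0.113.10 geo=NL otp=ok result=success
2019-11-04T08:05:40Z user=bob src=203.0.113.22 geo=NL otp=ok result=success
2019-11-04T08:31:02Z user=alice src=198.51.100.7 geo=NL otp=ok result=success
2019-11-04T21:17:55Z user=bob src=192.0.2.45 geo=XX otp=ok result=success
2019-11-05T02:03:19Z user=bob src=192.0.2.45 geo=XX otp=ok result=success
2019-11-05T09:10:00Z user=carol src=203.0.113.30 geo=NL otp=fail result=denied
"""

# Constructed baseline: countries each account was seen from during a known-good period.
BASELINE = {"alice": {"NL"}, "bob": {"NL"}, "carol": {"NL"}}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in fields:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(records, baseline, window=timedelta(hours=24)):
    """Return a list of (user, reason, record) alerts.

    Only logins that actually succeeded with a valid OTP are examined, because
    those are exactly the events a stolen-but-valid soft token produces.
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, geo)] of successful OTP logins
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("result") != "success" or rec.get("otp") != "ok":
            continue
        user, geo, ts = rec["user"], rec["geo"], rec["ts"]
        # Rule 1: valid OTP from a country never seen for this account.
        if geo not in baseline.get(user, set()):
            alerts.append((user, "otp-success-from-new-geo", rec))
        # Rule 2: valid OTPs from two different countries inside the window.
        for prev_ts, prev_geo in recent[user]:
            if prev_geo != geo and ts - prev_ts <= window:
                alerts.append((user, "otp-success-from-two-geos-in-window", rec))
                break
        recent[user].append((ts, geo))
    return alerts


def run_example():
    """Run the heuristic over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for user, reason, rec in run_example():
        print(f"{rec['ts'].isoformat()} {user} {reason} src={rec['src']} geo={rec['geo']}")
```

On the sample data only the two logins for bob from the unfamiliar country raise alerts, each for both rules; alice's two logins from her usual country and carol's denied attempt are silent. The baseline and window are deliberately simple; in practice the same idea is applied per ASN or per device identifier rather than per country, and a hardware token or a token bound to a device outside the attacker's reach removes the underlying exposure rather than merely detecting it.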
Further technical details on the Wocao campaign are included in the report published by Fox-IT.