Cyber security researchers at Dutch firm Fox-IT have found evidence showing that a Chinese government-sponsored hacking group, APT20, has been bypassing two-factor authentication (2FA) in a recent wave of attacks against government entities and managed service providers.
According to researchers, the hackers used web servers as the initial point of entry into a target’s systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.
APT20 used vulnerabilities to gain access to these servers, install web shells, and then spread laterally through a victim’s internal systems.
While on the inside, Fox-IT said the group dumped passwords and looked for administrator accounts in order to maximize their access. A primary concern was obtaining VPN credentials, so the hackers could escalate access to more secure areas of a victim’s infrastructure, or use the VPN accounts as more stable backdoors.
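The initial foothold described above is a web shell dropped on an internet-facing application server. One way a defender can surface that kind of activity is to compare requests for server-side script files against a baseline of paths the deployed application is known to serve, and flag anything outside it, particularly POST requests. The script below is an added example, not code from Fox-IT or from the report; the access log lines, the baseline set and the `hs.jsp` path are constructed for illustration, and the log format is assumed to be the common Apache/JBoss combined format.

```python
"""Flag requests for unknown server-side scripts in web access logs.

Added example (not from the Fox-IT report). A baseline of known
application script paths is compared against constructed sample log
lines; successful requests for script files outside the baseline are
grouped per client and path for analyst review.
"""
import re
from collections import defaultdict

# Combined-log-format prefix: client, ident, user, [timestamp] "METHOD PATH PROTO" STATUS
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Extensions that execute on the server (JSP family for a JBoss host).
SCRIPT_EXT = (".jsp", ".jspx")

# Constructed sample lines: two legitimate clients plus one client
# repeatedly POSTing to a JSP file that is not part of the application.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2019:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Dec/2019:10:01:05 +0000] "GET /app/login.jsp HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Dec/2019:10:02:11 +0000] "POST /app/images/hs.jsp HTTP/1.1" 200 44',
    '203.0.113.9 - - [10/Dec/2019:10:02:15 +0000] "POST /app/images/hs.jsp HTTP/1.1" 200 1290',
    '198.51.100.7 - - [10/Dec/2019:10:03:00 +0000] "GET /app/images/logo.png HTTP/1.1" 200 9000',
    '198.51.100.7 - - [10/Dec/2019:10:03:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 812',
]

# Constructed baseline: script paths the deployed application is known to serve.
# In practice this comes from the application's deployment manifest or a
# crawl of the known-good build, not from the logs themselves.
KNOWN_PATHS = {"/app/index.jsp", "/app/login.jsp"}


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unknown_scripts(lines, known_paths):
    """Group successful requests for script files outside the baseline.

    Returns {(client_ip, path): {"count": n, "methods": [...]}} so an
    analyst sees both how often a file was hit and whether it was POSTed to.
    """
    hits = defaultdict(lambda: {"count": 0, "methods": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        if path in known_paths or rec["status"] != "200":
            continue
        key = (rec["ip"], path)
        hits[key]["count"] += 1
        hits[key]["methods"].add(rec["method"])
    return {k: {"count": v["count"], "methods": sorted(v["methods"])}
            for k, v in hits.items()}


if __name__ == "__main__":
    for (ip, path), info in find_unknown_scripts(SAMPLE_LOGS, KNOWN_PATHS).items():
        print(f"{ip} -> {path}: {info['count']} hit(s), methods {info['methods']}")
```

The baseline is the important design choice: it has to come from what was actually deployed, not be learned from the same logs the attacker can influence. On a real host this check is usually paired with a file-integrity alert on the deployment directory, since a web shell both appears as a new file and shows up as an unknown path in the access log.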