Fox-IT, a Dutch security company, reported that the Chinese hacking group APT20 was able to bypass two-factor authentication in a recent campaign. The group's main targets are government agencies and managed service providers. Security researchers said the attackers used web servers as their initial entry point into target networks, with a particular focus on JBoss, an enterprise application platform widely deployed by large enterprises and government agencies.
APT20 exploited vulnerabilities in these web servers to gain access, installed web shells, and then gradually worked its way deeper into the network. The attackers then hunted for administrator accounts and for the VPN accounts used to reach the internal network from outside.
Security researchers found that the attackers were able to get past the two-factor authentication protecting those VPN accounts, and speculated that they had stolen an RSA SecurID software token and used it to generate valid one-time codes. If that is what happened, the "something you have" factor collapsed: a software token's seed is just a file on the victim's machine, and once an attacker with access to that machine copies it, they can compute every one-time code the legitimate token would produce without ever touching the victim's device again.