On December 19, the Netherlands-based cybersecurity firm Fox-IT reported that it had discovered a previously unknown infiltration of managed service provider and government computer systems in at least 10 countries, including the United States, Mexico, Brazil, the United Kingdom, France, Germany, Italy, Portugal and Spain. These systems covered a wide range of industries, including aviation, construction, energy, finance, gambling, healthcare, insurance, offshore engineering, payroll and HR services, physical lock manufacturing, software development and transportation. Fox-IT believes a Chinese government-funded hacking group managed to bypass two-factor authentication (2FA) to gain initial access and then spread through these systems.
What Is 2FA?
Two-factor authentication was designed to make it harder for hackers to access secure, private data. It requires that a user provide two distinct forms of evidence to prove their identity when logging into an account. For example, a system might recognize a user by their physical hardware, via a unique linked code, coupled with a separate unique password. The user might then input a memorized password, or a one-time password generated by a separate piece of hardware called a token or password generator. In banking, 2FA occurs when a card holder uses their physical card together with their PIN at an ATM or during debit transactions. In point-of-sale payment processing, a merchant or an employee uses 2FA when they sign into their point-of-sale software on a computer, a unique device, with a unique password.
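As an added illustration of the mechanism described above (example code, not from the article or from Fox-IT), here is a server-side two-factor check in Python. The "something you know" factor is a salted, slow password hash; the "something you have" factor is a time-based one-time code of the kind a hardware token or phone app produces (RFC 6238 TOTP, built on RFC 4226 HOTP). The 30-second step, six-digit codes, SHA-1 and the one-step clock-drift window are assumed defaults; the seed used in the demo is the RFC test secret and the account name is made up.

```python
"""Added example: a two-factor login check, 'something you know' (a password) plus
'something you have' (a time-based one-time code from a token or phone app).
Not from the article or Fox-IT; the TOTP parameters (SHA-1, 30-second step, 6 digits)
are the common defaults and are assumptions of this example."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP_SECONDS = 30      # assumed length of one time step
DIGITS = 6             # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class TwoFactorAccount:
    """Server-side record for one user: password hash, the token seed, and the last
    time step at which a code was accepted (so a captured code cannot be replayed)."""

    def __init__(self, password: str, token_seed: Optional[bytes] = None, window: int = 1):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        # The seed is shared with exactly one device at enrolment (generated here if absent).
        self.token_seed = token_seed if token_seed is not None else secrets.token_bytes(20)
        self.window = window            # accept +/- this many steps of clock drift
        self.last_step_used = -1        # no code accepted yet

    def enrolment_seed(self) -> str:
        """Base32 form of the seed, the format authenticator apps and tokens import."""
        return base64.b32encode(self.token_seed).decode("ascii")

    def verify(self, password: str, code: str, now: int) -> bool:
        """Both factors are always evaluated; neither result short-circuits the other."""
        password_ok = hmac.compare_digest(hash_password(password, self.salt), self.password_hash)
        step_now = now // STEP_SECONDS
        matched_step = None
        for step in range(step_now - self.window, step_now + self.window + 1):
            if step <= self.last_step_used:
                continue                # already consumed: reject replay of a captured code
            candidate = hotp(self.token_seed, step).encode("ascii")
            if hmac.compare_digest(candidate, code.strip().encode("utf-8")):
                matched_step = step
                break
        if password_ok and matched_step is not None:
            self.last_step_used = matched_step
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, a made-up password, fixed clock values.
    rfc_secret = b"12345678901234567890"
    account = TwoFactorAccount("correct horse battery", rfc_secret)
    print("seed for the device:", account.enrolment_seed())
    print("code at t=59:", totp(rfc_secret, 59))                         # 287082
    print("login ok:", account.verify("correct horse battery", "287082", now=59))
    print("replayed code rejected:", not account.verify("correct horse battery", "287082", now=59))
```

The replay guard (`last_step_used`) is what makes a one-time code one-time: without it, a code captured on the wire is valid for the whole drift window. The seed handed out at enrolment is the entire strength of the second factor, so it deserves the same storage care as the password hash.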
Which Group Is Responsible?
Although many hacking groups supported by the Chinese government exist, Fox-IT has linked this event to a Beijing-based group called APT20. Security firms believe the group has been active since 2011. Because the Chinese government invests a lot of time and money in hiding its hacking groups, APT20 was able to keep a low profile during 2016 and 2017, and firms could not track it until it slipped up in 2018. Fox-IT named the 2FA bypass campaign “Operation Wocao” after a member of APT20 typed the Chinese curse word “wocao” as the final line of a failed Windows command session when they realized that their actions had been detected and they could not compromise the system. The word aptly described the frustration and shock felt not only by the hacker, but also by the Fox-IT analysts who realized that this system and others had been compromised in such an unusual fashion.
How Did They Do It?
This specific group typically uses the most basic hacking tools combined with the software already present on its victims’ systems. Two-factor authentication is very difficult to bypass because it relies on two independent forms of identification. Fox-IT has stated that APT20 found a way, currently unknown, to compromise 2FA for virtual private networks, possibly via vulnerabilities in the corporate and government enterprise application platform known as JBoss. Essentially, they found a way to bypass the credentials needed to access their victims’ VPN accounts and the computer systems attached to those networks. APT20 then focused on locating and compromising additional linked systems that held the credentials needed to find and retrieve further private data. The attack was designed to escalate: each level of authentication gained opened access to a higher level of information. For example, they targeted password managers and vaults, then used the passwords they found to continue their data search and retrieval. Once they were finished, they did everything possible to delete the traces of their actions to prevent detection.
What About Payment Processing?
APT20’s rare bypass of 2FA shows that hackers might be able to access any system in a similar fashion, including networked computers owned by merchants using point-of-sale software and/or customer databases. A hacking group could potentially mine merchant systems for customer names, credit card numbers, expiration dates and CVV security codes. If the system also holds a customer database, hackers could also retrieve private details, such as customers’ home addresses and product likes and dislikes. Hackers might use this data to learn more about specific individuals, such as politicians or military leaders, or to create false identities.
We recommend that all merchants focus on improving not only the security of their computers and networks, but also the vulnerabilities that stem from employee behaviour. It is important to train employees to recognize the many techniques used by hackers and to understand how their own actions can help these government-funded bad actors gain access. Merchants can also protect their systems by blocking employees from checking private email or downloading software on these systems.
Our team at Host Merchant Services goes beyond securing our own payment processing systems against these types of attacks; see the Host Merchant Services Data Breach Security Program. That link downloads a PDF explaining the value-added service HMS provides its merchants, which goes above and beyond simple PCI compliance and helps ensure a merchant’s peace of mind.