Advisory Overview
Malicious actors have found a way to bypass 2FA for VPN accounts that were secured with RSA SecurID. RSA considers the scenario to be against recommended deployment practices rather than a security vulnerability. They continued to say that the adversary must have access to a software token XML file and the file must have been created without a password. If you are not sure if your deployment follows best practice, refer to the RSA response listed below in the recommendations section.
Technical detail and additional information
What is the threat?
A malicious actor can bypass 2FA for any VPN logon secured with SecurID after they have acquired a SecurID software token (typically this will be a phone/tablet/laptop running the 2FA token generating application). This allows the malicious actor VPN access to the target system at will.
Why is this noteworthy?
The malicious actors primary modus operandi was to use web servers as an initial point of entry into the target system. In particular, they would target vulnerable servers with versions of JBoss (a common enterprise application platform frequently used in corporate / government networks). After the initial compromise the attacker would attempt to gain per persistence by using a VPN connection but keeping the webshell available as a precaution. If an attacker can bypass 2FA for a VPN at will on a system, then they could access the compromised system whenever they wish.
What is the exposure or risk?
With unrestricted on-demand network access, the attackers could now perform a variety of malicious actions. In particular the actor would move laterally through the network by using tools such as XServer for proxy/tunneling functionality and additional backdoors. Often, they would also acquire and dump valid credentials using applications such as Mimikatz for further lateral movement. The actor was also known to modify the registry, delete files, and more.
What are the recommendations?
- Follow RSA SecurID® Software Token Security Best Practices (https://community.rsa.com/docs/DOC-35128 ) to minimize risks during token provisioning.
- Ensure a proper device management policy is in place to ensure that devices are not lost or stolen and take immediate action if they are.
- Zero Trust or Robust segmentation must be one of the guiding principles of any infrastructure, both for systems and identities. As part of that, leveraging Microsoft’s Enhanced Security Administrative Environment (ESAE) where applicable will greatly increase your resilience and can prevent many attacks from succeeding.
- Implement next gen EDR such as SKOUT Endpoint protection to prevent malware from being executed on users’ devices.
- Ensure that a patch policy is in place with the use of vulnerability scanning to identify vulnerabilities as well as patch them.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
- https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
- https://community.rsa.com/docs/DOC-109708
If you have any questions, please contact our Security Operations Center.
