AnsweredAssumed Answered

Chinese hacker group caught bypassing 2FA

Question asked by Gordon Mathias on Dec 24, 2019
Latest reply on Jan 8, 2020 by Erica Chalfin

Like • Show 1 Like1
Comment • 2

Hello,

I've been going through the recent news articles that are making its round on the internet regarding bypass of 2FA using the RSA SecurID tokens. Articles below:-

https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf

Chinese hacker group caught bypassing 2FA | ZDNet

Questions:

1. Has RSA addressed these articles yet?

2. The report doesn't clearly state this but the thesis seems to imply that the STDID file based import is what is being exploited. I wanted to understand if the CT-KIP based distribution would also have the same impact?

Thank You,

Gordon

Erica Chalfin

Jan 8, 2020 5:32 PM

Correct Answer

Gordon Mathias,

Please review Important Statement from RSA Regarding RSA SecurID Software Token Provisioning Best Practices for the response from RSA regarding this report.

Regards,

Erica

See the reply in context

No one else had this question

Outcomes

David Pala Dec 26, 2019 4:40 AM

Hi Gordon,

Just took a read at both articles, and, from my understanding, the issue described resides in the fact the the attacker edited the Software Token source code to be able to import the SecurID Token Seed without getting the error message "Device intended for this token was not found...".

What does that mean ?
    The attacker already had the SecurID Token Seed file in its possession
What about CT-KIP Software Token delivery ?
    The CT-KIP distribution can be configured on the number of valid days before the Activation Code expires
    I think it could be great that RSA developers add an option that would be the number of times you can use that Activation Code, so we could set it to just "1"
    >> For the CT-KIP Software Token delivery, you should ONLY allow this being done from within your corporate networks, so that could avoid bypassing this when trying to connect from outside your corporate networks

CT-KIP Activation Code expiration configuration :

Let's see what other folks would say regarding your questions

Kind Regards,

David

Actions