Chinese state-sponsored hacker group APT20 has been bypassing two-factor authentication (2FA) in a recent wave of attacks, hacking government entities and managed service providers.
More on the story here: https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
To attribute the attacks to the named group, we will probably need some supplementary evidence to ascertain who is truly behind these intrusions. Modern-day cybercriminals like to frame each other and using well-known cybercrime “brands” to hinder investigation.
Managed service providers (MSP) are an attractive target and usually have uncontrolled access to the most sensitive data or systems of the world largest financial institutions and organizations. Frequently, MSPs underestimate their own risks and try to save money on data protection and cybersecurity. Cybercriminals are well-aware of such a low-hanging fruit, which can bring a windfall without incurring much risk or spending considerable amount of effort. We should expect a rapid increase of targeted third-party breaches in 2020, aimed to compromised Western organizations and governments.
The allegedly bypassed 2FA has never been a panacea, as it is vulnerable to sophisticated hardware or software weaknesses, as well as to smart social engineering attacks. Continuous security monitoring and anomaly detection remain vital for organizations to detect obscure intrusions in a timely manner. Insecure web applications will remain the weakest link, providing an easy target to get into corporate networks via chained attacks.
Comprehensive web asset inventory, patch management processes and a WAF are the very basic but must-have controls to prevent at least the most widespread attack vectors and exploitation techniques targeting web applications.