CISA says Treasury was the only US agency breached via BeyondTrust

The US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that the Treasury Department was the only US federal agency affected by the recent cybersecurity incident involving compromised BeyondTrust Remote Support SaaS instances.

On the same day, BeyondTrust offered an update on the situation: The forensic investigation into the incident is approaching completion, the company said, and noted that no additional affected customers have been identified since the initial cluster of affected instances was discovered and those customers notified.

What the investigation revealed

In early December 2024, BeyondTrust identified anomalous behavior on “a limited number” of customer instances of Remote Support SaaS and discovered the compromise of an API key for a compromised instance that “allowed for password resets of local application accounts.”

The key was revoked, the instances suspended and quarantined, the impacted customers informed.

The investigation into the incident subsequently revealed two separate vulnerabilities affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products, one of which was exploited in the attack.

On December 30, the New York Times reported on a letter sent by the Treasury Department to US lawmakers, confirming that the attack resulted in the compromise of workstations of several government employees and some unclassified documents, and attributing the attack to “a China state-sponsored Advanced Persistent Threat (APT) actor.”

More specifically, the attackers managed to compromise workstations in the department’s Office of Financial Research and the Office of Foreign Assets Control, which administers and enforces economic and trade sanctions.

The Chinese foreign ministry has disputed the claim.

Last week, the Treasury Department sanctioned Beijing-based cybersecurity firm Integrity Technology Group for aiding computer intrusion incidents against US victims mounted by the Flax Typhoon APT group.

“CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response,” the agency said on Monday. “We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate.”

Censys currently “sees” 13,548 exposed BeyondTrust Remote Support and Privileged Remote Access instances online, though it’s impossible to tell whether they are vulnerable to exploitation via the actively exploited command injection vulnerability (CVE-2024-12356).

“All SaaS instances of BeyondTrust Remote Support have been fully patched against the vulnerabilities mentioned in our previous security advisories. A patch has also been pushed for self-hosted instances,” BeyondTrust said. But organizations whose instances are not subscribed to automatic updates are required to implement the patch themselves.
