BeyondTrust has disclosed a recent security incident in which 17 Remote Support SaaS customers were breached. The breach was carried out using a compromised API key. The attack began on December 5, 2024, when a zero-day vulnerability in a third-party application allowed unauthorized access to a BeyondTrust AWS account.
How the Breach Happened
The attackers first used the third-party vulnerability to access an online asset within BeyondTrust's AWS environment. They then obtained an infrastructure API key, which they used to breach a separate AWS account hosting Remote Support infrastructure. With that access they were able to reset application passwords, giving them unauthorized access to customer data.
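The chain described above (one credential reused across accounts, followed by a run of password resets) leaves traces in cloud audit logs that a defender can look for. The following is an added illustration, not BeyondTrust's code or telemetry: it runs two checks over constructed CloudTrail-style JSON log lines. The account IDs, access key IDs and the `ResetApplicationPassword` event name are invented placeholders; a real product would log its own event names.

```python
"""Two audit-log checks over constructed CloudTrail-style events (added example).

 1. an access key ID that turns up in more than one AWS account
 2. a burst of password-reset events issued with a single key in a short window

Field names follow CloudTrail's shape; the values and the reset event name are
constructed placeholders, not real BeyondTrust data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical event name for an application password reset (constructed).
RESET_EVENT_NAMES = {"ResetApplicationPassword"}

# Constructed sample log lines: one key (…000001) is first used in account 1111…,
# then reused in account 2222… where it issues four resets in three minutes.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2024-12-05T10:00:00Z", "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10", "eventName": "DescribeInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:05:00Z", "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10", "eventName": "GetSecretValue", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:20:00Z", "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "eventName": "AssumeRole", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:21:00Z", "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "eventName": "ResetApplicationPassword", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:22:00Z", "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "eventName": "ResetApplicationPassword", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:23:30Z", "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "eventName": "ResetApplicationPassword", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T10:24:00Z", "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "eventName": "ResetApplicationPassword", "accessKeyId": "AKIAEXAMPLEKEY000001"}',
    '{"eventTime": "2024-12-05T11:00:00Z", "recipientAccountId": "333333333333", "sourceIPAddress": "198.51.100.7", "eventName": "ListBuckets", "accessKeyId": "AKIAEXAMPLEKEY000002"}',
]


def parse_events(lines):
    """Parse JSON log lines into dicts, adding a timezone-aware 'time' field."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def keys_used_across_accounts(events):
    """Return {accessKeyId: sorted account IDs} for every key seen in more than one account.

    An infrastructure key that legitimately belongs to one account should not
    appear in the audit trail of another.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["accessKeyId"]].add(ev["recipientAccountId"])
    return {key: sorted(accts) for key, accts in seen.items() if len(accts) > 1}


def password_reset_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return findings for keys that issued >= threshold reset events inside one window.

    Sliding window over the sorted reset timestamps of each key; the finding
    records the densest window found for that key.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["eventName"] in RESET_EVENT_NAMES:
            by_key[ev["accessKeyId"]].append(ev["time"])

    findings = []
    for key, times in by_key.items():
        times.sort()
        best_count, best_start, best_end = 0, None, None
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start, best_end = count, times[start], times[end]
        if best_count >= threshold:
            findings.append({"key": key, "count": best_count, "start": best_start, "end": best_end})
    return findings


def analyze(lines):
    """Run both checks over raw log lines and return the combined findings."""
    events = parse_events(lines)
    return {
        "cross_account_keys": keys_used_across_accounts(events),
        "reset_bursts": password_reset_bursts(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG_LINES).items():
        print(name, finding)
```

Both checks are deliberately simple so that they can be adapted to whatever the audit source actually records; the thresholds and window are tuning knobs, and a key that is expected to span accounts (for example a deployment role) should be allow-listed rather than silently accepted.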
Vulnerabilities and Active Exploitation
BeyondTrust identified two vulnerabilities in its own products: CVE-2024-12356 and CVE-2024-12686. Both have been actively exploited in the wild, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog. BeyondTrust has since revoked the compromised API key and suspended the affected instances.
Impact on U.S. Government and Other Customers
The U.S. Treasury Department was one of the affected organizations. However, no other federal agencies have been reported as impacted. The attack is attributed to Silk Typhoon, a China-based hacking group. The U.S. government imposed sanctions on Yin Kecheng, a Shanghai-based actor allegedly involved in the breach of the Treasury Department’s network.
Next Steps and Mitigation
BeyondTrust has provided affected customers with alternative Remote Support SaaS instances. The company is working closely with law enforcement and affected organizations to secure its systems and prevent further incidents.
Customers should remain alert and monitor communications from BeyondTrust and CISA for patch releases and further updates.