Chinese APT Leverages BeyondTrust API Key to Access U.S. Treasury Systems and Documents


The U.S. Treasury Department has confirmed a major cybersecurity breach, revealing that suspected Chinese APT actors exploited a compromised BeyondTrust API key to gain unauthorized access to sensitive government systems and unclassified documents.


On December 8, 2024, the Treasury Department received notification from BeyondTrust, a third-party software provider, about a cyberattack that allowed an attacker to access a key responsible for securing a cloud-based service used for remote technical support to Treasury Departmental Offices (DO) users. The attacker leveraged the compromised key to bypass security measures and gain remote access to Treasury workstations and sensitive documents maintained by certain users.


Working closely with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the Treasury Department’s investigation points to a state-sponsored APT actor from China as the likely perpetrator of the attack.


In response, the Treasury Department took the BeyondTrust service offline, confirming there is no evidence suggesting continued access by the attackers.


Earlier this month, BeyondTrust disclosed a digital intrusion in which attackers exploited a vulnerability to breach its Remote Support SaaS platform. The attackers gained access to a critical API key, allowing them to reset passwords for local application accounts. However, BeyondTrust has yet to disclose how the key was obtained.


Following the breach, BeyondTrust immediately revoked the API key, notified affected customers, and suspended vulnerable instances while offering secure alternatives. The investigation also uncovered two high-risk vulnerabilities in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products, identified as CVE-2024-12356 (CVSS score 9.8) and CVE-2024-12686 (CVSS score 6.6). Notably, CVE-2024-12356 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild.


This incident follows a series of cyberattacks attributed to Salt Typhoon, another Chinese state-sponsored threat actor targeting multiple U.S. telecommunications providers.


Key Takeaways:

  • Chinese APT actors exploit a BeyondTrust API key to breach U.S. Treasury systems.
  • The cyberattack allowed remote access to sensitive Treasury documents.
  • BeyondTrust investigates the breach and uncovers vulnerabilities in its remote support products.
  • CISA adds one of the newly discovered vulnerabilities, CVE-2024-12356, to its Known Exploited Vulnerabilities catalog.
  • Similar state-sponsored cyberattacks have targeted U.S. telecommunications providers.


This attack highlights the increasing sophistication of state-sponsored cyber threats and the ongoing vulnerabilities in remote support services. The Treasury’s response and collaboration with CISA and the FBI underline the importance of a coordinated approach to cybersecurity defense and incident response.