
BeyondTrust Zero-Day Breach: 17 SaaS Customers Exposed via Compromised API Key


BeyondTrust has disclosed a major cybersecurity incident involving a zero-day vulnerability that compromised its Remote Support SaaS instances, affecting 17 customers. The breach, first detected on December 5, 2024, was traced back to a compromised API key that enabled unauthorized access by resetting local application passwords.


How the BeyondTrust Breach Happened

According to the company, the attackers exploited a zero-day vulnerability in a third-party application to infiltrate an online asset within a BeyondTrust AWS account. This access allowed the threat actor to steal an infrastructure API key, which was then leveraged against a separate AWS account that housed the Remote Support infrastructure.


Although BeyondTrust has not disclosed the specific third-party application exploited, its internal investigation revealed two vulnerabilities within its own products, now tracked as CVE-2024-12356 and CVE-2024-12686.


Immediate Actions Taken by BeyondTrust

To mitigate the attack, BeyondTrust has:

Revoked the compromised API key.

Suspended all affected Remote Support SaaS instances.

Provided impacted customers with alternative SaaS instances.


Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild. However, detailed insights into the malicious activities remain undisclosed.


Who Was Impacted?

The U.S. Treasury Department has confirmed it was among the affected entities, but no other federal agencies have been reported as compromised.


Who’s Behind the Attack?

The breach has been attributed to Silk Typhoon (formerly Hafnium), a China-linked cyber espionage group. In response, the U.S. government has imposed sanctions on Yin Kecheng, a Shanghai-based cyber actor allegedly involved in infiltrating the Treasury Department’s network.


Final Thoughts

This breach underscores the growing threat of zero-day vulnerabilities and API key exploitation in cloud-based environments. Organizations must prioritize proactive threat intelligence, robust API security measures, and timely patching to safeguard against such highly sophisticated cyberattacks.