SecurityWeek

CISA: No Federal Agency Beyond Treasury Impacted by BeyondTrust Incident

CISA says no federal agencies other than Treasury were impacted by the recent compromise of a BeyondTrust cloud-based service.


The US cybersecurity agency CISA on Monday said that no other federal agency beyond the Department of the Treasury was impacted by the recent ‘major cybersecurity incident’ involving a BeyondTrust cloud-based service.

Disclosed on December 31, the attack resulted in Chinese state-sponsored hackers accessing Treasury workstations and unclassified documents using a compromised API key for a remote management service from BeyondTrust.

The Treasury did not share details on the scope of the incident and CISA on Monday said the two agencies are still working on understanding and mitigating the impacts of the attack.

“At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response,” CISA said.

“The security of federal systems and the data they protect is of critical importance to our national security. We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate,” the agency continued.

While it did not share details on which BeyondTrust service might have been exploited in the attack, the Treasury said it learned of the exposed API key on December 8, the same day that BeyondTrust disclosed publicly that a key for its Remote Support SaaS had been compromised and that a limited number of customers was affected.

A week later, BeyondTrust disclosed CVE-2024-12356 (CVSS score of 9.8), a critical-severity unauthenticated command injection vulnerability identified during the investigation into the incident and impacting Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and earlier.

Two days later, CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog, while BeyondTrust rolled out patches for another command injection bug identified during the investigation, CVE-2024-12686 (CVSS score of 6.6).


On Monday, the company announced that it had completed the patch rollout and that its investigation into the incident is nearly complete.

“All SaaS instances of BeyondTrust Remote Support have been fully patched against the vulnerabilities mentioned in our previous security advisories. A patch has also been pushed for self-hosted instances. No new customers have been identified beyond those we have communicated with previously,” BeyondTrust said.

BeyondTrust has not shared any information on the number of potentially impacted customers, other than saying that only “a limited number of impacted instances of Remote Support SaaS were identified”.

According to attack surface management firm Censys, there are more than 13,500 BeyondTrust PRA and RS instances accessible from the internet, and thousands of these are in the US. However, it is unclear how many of them may still be vulnerable.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
