SecurityWeek

CISA: No Federal Agency Beyond Treasury Impacted by BeyondTrust Incident

CISA says no federal agencies other than Treasury were impacted by the recent compromise of a BeyondTrust cloud-based service.


The US cybersecurity agency CISA on Monday said that no other federal agency beyond the Department of the Treasury was impacted by the recent ‘major cybersecurity incident’ involving a BeyondTrust cloud-based service.

The attack, disclosed on December 31, saw Chinese state-sponsored hackers access Treasury workstations and unclassified documents using a compromised API key for a BeyondTrust remote management service.

The Treasury did not share details on the scope of the incident and CISA on Monday said the two agencies are still working on understanding and mitigating the impacts of the attack.

“At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response,” CISA said.

“The security of federal systems and the data they protect is of critical importance to our national security. We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate,” the agency continued.

While it did not share details on which BeyondTrust service might have been exploited in the attack, the Treasury said it learned of the exposed API key on December 8, the same day BeyondTrust publicly disclosed that a key for its Remote Support SaaS had been compromised and that a limited number of customers were affected.


A week later, BeyondTrust disclosed CVE-2024-12356 (CVSS score of 9.8), a critical-severity unauthenticated command injection vulnerability identified during the investigation into the incident and impacting Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and earlier.

Two days later, CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog, while BeyondTrust rolled out patches for another command injection bug identified during the investigation, CVE-2024-12686 (CVSS score of 6.6).
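The two facts a defender needs from the paragraphs above are the affected range (PRA and RS 24.3.1 and earlier) and the KEV listing with its remediation deadline. The following script, added here as an example and not code from BeyondTrust, CISA or SecurityWeek, flags inventory entries that fall inside that range and pulls the matching CISA KEV entry. The inventory list and the KEV excerpt are constructed for the example: the KEV field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow the public catalog's JSON layout, but the entry values are illustrative, and the host names are fictitious.

```python
"""Triage helper for CVE-2024-12356: flag BeyondTrust PRA/RS instances whose
version is 24.3.1 or earlier and attach the CISA KEV deadline.
Added example; not BeyondTrust, CISA or SecurityWeek code."""
import json
import re
from typing import Iterable, Optional, Tuple

# Affected range as stated in the advisory: PRA and RS 24.3.1 and earlier.
AFFECTED_MAX = (24, 3, 1)
CVE_ID = "CVE-2024-12356"

# Constructed KEV excerpt: field names mirror the public catalog's JSON,
# entry values are illustrative only.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2024-12-19", "dueDate": "2024-12-27"},
        {"cveID": "CVE-2024-0001", "vendorProject": "Example", "product": "Other",
         "dateAdded": "2024-12-01", "dueDate": "2024-12-22"},
    ]
})

# Constructed inventory: (host, product, reported version). Hosts are fictitious.
INVENTORY = [
    ("rs-01.example.test", "RS", "24.3.1"),
    ("pra-02.example.test", "PRA", "24.2.0"),
    ("rs-03.example.test", "RS", "24.3.2"),
    ("pw-04.example.test", "Password Safe", "24.1.0"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into an int tuple so comparison is numeric,
    not lexical (24.3.10 must sort above 24.3.2)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX


def kev_entry(kev_json: str, cve_id: str) -> Optional[dict]:
    """Return the KEV catalog entry for cve_id, or None if it is not listed."""
    catalog = json.loads(kev_json)
    for entry in catalog.get("vulnerabilities", []):
        if entry.get("cveID") == cve_id:
            return entry
    return None


def triage(inventory: Iterable[Tuple[str, str, str]], kev_json: str) -> list:
    """Return one finding per PRA/RS host in the affected range, carrying the
    KEV due date when the CVE is in the catalog."""
    kev = kev_entry(kev_json, CVE_ID)
    findings = []
    for host, product, version in inventory:
        if product.upper() not in ("PRA", "RS"):
            continue  # other BeyondTrust products are out of scope here
        if is_affected(version):
            findings.append({
                "host": host, "product": product, "version": version,
                "cve": CVE_ID, "kev_due": kev["dueDate"] if kev else None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_SAMPLE):
        print(finding)
```

Treat the version check as a first pass only: for self-hosted appliances the vendor patch may be applied without the reported version string moving past 24.3.1, so a host flagged here should be confirmed against the patch status BeyondTrust's advisory describes before it is counted as vulnerable, and a host that passes should still have its API keys reviewed given how the Treasury intrusion started.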

On Monday, the company announced that it had completed the patch roll-out and that its investigation into the incident was almost complete.

“All SaaS instances of BeyondTrust Remote Support have been fully patched against the vulnerabilities mentioned in our previous security advisories. A patch has also been pushed for self-hosted instances. No new customers have been identified beyond those we have communicated with previously,” BeyondTrust said.

BeyondTrust has not shared any information on the number of potentially impacted customers, other than saying that only “a limited number of impacted instances of Remote Support SaaS were identified”.

According to attack surface management firm Censys, there are more than 13,500 BeyondTrust PRA and RS instances accessible from the internet, and thousands of these are in the US. However, it is unclear how many of them may still be vulnerable.

Related: China Protests US Sanctions for Its Alleged Role in Hacking, Complains of Foreign Hacker Attacks

Related: US Sanctions Chinese Firm Linked to Flax Typhoon Attacks on Critical Infrastructure

Related: In Other News: Volkswagen Data Leak, DoubleClickjacking, China Denies Hacking US Treasury

Related: CISA Releases Mobile Security Guidance After Chinese Telecom Hacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
