
CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks

Attackers have been exploiting a second vulnerability in BeyondTrust’s remote management solutions, CISA warns.


The US cybersecurity agency CISA is urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) enterprise solutions, based on evidence of active exploitation.

Tracked as CVE-2024-12686, the flaw is a medium-severity command injection issue that was discovered during BeyondTrust’s investigation into the compromise of a limited number of customer RS SaaS instances, including one associated with the US Department of Treasury.

The attack on the US Treasury was disclosed on December 31 and was attributed to Chinese hackers. The state-sponsored threat actor known as Silk Typhoon was reportedly responsible for the intrusion.

In early December 2024, BeyondTrust discovered that hackers had been using a compromised API key for a remote access service to target several customers, and announced that a critical zero-day vulnerability tracked as CVE-2024-12356 was identified during the investigation.

CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog on December 19. Last week, CISA said it had no evidence that any federal agency other than the US Treasury was compromised in the BeyondTrust incident.

On Monday, the cybersecurity agency warned that CVE-2024-12686 – the second BeyondTrust bug identified during the security incident probe – has been exploited in the wild as well, and added it to the KEV catalog.

The security defect “can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user”, CISA says.

As mandated by Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable BeyondTrust PRA and RS instances in their environments and to apply the available patches. In this case, the deadline is February 3.


While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and prioritize patching the vulnerabilities it contains, or consider removing the affected products from their environments if patching is not possible.
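The KEV review that the paragraph above recommends is easy to automate: the catalog is published as JSON, and each entry carries a vendor, a product string, the date it was added and the BOD 22-01 due date. The script below, added here as an example and not code from CISA, BeyondTrust or the article, parses a constructed excerpt in that schema, matches it against a hand-written asset inventory, and produces a remediation list ordered by due date with overdue items flagged. The feed URL, field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and the keyword-based product matching are assumptions about the live feed; the excerpt's entries for the two BeyondTrust CVEs use the dates the article reports, while the other values and the third entry are invented for illustration.

```python
"""Match a software inventory against an excerpt of CISA's KEV catalog.

Assumptions (not from the article): the live feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the field names below. KEV_SAMPLE is a constructed excerpt for offline use.
"""
import json
from datetime import date

# Constructed excerpt in the KEV JSON schema. The BeyondTrust dateAdded/dueDate
# values follow the article (Dec 19 addition; Jan 13 addition with Feb 3 deadline);
# the first dueDate, the requiredAction text and the third entry are illustrative.
KEV_SAMPLE = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
     "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
     "dateAdded": "2024-12-19", "dueDate": "2024-12-27",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
     "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
     "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "Widget Gateway",
     "dateAdded": "2025-01-06", "dueDate": "2025-01-27",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."}
  ]
}
"""

# Constructed inventory: vendor plus a product keyword as it appears in KEV product
# strings. Only the BeyondTrust Remote Support deployment should match the excerpt.
INVENTORY = [
    {"vendor": "BeyondTrust", "product": "RS", "host": "rs.corp.example"},
    {"vendor": "ExampleVendor", "product": "Router", "host": "edge.corp.example"},
]


def load_kev(feed_text):
    """Parse a KEV JSON document and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def product_keywords(product_string):
    """Tokenise a free-text KEV product string, e.g. 'Remote Support (RS)' -> {'remote','support','rs'}."""
    return {word.strip("(),").lower() for word in product_string.split()}


def matches_inventory(entry, inventory):
    """True if the entry's vendor matches an asset and the asset's product keyword appears
    in the entry's product string. Vendor must match exactly (case-insensitive); product
    matching is keyword-based because KEV product strings are free text."""
    vendor = entry["vendorProject"].lower()
    keywords = product_keywords(entry["product"])
    return any(asset["vendor"].lower() == vendor and asset["product"].lower() in keywords
               for asset in inventory)


def applicable_entries(entries, inventory):
    """Filter KEV entries down to those that touch something in the inventory."""
    return [e for e in entries if matches_inventory(e, inventory)]


def remediation_plan(entries, today):
    """Order applicable entries by BOD 22-01 due date and flag those already overdue.
    daysLeft is negative for overdue items."""
    plan = []
    for entry in sorted(entries, key=lambda e: e["dueDate"]):
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        plan.append({
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "status": "OVERDUE" if days_left < 0 else "open",
            "requiredAction": entry["requiredAction"],
        })
    return plan


if __name__ == "__main__":
    hits = applicable_entries(load_kev(KEV_SAMPLE), INVENTORY)
    for item in remediation_plan(hits, date(2025, 1, 14)):
        print(f"{item['cveID']}  due {item['dueDate']}  {item['status']:7}  "
              f"({item['daysLeft']:+d} days)  {item['requiredAction']}")
```

Run against the live feed, the only change is reading the JSON from the URL instead of KEV_SAMPLE; the inventory and the date passed to remediation_plan are what make the output specific to your environment. Where an entry's requiredAction allows discontinuing use, treat an overdue status as the trigger for the removal decision the article mentions, not just for a faster patch.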

US officials told the press in recent days that the Chinese cyberspies targeted several offices of the US Treasury, including ones dealing with foreign investments and sanctions.

Related: CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks

Related: CISA Issues Binding Operational Directive for Improved Cloud Security

Related: Why Custom IOCs Are Necessary for Advanced Threat Hunting and Detection

Related: Insider Threat: Tackling the Complex Challenges of the Enemy Within

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
