BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company’s Remote Support SaaS instances by making use of a compromised API key.
The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged on December 5, 2024.
“The investigation determined that a zero-day vulnerability of a third-party application was used to gain access to an online asset in a BeyondTrust AWS account,” the company said this week.
“Access to that asset then allowed the threat actor to obtain an infrastructure API key that could then be leveraged against a separate AWS account which operated Remote Support infrastructure.”
The American access management company did not name the application that was explored to obtain the API key, but said the probe uncovered two separate flaws in its own products (CVE-2024-12356 and CVE-2024-12686).
BeyondTrust has since revoked the compromised API key and suspended all known affected customer instances, while also providing them with alternative Remote Support SaaS instances.
It’s worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The exact details of the malicious activity are presently not known.
The development comes as the U.S. Treasury Department said it was one of the affected parties. No other federal agencies are assessed to have been impacted.
The attacks have been attributed to a China-linked hacking group dubbed Silk Typhoon (formerly Hafnium), with the agency imposing sanctions against a Shanghai-based cyber actor named Yin Kecheng for his alleged involvement in the breach of the Treasury’s Departmental Offices network.
