BeyondTrust Breach Causes Major Incident At US Treasury
Overview
On December 2, 2024, BeyondTrust, a leading cybersecurity solutions provider specializing in Privileged Access Management (PAM) and Secure Remote Access, identified anomalous activities affecting certain customer instances of its Remote Support Software-as-a-Service (SaaS) platform. Following an in-depth investigation, it was revealed that a compromised API key had been exploited, leading to unauthorized access and the potential for escalated attacks on affected customer environments.
On December 30, 2024, it was reported that the US Treasury had announced a "major incident": its systems were compromised as a result of this breach, with employee workstations and some unclassified documents accessed.
What Happened?
BeyondTrust detected anomalous activity within its network, specifically targeting a subset of Remote Support SaaS instances. A thorough investigation revealed that threat actors had compromised an API key associated with the Remote Support SaaS, enabling them to reset passwords for local application accounts. This breach was confirmed on December 5, 2024, prompting BeyondTrust to revoke the compromised API key, notify affected customers, and suspend the impacted instances.
How It Happened
Compromised API Key
Access and Exploitation: Attackers obtained an API key for BeyondTrust's Remote Support SaaS, which granted them the capability to reset passwords for local application accounts. The exact method by which the API key was compromised remains undisclosed.
Vulnerabilities Identified
CVE-2024-12356:
Description: A critical command injection vulnerability in BeyondTrust's Remote Support (RS) and Privileged Remote Access (PRA) products. This flaw allows unauthenticated, remote attackers to execute operating system commands within the context of the site user.
Severity: Rated with a CVSS score of 9.8 (Critical).
Discovery and Patch: Identified on December 16, 2024, and promptly patched by BeyondTrust.
CVE-2024-12686:
Description: A medium-severity vulnerability in the same products, permitting attackers with administrative privileges to inject commands and upload malicious files.
Severity: CVSS score of 6.6 (Medium).
Discovery and Patch: Discovered on December 18, 2024, and addressed with security updates.
BeyondTrust's Response
Immediate Actions
Revoked the compromised API key.
Notified affected customers and suspended compromised instances.
Provided alternative Remote Support SaaS instances to ensure continuity of service.
Vulnerability Mitigation
Patched identified vulnerabilities (CVE-2024-12356 and CVE-2024-12686) across all cloud instances.
Released security updates for self-hosted instances, advising customers to apply patches promptly.
Ongoing Measures
Engaged third-party cybersecurity firms to conduct a comprehensive investigation.
Committed to providing regular updates as the investigation progresses.
Potential Impact
Operational Disruption
BeyondTrust suspended the affected SaaS instances to contain the breach. This action likely disrupted services for impacted customers, causing inconvenience and potential operational delays.
Reputational Damage
As a trusted provider of PAM security solutions, BeyondTrust’s reputation suffered, raising concerns about its ability to safeguard its own systems and those of its clients.
Given that the US Treasury suffered a major incident, there will be clear ramifications from US regulators.
Lessons Learned
API Key Management
Enforce strict controls over API key generation, storage, and usage.
Regularly rotate keys and monitor for unauthorized usage patterns.
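One way to act on the "monitor for unauthorized usage patterns" advice is to baseline each API key's normal source addresses and then flag sensitive actions that arrive from somewhere new, or in a burst. The following is an added example written for this page, not BeyondTrust's code or telemetry; the audit log lines are constructed, and the log layout, field names and the `reset_password` action name are assumptions.

```python
"""Detection over a constructed API audit log (added example, not BeyondTrust's code).
Baseline each API key's usual source IPs from a known-good period, then flag a
sensitive action (here a local-account password reset) arriving from an IP the
key has never used, and flag bursts of sensitive actions in a short window.
The log layout and field names are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp key_id source_ip action target
SAMPLE_LOG = """\
2024-12-01T09:00:00Z key_A 10.0.0.5 list_sessions -
2024-12-01T09:05:00Z key_A 10.0.0.5 list_sessions -
2024-12-01T10:00:00Z key_A 10.0.0.5 reset_password svc-support
2024-12-02T02:10:00Z key_A 203.0.113.7 reset_password admin-local
2024-12-02T02:10:30Z key_A 203.0.113.7 reset_password svc-backup
2024-12-02T02:11:00Z key_A 203.0.113.7 reset_password svc-deploy
2024-12-02T02:11:20Z key_A 203.0.113.7 reset_password ops-local
"""

SENSITIVE_ACTIONS = {"reset_password"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3  # more than this many sensitive actions per key in the window

def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key, ip, action, target = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "key": key, "ip": ip, "action": action, "target": target})
    return events

def build_baseline(events, cutoff):
    """Source IPs each key used before the cutoff (the known-good period)."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            known[e["key"]].add(e["ip"])
    return known

def detect(events, baseline):
    """Return (alert_type, key, ip, timestamp) tuples for anomalous sensitive use."""
    alerts = []
    seen_pairs = set()          # (key, ip) already reported as a new source
    recent = defaultdict(list)  # key -> timestamps of recent sensitive actions
    burst_reported = set()      # keys whose burst has already been reported
    for e in events:
        if e["action"] not in SENSITIVE_ACTIONS:
            continue
        pair = (e["key"], e["ip"])
        if e["ip"] not in baseline.get(e["key"], set()) and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append(("new_source_ip", e["key"], e["ip"], e["ts"]))
        window = recent[e["key"]]
        window.append(e["ts"])
        # keep only the sensitive actions inside the sliding window
        window[:] = [t for t in window if e["ts"] - t <= BURST_WINDOW]
        if len(window) > BURST_THRESHOLD and e["key"] not in burst_reported:
            burst_reported.add(e["key"])
            alerts.append(("burst", e["key"], e["ip"], e["ts"]))
    return alerts

def analyze(log_text=SAMPLE_LOG, cutoff=datetime(2024, 12, 2)):
    """Baseline on events before the cutoff, then run detection over everything."""
    events = parse_log(log_text)
    return detect(events, build_baseline(events, cutoff))

if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

On the constructed log the earlier reset from the known address is silent, while the run of resets from the previously unseen address produces one new-source alert and one burst alert. In a real deployment the baseline would come from a longer history and the thresholds would be tuned per key, but the shape of the check is the same.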
Zero Standing Privileges (Ephemeral Secrets)
Move away from static secrets to just-in-time (JIT) secrets.
Transition to a Zero Trust model.
Strengthen Input Validation
Implement robust input sanitization and validation mechanisms to prevent injection attacks.
Conduct regular code reviews and dynamic application security testing (DAST).
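The injection class described above comes from building an OS command as a string that a shell then parses. The following is an added example, not code from BeyondTrust's products, showing that unsafe pattern beside a hardened form that allowlists the input and passes it as a separate argument vector with no shell involved; the diagnostic command (`ping`) is an assumption chosen for illustration.

```python
"""Command-construction patterns (added example, not BeyondTrust's code): the
unsafe shell-string form next to a hardened form that allowlists the input and
passes it as a separate argv element. The diagnostic command is an assumption."""
import re
import subprocess

# Allowlist: DNS-style labels only (letters, digits, hyphens, dots), which is
# far narrower than "anything the shell will not choke on". A leading hyphen
# is rejected too, so the value can never be read as an option by the program.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

def vulnerable_command(host):
    """Unsafe (shown for contrast only): the caller's input becomes part of a
    string a shell will parse, so any shell metacharacter in `host` changes
    the command that actually runs."""
    return "ping -c 1 " + host

def is_valid_hostname(host):
    """True only if the whole string matches the allowlist."""
    return HOSTNAME_RE.fullmatch(host) is not None

def hardened_argv(host):
    """Validate against the allowlist first, then build an argument vector.
    Each element reaches the program as one argument; no shell is involved."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]

def run_diagnostic(host, timeout=5):
    """Execute the hardened form with shell=False and return the exit status."""
    argv = hardened_argv(host)
    result = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return result.returncode
```

The two defences are independent: the allowlist rejects anything that is not a hostname, and `subprocess.run` with a list (the default `shell=False`) means that even a value which slipped past validation would reach the program as a single argument rather than be interpreted by a shell.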
Privileged Access Controls
Limit privilege levels and segment critical operations to reduce the blast radius of a potential breach.
Implement multi-factor authentication (MFA) for sensitive account actions.
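The "Zero Standing Privileges" and "Privileged Access Controls" points above fit together: instead of a long-lived API key that can do anything, issue short-lived credentials scoped to specific actions, and require an MFA-verified credential for the sensitive ones. The following is an added example written for this page, not BeyondTrust's or any library's token format; it mints and checks HMAC-signed tokens with an expiry, an action scope and an MFA flag. The server key, claim names and the `reset_password` action are assumptions.

```python
"""JIT, scoped, MFA-gated credentials (added example, not BeyondTrust's code).
A token carries a subject, an explicit list of permitted actions, an expiry and
whether the holder completed MFA; the authorizer rejects anything else."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side signing key held by the issuer (constructed value).
SERVER_KEY = b"constructed-demo-key-do-not-use"
SENSITIVE_ACTIONS = {"reset_password"}  # actions that additionally require MFA

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, scopes, ttl_seconds, mfa_verified, now=None):
    """Mint a short-lived token limited to `scopes`. `now` is injectable for tests."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scp": sorted(scopes), "iat": int(now),
              "exp": int(now) + ttl_seconds, "mfa": bool(mfa_verified)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None
    return claims

def authorize(token, action, now=None):
    """Decide whether `token` may perform `action`; returns (allowed, reason)."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    if action not in claims["scp"]:
        return False, "action not in token scope"
    if action in SENSITIVE_ACTIONS and not claims["mfa"]:
        return False, "sensitive action requires MFA-verified token"
    return True, "ok"

if __name__ == "__main__":
    t = issue_token("support-bot", {"list_sessions"}, ttl_seconds=300, mfa_verified=False)
    print(authorize(t, "list_sessions"))   # allowed
    print(authorize(t, "reset_password"))  # out of scope
```

With this shape a stolen credential is bounded on three axes at once: it stops working after the TTL, it cannot be used for actions outside its scope, and a password reset needs a token that was minted after an MFA check. The page's incident involved a static key that could reset local account passwords; that is exactly the combination this design refuses to issue.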
Vulnerability Management
Conduct frequent vulnerability scans and penetration testing.
Maintain a bug bounty program to encourage responsible vulnerability disclosure.
Incident Response Readiness
Develop and periodically test incident response plans to ensure swift containment and recovery during breaches.
Conclusion
The compromised API key became the keystone for this breach, illustrating the cascading effects of weak API security practices. API vulnerabilities often serve as the gateway to large-scale breaches because they are designed to facilitate seamless communication between systems.
In this case, the attackers leveraged a single compromised API key to execute privileged actions, including password resets and unauthorized access to sensitive customer data. Organizations should take this as a wake-up call to review their own security practices, particularly those involving sensitive credential management, least privilege enforcement, and vulnerability mitigation.
NHI breaches are now becoming a regular occurrence; view our post with the most comprehensive view ever shared, covering over 40 breaches that have occurred in the last few years.
This should be a wake-up call to all organisations that they are sitting on a huge exposure around Non-Human Identities. NHIs are the primary attack vector used by external and internal threat actors to compromise systems and steal data. The adoption of Cloud and SaaS services has created a huge Secrets Sprawl problem, leaving organisations further exposed to third-party supply chain attacks.
Are you concerned about NHI risks within your organisation?
Our NHI Mgmt Group is the market-leading research and advisory firm in the Non-Human Identity space. We provide independent guidance and advice for clients looking to manage the risks around Non-Human Identities.
Our team has been advising, establishing and managing global regulatory IAM / NHI programs for over 25 years at major financial institutions.
We have the most comprehensive Knowledge Centre on NHIs including foundational Articles on NHIs, Industry White-Papers, Major Breaches, Research Reports, Blogs, Educational Videos, Industry Surveys, Newsletters as well as details of Products that support the risk management of NHIs.
Our NHI Mgmt Group was founded by an IAM industry veteran who has managed global regulatory NHI programs, authored major white papers and research articles on NHIs, established the thriving NHI LinkedIn Community Group, and is recognised as the #1 NHI Evangelist / Voice in the industry.
Contact us if you would like to get some independent guidance and advice on how to start tackling Non-Human Identity Risks.