BeyondTrust Breach Exposes SaaS Customers via Compromised API Key
2025-02-02
Learn about the critical need for robust API security and the potential vulnerabilities in Remote Support SaaS solutions.
BeyondTrust experienced a cybersecurity breach affecting 17 Remote Support SaaS customers. Attackers exploited a zero-day vulnerability in a third-party application to obtain an infrastructure API key, then used that key to reset local application passwords and gain unauthorized access. The breach was first detected in December 2024. BeyondTrust has revoked the compromised API key and suspended the affected customer instances; the U.S. Treasury Department was among those impacted. The attack has been attributed to the China-affiliated hacking group Silk Typhoon. During its investigation, BeyondTrust identified two separate vulnerabilities in its products, both of which have been added to CISA's Known Exploited Vulnerabilities catalog.
Zero-Day, API Vulnerability, Third-Party Vendor/SaaS, Weak or Compromised Credentials
BeyondTrust, API Key Breach, Zero-Day Vulnerability, Silk Typhoon, Remote Support SaaS
CVE-2024-12356; CVE-2024-12686
BeyondTrust Remote Support SaaS, AWS, U.S. Treasury Department
BeyondTrust API Key Breach: What Happened?

In a recent cybersecurity incident, BeyondTrust, a prominent access management company, suffered a breach affecting 17 of its Remote Support SaaS customers. The breach stemmed from a compromised API key that allowed unauthorized access to reset local application passwords. It was first identified on December 5, 2024.

How the Breach Occurred

The attack began with the exploitation of a zero-day vulnerability in a third-party application. This gave the attackers access to an online asset within a BeyondTrust AWS account. From that asset they obtained an infrastructure API key, which they then used to compromise a separate AWS account that manages Remote Support infrastructure. With that access, they were able to reset local application passwords on customer instances.

Impact and Response

BeyondTrust revoked the compromised API key and suspended all affected customer instances. Affected customers were provided with alternative Remote Support SaaS instances to limit disruption. BeyondTrust's investigation also uncovered two vulnerabilities in its products, CVE-2024-12356 and CVE-2024-12686, both OS command injection flaws affecting Privileged Remote Access (PRA) and Remote Support (RS). Both have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog because of evidence of active exploitation.

Affected Parties

Among the affected parties was the U.S. Treasury Department; no other federal agencies were reported to be impacted. The attack has been attributed to the China-affiliated hacking group Silk Typhoon, previously known as Hafnium. Consequently, the U.S. Treasury Department imposed sanctions on a Shanghai-based cyber actor, Yin Kecheng, for his alleged involvement in the breach.
https://thehackernews.com/2025/02/beyondtrust-zero-day-breach-exposes-17.html?m=1