2024-12-31
State-Sponsored Threat Actors Used Compromised BeyondTrust Key to Access US Treasury Workstations
The US Department of the Treasury informed legislators that 'on December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.' The BeyondTrust incident was reported in December (covered in NB 26.97 on December 20, 2024). While BeyondTrust revoked the compromised key upon learning of the incident, 'potentially anomalous behavior' was detected several days before. Current analysis attributes the attack to a state-sponsored threat actor with ties to China.
Editor's Note
Another example of a supply chain attack as we end one year and start a new one. Seems like every software vendor is now offering a SaaS solution as part of the product roadmap. Organizations must now plan and measure third parties as part of their cybersecurity program. A good starting point is CIS Critical Security Control 15, Service Provider Management, that includes seven safeguards to ensure providers are protecting those platforms and data appropriately. https://www.cisecurity.org/controls/service-provider-management
Curtis Dukes
BeyondTrust identified CVE-2024-12356, CVSS score 9.8, and CVE-2024-12686, CVSS score 6.6, command injection vulnerabilities, in their cloud and self-hosted services. The cloud services have been patched. If you're self-hosting BeyondTrust Privileged Remote Access (PRA) and/or Remote Support (RS), you need to update to versions newer than 24.3.1. Take this as an example to consider when using cloud/outsourced services for remote access to endpoints. Make sure you have visibility into those accesses, are able to shut down unauthorized attempts, have secured the RS API, and fully understand how that access is managed/secured.
Lee Neely
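As an added illustration of the two actions in the note above (not code from BeyondTrust or from this newsletter), the Python script below checks that a self-hosted PRA/RS build is strictly newer than 24.3.1 and scans remote-support session records for source addresses outside the networks your support representatives are approved to connect from. The session log format, network ranges, representative names and host names are constructed for the example; BeyondTrust's real export format is not used here.

```python
"""Added example: patch-level check and session-source review for a
self-hosted remote-support deployment. Log format and all sample values
are constructed for illustration, not taken from any vendor product."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Per the note above, self-hosted PRA/RS must run a version newer than 24.3.1.
LAST_VULNERABLE_VERSION = (24, 3, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn the leading dotted numeric part of a version string into a
    comparable tuple, ignoring any build suffix ('24.3.1-build7' -> (24, 3, 1))."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '25.0' compares as (25, 0, 0)


def is_patched(installed: str) -> bool:
    """True only if the installed version is strictly newer than 24.3.1."""
    return parse_version(installed) > LAST_VULNERABLE_VERSION


# Constructed session log (hypothetical key=value format; RFC 5737 test addresses).
SAMPLE_SESSION_LOG = """\
2024-12-02T03:14:07Z session=a1 rep=svc-support src=198.51.100.23 target=DO-WS-0142 action=start
2024-12-02T03:15:44Z session=a1 rep=svc-support src=198.51.100.23 target=DO-WS-0142 action=file_download
2024-12-03T14:02:10Z session=b7 rep=jdoe src=203.0.113.9 target=DO-WS-0077 action=start
2024-12-03T14:40:02Z session=b7 rep=jdoe src=203.0.113.9 target=DO-WS-0077 action=end
"""

# Constructed policy: where approved representatives connect from, and ranges
# you have decided to block outright (e.g. published indicators).
APPROVED_REP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class SessionEvent:
    ts: datetime
    session: str
    rep: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    target: str
    action: str


def parse_events(log_text: str) -> list[SessionEvent]:
    """Parse the constructed 'timestamp key=value ...' lines into events."""
    events: list[SessionEvent] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(SessionEvent(
            ts=datetime.fromisoformat(ts_text.replace("Z", "+00:00")),
            session=fields["session"],
            rep=fields["rep"],
            src=ipaddress.ip_address(fields["src"]),
            target=fields["target"],
            action=fields["action"],
        ))
    return events


def flag_sessions(events: list[SessionEvent],
                  approved=APPROVED_REP_NETWORKS,
                  blocked=BLOCKED_NETWORKS) -> dict[str, list[str]]:
    """Return {session_id: [distinct reasons]} for sessions whose source
    address is blocked or falls outside the approved representative networks."""
    flags: dict[str, list[str]] = {}
    for ev in events:
        reasons = []
        if any(ev.src in net for net in blocked):
            reasons.append(f"source {ev.src} is in a blocked network")
        if not any(ev.src in net for net in approved):
            reasons.append(f"source {ev.src} is outside approved representative networks")
        if reasons:
            seen = flags.setdefault(ev.session, [])
            for reason in reasons:
                if reason not in seen:
                    seen.append(reason)
    return flags


if __name__ == "__main__":
    print("24.3.1 patched?", is_patched("24.3.1"), "| 24.3.2 patched?", is_patched("24.3.2"))
    for session, reasons in flag_sessions(parse_events(SAMPLE_SESSION_LOG)).items():
        print(f"session {session}: " + "; ".join(reasons))
```

Session `a1` is flagged on both counts and `b7` passes; in a real deployment the approved networks would come from your representative access policy and the blocked list from whatever indicators you have chosen to act on, and a flagged live session is the point at which the "shut down unauthorized attempts" capability in the note gets exercised.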
It's unclear in many of these articles which cloud or key was used. Interestingly, the IOCs in the 'known IOC' list are all DigitalOcean IP addresses. This particular intrusion is interesting, and I'm waiting for more details about what happened. Is BeyondTrust at fault, or was there a lapse in security, etc.? We will have to wait for more information.
Moses Frost
Private cryptographic keys should be stored only in Hardware Security Modules (HSMs) that permit their use but cannot disclose them.
William Hugh Murray
Read more in
Nextgov: Chinese-sponsored hackers accessed Treasury documents in 'major incident'
Wired: US Treasury Department Admits It Got Hacked by China
The Record: Beijing-linked hackers penetrated Treasury systems
The Register: US Treasury Department outs the blast radius of BeyondTrust's key leak
Security Week: Chinese Hackers Accessed US Treasury Workstations in 'Major' Cybersecurity Incident
SC World: US Treasury hacked by state-sponsored Chinese APT group
Dark Reading: Chinese State Hackers Breach US Treasury Department
BeyondTrust: BeyondTrust Remote Support SaaS Service Security Investigation (December 8, updated December 18)