The U.S. Treasury Department disclosed a significant cybersecurity breach attributed to suspected Chinese state-sponsored threat actors, affecting departmental workstations and unclassified documents. The intrusion was carried out with a compromised API key belonging to a third-party service provider, BeyondTrust, whose cloud-based Remote Support service the Treasury used for remote technical support.
Incident Overview
On December 8, 2024, BeyondTrust, a software services company, alerted the Treasury to unauthorized access via a compromised API key.
- Using the key, the attackers were able to override the service's security controls and remotely access certain department workstations and the unclassified documents stored on them.
- The breach is believed to be the work of a state-sponsored Advanced Persistent Threat (APT) group from China, though the specific group has not been named.
Response and Mitigation
The Treasury Department is working with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate the incident.
- BeyondTrust revoked the compromised API key immediately, took the affected Remote Support SaaS instances offline, and provisioned alternative instances for the affected customers. The company says it is continuing to work on further mitigation.
BeyondTrust Investigation and Findings
BeyondTrust discovered unauthorized access to its Remote Support Software as a Service (SaaS) instances via an API key. That access allowed the attacker to reset the passwords of local application accounts. During the investigation the company also disclosed two security vulnerabilities in its Privileged Remote Access (PRA) and Remote Support (RS) products, tracked as CVE-2024-12356 (CVSS score: 9.8) and CVE-2024-12686 (CVSS score: 6.6). Both are command injection flaws; the critical one, CVE-2024-12356, is exploitable without authentication, while CVE-2024-12686 requires an existing administrative account. BeyondTrust patched its cloud-hosted instances itself, but customers running self-hosted PRA or RS must apply the vendor's patches on their own.
The more critical flaw, CVE-2024-12356, has been added to CISA's Known Exploited Vulnerabilities catalog on the basis of confirmed active exploitation, which obliges U.S. federal civilian agencies to remediate it by the catalog's due date.
Wider Implications
This incident follows recent intrusions into U.S. telecommunications companies by a separate Chinese state-sponsored group known as Salt Typhoon, underscoring a continuing pattern of state-sponsored cyber operations against U.S. entities.