Treasury only federal agency hit in recent breach, as BeyondTrust says "forensic investigation" nearly done

"We are working aggressively to safeguard against any further impacts..."

The Department of the Treasury was the only federal organisation compromised in the wake of a recent BeyondTrust security incident.

That’s according to CISA, which said in a January 6 bulletin that it is “working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident.”

Treasury hack update: CISA says that...

In a December 30 letter to lawmakers, Treasury officials revealed that the state-backed hackers had "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” adding that “with access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

“At this time, there is no indication that any other federal agencies have been impacted by this incident… The security of federal systems and the data they protect is of critical importance to our national security. We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate,” CISA said in a terse January 6 update.

BeyondTrust earlier said “on December 5, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised. BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.” It is not yet clear how the API key was exposed.

“A thorough investigation into the cause and impact of the compromise is underway with a recognized third-party cybersecurity and forensics firm. Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted,” it earlier said, adding that it had identified two vulnerabilities, including a critical command injection bug in its software, during the post-incident analysis. It is not yet clear whether either of these BeyondTrust vulnerabilities was exploited during the incident.

In a January 6 update (its first since December 18), BeyondTrust told customers: “The forensic investigation into the Remote Support SaaS incident is approaching completion. All SaaS instances of BeyondTrust Remote Support have been fully patched against the vulnerabilities mentioned in our previous security advisories. A patch has also been pushed for self-hosted instances. No new customers have been identified beyond those we have communicated with previously,” it added. 

The Stack will share our analysis of the post-mortem when it lands.
