
US Treasury breached after BeyondTrust API key leaked

CVSS 9.8 pre-auth RCE vulnerability also identified in post-incident investigation...

The United States Treasury was breached after an API key for remote support software from IAM vendor BeyondTrust was somehow exposed.

A letter from the Treasury (as first reported by CyberScoop) to the Senate Committee on Banking, Housing and Urban Affairs confirms the breach.

It says Treasury officials were told by BeyondTrust on December 8 that “a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support…”

BeyondTrust has not said how the API key was exposed. In a detail-thin post-incident report it reveals that, while investigating the incident, it also discovered a brace of vulnerabilities. The most severe (CVE-2024-12356) is a CVSS 9.8 command injection vulnerability that lets an “unauthenticated remote attacker to execute underlying operating system commands…”


The report does not specify whether this vulnerability (which affects both cloud and on-premises customers) was exploited in the incident. Cloud customers have been patched automatically. On-premises customers who do not have automatic updates enabled are strongly encouraged to apply the patch.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” wrote Aditi Hardikar, the Treasury’s assistant secretary for management.

BeyondTrust told reporters that it had first noticed anomalous activity on December 2. This was confirmed on December 5 to be affecting what it said were a “limited” number of remote support SaaS customers.

BeyondTrust’s latest update on the incident was on December 18, when it said that “We continue to pursue all possible paths as part of the forensic analysis, including our work with external forensic parties, to ensure we conduct as thorough an investigation as possible. We also continue to communicate and work closely with all known affected customers and will provide updates here until our investigation is concluded.”
