Summary: The U.S. Treasury Department experienced a significant cybersecurity breach attributed to suspected Chinese threat actors, enabling remote access to unclassified documents. This incident highlights vulnerabilities in third-party software services and the ongoing threat posed by state-sponsored actors.
Threat Actor: Chinese APT | Chinese APT
Victim: U.S. Treasury Department | U.S. Treasury Department
Key Point :
- Access was gained through a compromised API key from BeyondTrust, a third-party service provider.
- The breach allowed the threat actor to remotely access user workstations and unclassified documents.
- BeyondTrust identified security flaws in its products, with one vulnerability having a CVSS score of 9.8.
- The U.S. Treasury is collaborating with CISA and the FBI to investigate the incident.
- BeyondTrust has taken measures to secure its services and notified affected customers.
The United States Treasury Department said it suffered a “major cybersecurity incident” that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the department said in a letter informing the Senate Committee on Banking, Housing, and Urban Affairs.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
The federal agency said it has been working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that available evidence points to it being the work of an unnamed state-sponsored Advanced Persistent Threat (APT) actor from China.
The Treasury Department further said that it has taken the BeyondTrust service offline, adding there is no evidence that the threat actors have access to the environment.
Earlier this month, BeyondTrust revealed that it was the victim of a digital intrusion that allowed bad actors to breach some of its Remote Support SaaS instances.
The company said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust has yet to reveal how the key was obtained.
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” it said.
The probe has also uncovered two security flaws in Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8 and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The disclosure comes as several U.S. telecommunication providers have found themselves in the crosshairs of another Chinese state-sponsored threat actor named Salt Typhoon.
Source: https://thehackernews.com/2024/12/chinese-apt-exploits-beyondtrust-api.html