Threat Actor: Chinese state-sponsored hacker group
Victim: US Department of the Treasury
Key Points:
- 8,602 instances of BeyondTrust PRA and RS are still connected to the Internet, with 72% located in the US.
- The vulnerability has a CVSS score of 9.8 and was added to CISA’s Known Exploited Vulnerabilities list shortly after its discovery.
- Self-hosted deployments are at risk due to delayed patching and lack of centralized threat intelligence.
- Organizations can mitigate risks by limiting inbound connectivity to trusted IP addresses, even if patching is not possible.
A remarkable number of BeyondTrust instances remain connected to the Internet, despite dire warnings that Chinese state-sponsored threat actors are actively exploiting a critical vulnerability in unpatched systems.
The BeyondTrust bug, tracked under CVE-2024-12356, has an assigned CVSS score of 9.8 and affects Privileged Remote Access (PRA) and Remote Support (RS). It was first reported by BeyondTrust on Dec. 16, 2024. Three days later, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities list. By the end of the month, a Chinese state-sponsored hacker group had used the flaw to break into the US Department of the Treasury and steal data.
New analysis from Censys has found that despite highly publicized evidence of a widespread advanced persistent threat (APT) campaign against unpatched systems, there are 8,602 instances of BeyondTrust PRA and RS still connected to the Internet, 72% of which are in the US. But Censys added a big caveat to the research — there is no way for them to know whether the exposed instances have been patched or not.
The assumption the research appears to make, according to experts, is that a sizable portion, if not all, of these systems are unpatched, self-hosted BeyondTrust deployments that have been inadvertently left open to the Internet and are likely vulnerable.
Censys has not responded to a request for clarification.
Self-Hosted BeyondTrust Deployments Likely Behind the Lag
“If this data is correct, it reflects the age-old tradeoff in software service operating philosophies and licensing models,” Bugcrowd CISO Trey Ford says. “Hosted services will have scale economies supporting both detection/response efforts, as well as centralized patching and hardening.”
Ford adds organizations can see a cost savings on licensing with self-hosted software-as-a-service (SaaS) models, but what they miss out on in turn is critical threat intelligence and remediation help.
“Customers own patching, hardening, and building monitoring capabilities — you’re effectively operating on an island by yourself,” Ford explains. “Service providers charge a slight premium to provide the patching, hardening, and monitoring — at scale — where the rising tide of operational efficiency protects all customers.”
BeyondTrust cloud customers were automatically patched on Dec. 16, 2024, as soon as the vulnerability was reported. Self-hosted versions of BeyondTrust required a manually applied patch, which could easily have been overlooked by overstretched cybersecurity teams.
“Customers using centralized services will see prioritized, and nearly immediate, patch deployment during incident response cycles,” Ford says. “The systems observed online by the Censys report with lagging patch deployment reflect the delay in patch discovery, testing, and patch deployment.”
Self-hosted deployments that can’t be patched, for whatever reason, can still protect vulnerable BeyondTrust remote tools, according to John Bambenek, cybersecurity expert and president of Bambenek Consulting.
“In situations like this, even if patching cannot be done, organizations can still limit inbound connectivity to these systems to trusted IP addresses only,” he says. “Organizations know who is remotely supporting them, [so] they can easily lock down those IP addresses.”
Source:
https://www.darkreading.com/threat-intelligence/thousands-of-buggy-beyondtrust-systems-still-exposed