BeyondTrust says hackers breached Remote Support SaaS instances
Story updated with statement from BeyondTrust.
Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances.
BeyondTrust is a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions. Its products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.
The company says that on December 2nd, 2024, it detected “anomalous behavior” on its network. An initial investigation confirmed that threat actors compromised some of its Remote Support SaaS instances.
After further investigation, it was discovered that the hackers had gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.
“BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers,” reads the announcement.
“On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised.”
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.”
It is unclear if the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.
Critical vulnerability discovered
As part of the company’s investigation into the attack, it discovered two vulnerabilities, one on December 16th and the other on the 18th.
The first one, tracked as CVE-2024-12356, is a critical command injection flaw impacting the Remote Support (RS) and Privileged Remote Access (PRA) products.
“Successful exploitation of this vulnerability can allow an unauthenticated, remote attacker to execute underlying operating system commands within the context of the site user,” reads the description of the flaw.
The second issue, tracked as CVE-2024-12686, is a medium-severity vulnerability in the same products that allows attackers with admin privileges to inject commands and upload malicious files onto the target.
Although not explicitly stated, it is possible that the hackers leveraged the two flaws as zero-days to gain access to BeyondTrust systems or as part of their attack chain to reach customers.
However, BeyondTrust has not marked the flaws as actively exploited in either advisory.
BeyondTrust says it automatically applied patches for the two flaws on all cloud instances, but customers who run self-hosted instances need to apply the security update manually.
Finally, the company noted that investigations into the security incident are ongoing, and updates will be provided on its website when more information becomes available.
BeyondTrust told GeekFeed that the vulnerabilities have not been used to deploy ransomware and that its investigation is still ongoing.
“As of this time, we have not encountered any instances of ransomware. Our investigation is ongoing, and we are continuing to work with independent third-party cybersecurity firms to conduct a thorough investigation,” BeyondTrust told GeekFeed.
“At this time, BeyondTrust is focused on ensuring that all customer instances—both cloud and self-hosted—are fully updated and secure. Our priority remains supporting the limited number of customers impacted and safeguarding their environments. We will continue to provide regular updates via our website as our investigation progresses.”
BeyondTrust has not answered our question as to whether the flaws were exploited to breach its Remote Support SaaS instances, and GeekFeed has sent additional follow-up questions.
However, CISA now says that CVE-2024-12356 was exploited in attacks but did not share any further details.