Hack on Treasury Department, as per CISA, did not affect other federal bodies
In a significant cybersecurity incident, the U.S. Treasury Department fell victim to a December 2024 attack, which has been linked to threat actors associated with China. The attack, which targeted Treasury workstations, was facilitated through the compromise and misuse of a BeyondTrust Remote Support SaaS API key.
The compromised API key was used to bypass security controls, granting unauthorised remote access to Treasury Department workstations. This allowed the threat actors to move laterally within the network, conducting their malicious operations covertly.
The attack exposed several key vulnerabilities, including weaknesses in the management and protection of privileged access credentials. In this instance, inadequate controls around the issuance, rotation, and auditing of API keys enabled the attackers to use BeyondTrust credentials stealthily.
Additionally, insufficient real-time monitoring and anomaly detection in privileged remote access allowed the threat actors to operate undetected once inside the network. The attack also demonstrated risks inherent in third-party SaaS solutions, as a compromised solution could potentially provide adversaries with a backdoor into highly sensitive government systems.
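The two control gaps named above (no rotation or auditing of API keys, and no real-time anomaly detection on privileged remote-access usage) are both things a defender can check mechanically. The following is an added illustration, not code from the article, from BeyondTrust, or from the Treasury Department: it audits a constructed API-key inventory for keys that have not been rotated within a policy window, and runs a few simple anomaly rules (use from a source network the key is not expected to come from, use outside business hours, and an unusual fan-out of target hosts within one hour) over constructed usage-log lines. The key ids, IP ranges, hostnames, log format and thresholds are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key inventory (hypothetical ids and networks, not vendor data):
# each key has an owner, a last-rotation time and the source networks from
# which the key is expected to be used.
KEY_INVENTORY = [
    {"key_id": "rs-api-0001", "owner": "vendor-support",
     "rotated": "2024-01-10T09:00:00Z", "allowed_sources": ["203.0.113.0/24"]},
    {"key_id": "rs-api-0002", "owner": "helpdesk",
     "rotated": "2024-11-15T09:00:00Z", "allowed_sources": ["198.51.100.0/24"]},
]

# Constructed usage log: "<timestamp> <key_id> <source_ip> <target_host>".
# rs-api-0001 is used at 03:00 UTC from an unexpected network against four
# workstations in a few minutes; rs-api-0002 shows ordinary helpdesk use.
USAGE_LOG = """\
2024-12-02T10:15:00Z rs-api-0002 198.51.100.7 ws-1021
2024-12-02T10:40:00Z rs-api-0002 198.51.100.7 ws-1022
2024-12-03T03:12:00Z rs-api-0001 192.0.2.44 ws-2001
2024-12-03T03:14:00Z rs-api-0001 192.0.2.44 ws-2002
2024-12-03T03:15:00Z rs-api-0001 192.0.2.44 ws-2003
2024-12-03T03:17:00Z rs-api-0001 192.0.2.44 ws-2004
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, src, host = line.split()
        events.append({"ts": parse_ts(ts), "key_id": key_id, "src": src, "host": host})
    return events


def stale_keys(inventory, now, max_age_days=90):
    """Rotation audit: keys whose last rotation is older than the policy window."""
    limit = timedelta(days=max_age_days)
    return [k["key_id"] for k in inventory if now - parse_ts(k["rotated"]) > limit]


def flag_anomalies(events, inventory, business_hours=(7, 19), max_hosts_per_hour=3):
    """Usage audit: return {key_id: [reasons]} for keys whose use looks abnormal.

    Rules (thresholds are assumptions for the example):
      unexpected_source - source IP is outside the key's allowed networks
      off_hours         - use outside business_hours (UTC, half-open range)
      host_fanout       - more than max_hosts_per_hour distinct targets in one hour
    """
    allowed = {k["key_id"]: [ipaddress.ip_network(n) for n in k["allowed_sources"]]
               for k in inventory}
    reasons = defaultdict(set)
    hosts_per_bucket = defaultdict(set)
    for e in events:
        src = ipaddress.ip_address(e["src"])
        # A key missing from the inventory has no allowed networks and is flagged too.
        if not any(src in net for net in allowed.get(e["key_id"], [])):
            reasons[e["key_id"]].add("unexpected_source")
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            reasons[e["key_id"]].add("off_hours")
        hosts_per_bucket[(e["key_id"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["host"])
    for (key_id, _hour), hosts in hosts_per_bucket.items():
        if len(hosts) > max_hosts_per_hour:
            reasons[key_id].add("host_fanout")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    now = parse_ts("2024-12-31T00:00:00Z")
    print("keys overdue for rotation:", stale_keys(KEY_INVENTORY, now))
    print("anomalous key usage:", flag_anomalies(parse_log(USAGE_LOG), KEY_INVENTORY))
```

On the constructed data the rotation audit reports rs-api-0001 (rotated almost a year earlier) and the usage audit flags the same key for all three rules, while the helpdesk key is clean. In practice the inventory would be exported from the remote-support platform and the events taken from its audit log or a SIEM; the point of the example is that each of the three signals is cheap to compute and any one of them is enough to trigger a review of a privileged key.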
BeyondTrust, the provider of the Remote Support tool, identified a critical command injection vulnerability (CVE-2024-12356) and a medium-severity vulnerability (CVE-2024-12686) during the investigation. BeyondTrust has since pushed patches to all self-hosted instances for these vulnerabilities.
However, BeyondTrust Remote Support & Privileged Remote Access instances continue to be exposed on the public internet, with researchers at Censys reporting over 13,500 such instances. Censys initially reported over 8,600 exposed instances but later updated the number after modifying its detection methods.
Censys cautioned last week that customers using BeyondTrust Remote Support & Privileged Remote Access should manually verify that their instances are actually patched. No additional attacks have been reported since the patch, and all Remote Support SaaS instances have been fully patched.
The U.S. Treasury is expected to adopt more stringent API key policies, privileged access controls, and response mechanisms following this breach. No evidence suggests the attack has affected other federal agencies, but it underscores the need for strengthened privileged access management, comprehensive API key security, and enhanced continuous monitoring of third-party remote support tools within critical government infrastructure.
BeyondTrust notified Treasury officials last month about a stolen key for cloud-based remote technical support, and the company is close to finishing a forensic investigation of the attack. No official comment has been made by BeyondTrust or federal officials regarding whether the identified vulnerabilities played a direct role in the attacks against the Treasury Department workstations.
The incident aligns with broader trends of Chinese-linked cyber threat actors conducting sophisticated supply chain and privileged access exploits against U.S. government targets to gain espionage advantages and establish persistent presence. It serves as a reminder for organisations to prioritise their API key security and privileged access management practices to safeguard their systems and data.
- The U.S. Treasury Department's cybersecurity incident in December 2024, linked to Chinese threat actors, highlighted vulnerabilities in the management and protection of privileged access credentials, as inadequate controls around API keys enabled the attackers to use BeyondTrust credentials stealthily.
- The attack against the Treasury Department workstations also demonstrated risks inherent in third-party SaaS solutions, as a compromised solution could potentially provide adversaries with a backdoor into highly sensitive government systems.
- BeyondTrust, the provider of the Remote Support tool, identified critical and medium-severity vulnerabilities during the investigation, and although patches have been pushed to all self-hosted instances, BeyondTrust Remote Support & Privileged Remote Access instances continue to be exposed on the public internet.