Cyber Incident Victim: BeyondTrust
Date: Dec 2024
Location: United States of America
Summary
A cybersecurity firm specializing in privileged access management experienced a breach of its Remote Support SaaS instances after attackers compromised an API key, enabling password resets for local accounts. The company revoked the key, suspended affected instances, and migrated customers to secure alternatives while investigating two subsequently discovered vulnerabilities—a critical unauthenticated command injection flaw and a medium-severity issue permitting admin-privileged command execution and file uploads. Although authorities confirmed exploitation of the critical vulnerability, the firm has not linked it directly to the incident and reported no ransomware deployment. Cloud instances were automatically patched, but self-hosted deployments require manual updates, with ongoing investigations and customer notifications continuing.
Description
BeyondTrust, a privileged access management company, detected anomalous behavior on its network on December 2, 2024, initiating an investigation that confirmed threat actors had breached some Remote Support SaaS instances. The compromise involved unauthorized access to an API key for Remote Support SaaS, discovered during a root cause analysis on December 5, 2024. This key enabled attackers to reset passwords for local application accounts within the affected instances. BeyondTrust responded by immediately revoking the compromised API key, notifying known impacted customers, suspending compromised instances, and provisioning alternative Remote Support SaaS instances for affected users on the same day. The company did not confirm whether attackers leveraged the breached instances to target downstream customers. Investigations remained ongoing as of December 19, 2024, with BeyondTrust collaborating with independent third-party cybersecurity firms and providing updates via its website.

During the investigation, BeyondTrust identified two vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. The first, CVE-2024-12356, was a critical command injection flaw disclosed on December 16, 2024, allowing unauthenticated remote attackers to execute operating system commands. The second, CVE-2024-12686, was a medium-severity vulnerability disclosed on December 18, 2024, permitting authenticated administrators to inject commands and upload malicious files. While BeyondTrust did not explicitly attribute the breach to these vulnerabilities, CISA confirmed CVE-2024-12356 had been exploited in attacks. BeyondTrust automatically patched all cloud instances but required self-hosted customers to apply updates manually. The company confirmed no ransomware deployment had been observed and reiterated the incident impacted only a limited subset of Remote Support SaaS customers. Final determinations regarding the attackers’ initial access vectors and full scope of the breach remained pending at the time of reporting.
