Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances.
BeyondTrust is a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions. Their products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.
The company says that on December 2nd, 2024, it detected “anomalous behavior” on its network. An initial investigation confirmed that threat actors compromised some of its Remote Support SaaS instances.
After further investigation, it was discovered that hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.
“BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers,” reads the announcement.
“On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised.”
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.”
It is unclear if the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.
Critical vulnerability discovered
As part of the company’s investigation into the attack, it discovered two vulnerabilities, one on December 16th and the other on the 18th.
The first one, tracked as CVE-2024-12356, is a critical command injection flaw impacting the Remote Support (RS) and Privileged Remote Access (PRA) products.
“Successful exploitation of this vulnerability can allow an unauthenticated, remote attacker to execute underlying operating system commands within the context of the site user,” reads the description of the flaw.
The second issue, tracked as CVE-2024-12686, is a medium-severity vulnerability in the same products, allowing attackers who already hold admin privileges to inject commands and upload malicious files to the target.
Although not explicitly stated, it’s possible that the hackers leveraged the two flaws as zero-days to gain access to BeyondTrust systems or as part of their attack chain to reach customers.
However, BeyondTrust has not marked the flaws as actively exploited in either advisory.
BeyondTrust says it automatically applied patches for the two flaws to all cloud instances, but customers who run self-hosted instances need to apply the security update manually.
Finally, the company noted that investigations into the security incident are ongoing, and updates will be provided on its page when more information becomes available.
BleepingComputer contacted BeyondTrust for more information about the incident, and we will update this post when we hear back.