CISA orders agencies to patch BeyondTrust bug exploited in attacks


CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks.

As mandated by the Binding Operational Directive (BOD) 22-01, once a flaw is added to CISA’s Known Exploited Vulnerabilities catalog, U.S. federal agencies must secure their networks against the ongoing attacks targeting it within three weeks, in this case by February 3.

On December 19, the U.S. cybersecurity agency had also added to the catalog a critical command injection security bug (CVE-2024-12356) affecting the same BeyondTrust software products.

BeyondTrust found both vulnerabilities while investigating the breach of some of its Remote Support SaaS instances in early December. The attackers stole an API key, which they later used to reset passwords for local application accounts.

While BeyondTrust’s December disclosure didn’t explicitly say so, the threat actors likely leveraged the two flaws as zero-days to hack into BeyondTrust systems and, from there, reach its customers.

In early January, the Treasury Department disclosed that its network was breached by attackers who used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance used by the agency.

Since then, the attack has been linked to Chinese state-backed hackers known as Silk Typhoon. This cyber-espionage group, known for reconnaissance and data theft attacks, became widely known after compromising an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.

The threat actors specifically targeted the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks.

They also hacked into the Treasury’s Office of Financial Research systems, but the impact of this incident is still being assessed. Silk Typhoon is believed to have used the stolen BeyondTrust digital key to access “unclassified information relating to potential sanctions actions and other documents.”

BeyondTrust says it applied security patches for the CVE-2024-12686 and CVE-2024-12356 flaws on all cloud instances. However, those running self-hosted instances must deploy the patches manually.

The company has yet to mark the two security vulnerabilities as actively exploited in security advisories issued last month.
