BeyondTrust: Customers Impacted by December Cyberattack Spree

State-linked hackers were implicated in a series of cyberattacks in December, resulting in the theft of unclassified data from the U.S. Treasury Department, among other incidents.

BeyondTrust confirmed that 17 customers were affected by the attack, which began with the compromise of a Remote Support SaaS API key; BeyondTrust has said the key was used to reset passwords on local application accounts. The attack, attributed to a state-linked threat actor, reached several offices within the U.S. Treasury Department, giving the intruders access to unclassified data.

The company stated that it collaborated with affected customers, providing them with artifacts, logs, indicators of compromise, and other critical information to assist in their investigations. BeyondTrust also shared relevant intelligence with law enforcement and threat information-sharing organizations.

During its investigation, BeyondTrust uncovered two command injection vulnerabilities, one critical and one medium-severity, in the affected products:

  • CVE-2024-12356 (Critical): Command injection that allows an unauthenticated attacker to inject commands that run as a site user.
  • CVE-2024-12686 (Medium): Command injection that allows an attacker who already holds administrative privileges to run commands as a site user.

While BeyondTrust has not disclosed the exact role these CVEs played in the broader attack spree, the company stated that all Remote Support SaaS instances have been patched. BeyondTrust also worked with self-hosted customers to ensure their on-premises systems were updated.

The Cybersecurity and Infrastructure Security Agency (CISA) has since added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. CISA is also collaborating with Treasury Department officials to assess the full scope of the compromise.

The extent of the attack has not been fully disclosed, but its implications prompted then-Treasury Secretary Janet Yellen to publicly condemn cyberattacks from the People’s Republic of China. The Treasury Department has since sanctioned a Shanghai-based actor linked to these incidents.

In response to the attack and similar incidents, the Biden administration issued an Executive Order on cybersecurity aimed at strengthening federal security protocols. The order grants additional authorities to combat malicious actors targeting U.S. entities and underscores the administration’s commitment to enhancing federal cybersecurity measures.