In December 2024, the U.S. Department of the Treasury disclosed a cybersecurity breach carried out through a compromised API key for BeyondTrust's Remote Support SaaS. A Chinese state-sponsored Advanced Persistent Threat (APT) actor used the stolen key to override the service's security controls and gain remote access to Treasury workstations and unclassified documents. BeyondTrust detected anomalous activity on December 2 and confirmed the API key compromise by December 5, at which point it revoked the key, notified affected customers, and suspended the impacted instances. Treasury was informed on December 8 and worked with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to contain the impact. The breach illustrates the risk that a third-party integration carries: a vendor-held credential that can reach internal systems is a high-value secret and should be scoped narrowly, monitored for unusual use, and revoked or rotated at the first sign of misuse.
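Monitoring is one of the few controls a customer can apply to a vendor-held key it does not itself own. The script below is an added example, not BeyondTrust's code and not based on BeyondTrust's actual log format: the audit-log lines, the field names (`key=`, `src=`, `action=`) and the action names are constructed for illustration. It builds a per-key baseline of source networks and actions from a known-good window, then flags recent events where a key is used from an unseen network or performs a sensitive action it has never performed before, the pattern described above (password resets, security features being overridden).

```python
"""Flag anomalous use of a third-party integration's API key.

Added example: not BeyondTrust's code and not its log format. The log
lines, field names and action names below are constructed assumptions.
Approach: learn, per key, which /24 source networks and which actions
were seen during a known-good baseline window, then alert on recent
events that fall outside that baseline.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed audit-log sample (hypothetical format):
# <ISO timestamp> key=<key id> src=<source IP> action=<action>
BASELINE_LOG = """\
2024-11-20T09:12:03Z key=integ-7f3a src=203.0.113.10 action=session.list
2024-11-20T09:15:44Z key=integ-7f3a src=203.0.113.11 action=session.create
2024-11-21T14:02:19Z key=integ-7f3a src=203.0.113.10 action=session.list
2024-11-22T10:30:00Z key=integ-7f3a src=203.0.113.12 action=session.create
"""

RECENT_LOG = """\
2024-12-02T03:41:07Z key=integ-7f3a src=198.51.100.7 action=user.password_reset
2024-12-02T03:42:30Z key=integ-7f3a src=198.51.100.7 action=security_setting.disable
2024-12-02T09:05:12Z key=integ-7f3a src=203.0.113.10 action=session.list
"""

# Actions that change who can get in or what the product enforces (assumed names).
SENSITIVE_ACTIONS = {"user.password_reset", "security_setting.disable", "apikey.create"}


@dataclass
class Event:
    ts: datetime
    key: str
    src: str
    action: str


def parse(log: str) -> list[Event]:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                            fields["key"], fields["src"], fields["action"]))
    return events


@dataclass
class Baseline:
    networks: set = field(default_factory=set)   # /24 networks the key was used from
    actions: set = field(default_factory=set)    # actions the key has performed


def build_baseline(events: list[Event]) -> dict[str, Baseline]:
    """Summarise known-good usage per key: source /24s and actions observed."""
    baseline: dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        baseline[e.key].networks.add(ip_network(f"{e.src}/24", strict=False))
        baseline[e.key].actions.add(e.action)
    return baseline


def detect(events: list[Event], baseline: dict[str, Baseline]) -> list[tuple]:
    """Return (timestamp, key, action, reasons) for each event outside the baseline."""
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e.key)
        if b is None:
            reasons.append("unknown key")
        else:
            if not any(ip_address(e.src) in net for net in b.networks):
                reasons.append("new source network")
            if e.action in SENSITIVE_ACTIONS and e.action not in b.actions:
                reasons.append("first-time sensitive action")
        if reasons:
            alerts.append((e.ts.isoformat(), e.key, e.action, reasons))
    return alerts


def run() -> list[tuple]:
    """Apply the recent window against the baseline built from the good window."""
    return detect(parse(RECENT_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In the constructed sample the two early-morning events from 198.51.100.7 are flagged on both counts (new network and a never-before-seen sensitive action), while the routine `session.list` call from a known network is not. In practice the baseline should come from the vendor's exported audit log or the customer's own API gateway, and a hit on a sensitive action from a new network is the point at which the key should be revoked first and investigated second.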
BeyondTrust disclosed that the attackers used the compromised API key to reset local application passwords and override security features, which is what enabled the intrusion. Its investigation also uncovered two vulnerabilities in its products: CVE-2024-12356, a critical command injection flaw with a CVSS score of 9.8, and CVE-2024-12686, a medium-severity (CVSS 6.6) OS command injection flaw that lets an attacker who already holds administrative privileges inject and run commands. The critical vulnerability has been exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog. BeyondTrust issued advisories and patched the flaws in the affected products, and Treasury removed the BeyondTrust service from its environment, reporting no evidence of continued attacker access.