BeyondTrust, a leading identity and access management firm, disclosed a critical security breach impacting 17 customers of its Remote Support SaaS platform.
The breach was attributed to the exploitation of zero-day vulnerabilities and has since been linked to the China-based hacking group Silk Typhoon.
While U.S. federal agencies and law enforcement continue their investigations, BeyondTrust has taken measures to fix the issue.
The breach was discovered after BeyondTrust observed unusual activity in its Remote Support SaaS system. A root cause analysis revealed that an infrastructure API key had been compromised through a zero-day vulnerability in a third-party application.
This allowed attackers to reset local application passwords and gain unauthorized access to certain Remote Support SaaS instances.
The attackers exploited a critical zero-day vulnerability in a third-party application to access an online asset in BeyondTrust’s AWS account.
This access enabled them to obtain an infrastructure API key, which was then used against another AWS account operating the Remote Support infrastructure.
The two vulnerabilities identified during the investigation are:
Both vulnerabilities were actively exploited in the wild, prompting BeyondTrust to issue patches for all cloud-based instances while urging self-hosted customers to apply updates manually.
The attack has been attributed to Silk Typhoon (formerly Hafnium), a China-linked cyber-espionage group known for targeting government entities and critical infrastructure.
The group reportedly accessed unclassified data from the U.S. Treasury Department using the stolen API key.
“No BeyondTrust products outside of Remote Support SaaS were affected. No FedRAMP instances were affected. No other BeyondTrust systems were compromised, and ransomware was not involved”, the company said.
BeyondTrust implemented several immediate actions following the breach:
Additionally, BeyondTrust applied patches for discovered vulnerabilities across all SaaS instances and continues to support affected customers by providing logs, indicators of compromise (IOCs), and other forensic artifacts.
This breach underscores the growing risks associated with non-human identities, such as API keys, when combined with software vulnerabilities. Organizations are urged to adopt robust security practices to safeguard against similar exploits.