New BeyondTrust Vulnerability: Clients’ Confidential API Keys Stolen

In today’s world, cyber threats are becoming increasingly sophisticated, and attacks on major technology companies are growing more dangerous. Earlier this year, BeyondTrust, a leading company in the field of Identity and Access Management (IAM), fell victim to a cyberattack. As a result, 17 clients using the Remote Support SaaS platform were affected, with their infrastructure API keys stolen.

It is suspected that this cyberattack was carried out by the Silk Typhoon (formerly Hafnium) hacker group, which is linked to China and specializes in cyber-espionage. Once the threat was confirmed, U.S. federal agencies and law enforcement launched an investigation. Meanwhile, BeyondTrust immediately implemented security measures to mitigate the attack’s impact.

How Did the Attack Happen?

Initially, BeyondTrust Remote Support SaaS detected unusual activity in its system. A detailed investigation revealed that attackers exploited a new (zero-day) vulnerability in a third-party application, allowing them to obtain an infrastructure API key. Using this key, the attackers reset local application passwords and gained unauthorized access to the Remote Support SaaS systems.

The investigation uncovered two critical vulnerabilities:

  • CVE-2024-12356 – A critical command injection vulnerability that allows unauthenticated attackers to execute remote operating system commands.
  • CVE-2024-12686 – A medium-severity vulnerability that enables an attacker with administrator privileges to upload malicious files and execute commands on the system.

These vulnerabilities were actively exploited in the wild, meaning attackers had already been using them. As a response, BeyondTrust released security updates for all cloud-based systems and strongly recommended that on-premises customers manually apply the necessary patches.

It has been confirmed that the Silk Typhoon group was behind the attack, and reports indicate that the stolen API key was used to access non-classified data from the U.S. Department of the Treasury.

Actions Taken by BeyondTrust

✔ Revoked the compromised API key;
✔ Isolated affected SaaS systems and provided alternative environments to impacted clients;
✔ Partnered with an independent cybersecurity firm to investigate the attack;
✔ Cooperated with federal law enforcement agencies, providing relevant information about the incident;
✔ Released security updates for all SaaS customers;
✔ Provided affected clients with logs, Indicators of Compromise (IOCs), and other investigative findings.

BeyondTrust’s Security Recommendations

✅ Regularly update systems and apply the latest security patches;
✅ Use external authentication services (e.g., SAML) instead of local accounts;
✅ Configure alerts for suspicious session activities;
✅ Integrate SIEM systems to monitor and analyze security events;
✅ Follow the principle of least privilege to limit user access rights.

Conclusion

This cyberattack once again highlights the complexity and severity of modern cyber threats. In particular, API keys, which serve as an unconventional authentication method, can lead to serious security breaches if not adequately protected.

To defend against such attacks, organizations must:

🔹 Generate API keys with time-based expiration;
🔹 Strictly limit their scope of usage;
🔹 Continuously monitor API activity;
🔹 Use firewalls and SIEM systems to detect suspicious behavior.
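To make the first three points concrete, here is an added example (not code from BeyondTrust or from this article) of an API-key store that issues scoped, expiring keys, stores only their hashes, records every use in an audit trail, and flags the pattern seen in this incident: an API key being used for a sensitive action such as a local password reset. The action names and the SIEM-style audit format are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example: keys are kept only as SHA-256 hashes, carry an expiry
# timestamp and a fixed scope, and every use (allowed or denied) is appended to
# an audit list that a SIEM could ingest.

@dataclass(frozen=True)
class ApiKeyRecord:
    key_hash: str
    scopes: frozenset
    expires_at: float  # Unix timestamp; the key is invalid at or after this instant

def _hash(raw_key):
    return hashlib.sha256(raw_key.encode()).hexdigest()

class ApiKeyStore:
    def __init__(self):
        self._records = {}   # key hash -> ApiKeyRecord
        self.audit = []      # (verdict, key_id, action)

    def issue(self, scopes, ttl_seconds, now):
        """Create a key limited to `scopes` that expires `ttl_seconds` after `now`.
        Only the hash is stored; the raw key is returned once to the caller."""
        raw = secrets.token_urlsafe(32)
        self._records[_hash(raw)] = ApiKeyRecord(_hash(raw), frozenset(scopes), now + ttl_seconds)
        return raw

    def revoke(self, raw_key):
        self._records.pop(_hash(raw_key), None)

    def authorize(self, raw_key, action, now):
        """Return True only for a known, unexpired key whose scope covers `action`."""
        key_hash = _hash(raw_key)
        rec = self._records.get(key_hash)
        if rec is None:
            verdict = "denied:unknown_key"
        elif now >= rec.expires_at:
            verdict = "denied:expired"
        elif action not in rec.scopes:
            verdict = "denied:out_of_scope"
        else:
            verdict = "allowed"
        self.audit.append((verdict, key_hash[:8], action))
        return verdict == "allowed"

def flag_suspicious(audit, sensitive_actions=frozenset({"reset_local_password"})):
    """Detection rule over the audit trail: any attempt (allowed or not) to use an
    API key for a sensitive action, plus any key denied more than twice."""
    flagged = [e for e in audit if e[2] in sensitive_actions]
    denials = {}
    for verdict, key_id, _ in audit:
        if verdict.startswith("denied"):
            denials[key_id] = denials.get(key_id, 0) + 1
    flagged += [("repeated_denials", k, str(n)) for k, n in denials.items() if n > 2]
    return flagged
```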

The attack on BeyondTrust put many clients’ security at risk and demonstrated the critical danger of zero-day vulnerabilities. To protect against such threats, companies must regularly update their systems, enforce strict security protocols, and implement advanced monitoring technologies.

Ensuring cybersecurity should be a top priority for every organization!