US Treasury Department outs the blast radius of BeyondTrust's key leak

Data pilfered as miscreants roamed affected workstations


The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident."

A letter shared by Reuters with the Chairman of the Committee on Banking, Housing, and Urban Affairs described the sequence of events. On December 8, the Treasury was notified by BeyondTrust that a key used for remote technical support had been pilfered, meaning that a threat actor could access some Departmental Office workstations and unclassified files.

Agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have been working with the Treasury to understand the incident. Third-party forensic investigators have also been called in.

According to the Treasury, "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."

The Register contacted China's Ministry of Foreign Affairs to get its take, but we have not received a response.

The BeyondTrust incident was reported by The Register earlier this month and involved the compromise of an API key for its Remote Support SaaS product. The key was swiftly revoked, but there were at least a few days in which attackers could have roamed around affected systems.

According to the Treasury Department, "The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information." The Register asked the Department of the Treasury for more information on what had been accessed, but we have yet to receive a response.

In its letter, the organization said a more detailed report would be forthcoming in 30 days, and "In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident."

The US Department of the Treasury's admission gives an insight into what a vendor's SaaS incident can mean for customers. During its investigation, BeyondTrust has identified vulnerabilities and pushed out patches for self-hosted versions of its software. For its cloud customers, it performed an update "fortifying the security of their solution overall."

Writing on Mastodon, cyber security researcher Kevin Beaumont had a warning for Software-as-a-Service users: "One thing every org needs to start to plan for: SaaS provider breaches. What's your playbook for when your SaaS provider gets breached?

"In the case of BeyondTrust, they released some CVEs and patches for the on prem software – but didn't say much of anything about their SaaS platform.

"The US govt just outed them for the customer impact side."

Notably, BeyondTrust has confirmed in its advisory that "all cloud instances have been patched for this vulnerability" by mid-December.

The outfit added, "We continue to communicate, and work closely with, all known affected customers." ®
