dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

BeyondTrust Zero-Day Breach Exposed 17 SaaS Customers via Compromised API Key

Avatar
info@thehackernews.com (The Hacker News)
February 1, 2025
BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company’s Remote Support SaaS instances by making use of a compromised API key. The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged
Total
0
Shares
0
0
0

BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company’s Remote Support SaaS instances by making use of a compromised API key.

The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged on December 5, 2024.

“The investigation determined that a zero-day vulnerability of a third-party application was used to gain access to an online asset in a BeyondTrust AWS account,” the company said this week.

“Access to that asset then allowed the threat actor to obtain an infrastructure API key that could then be leveraged against a separate AWS account which operated Remote Support infrastructure.”

The American access management company did not name the application that was explored to obtain the API key, but said the probe uncovered two separate in its own products (CVE-2024-12356 and CVE-2024-12686).

BeyondTrust has since revoked the compromised API key and suspended all known affected customer instances, while also providing them with alternative Remote Support SaaS instances.

It’s worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The exact details of the malicious activity are presently not known.

The development comes as the U.S. Treasury Department said it was one of the affected parties. No other federal agencies are assessed to have been impacted.

The attacks have been attributed to a China-linked hacking group dubbed Silk Typhoon (formerly Hafnium), with the agency imposing sanctions against a Shanghai-based cyber actor named Yin Kecheng for his alleged involvement in the breach of the Treasury’s Departmental Offices network.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists

February 1, 2025
Next Post

U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network

February 1, 2025
Related Posts
2 min

Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus

The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant. Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and
Avatar
info@thehackernews.com (The Hacker News)
February 28, 2025
Read More