BeyondTrust has disclosed a breach of its Remote Support and Privileged Remote Access SaaS products earlier this month. The privileged access management vendor published a security bulletin on Dec. 8 stating that suspicious activity had been detected on a small number of Remote Support SaaS customer instances. A root cause analysis completed on Dec. 5 found that an API key for the Remote Support SaaS tools had been compromised. BeyondTrust revoked the key, notified the affected customers, and suspended the compromised instances.
The security bulletin stated, “A compromised Remote Support SaaS API key was identified, which allowed for password resets of local application accounts, and was promptly revoked.” In the days that followed, BeyondTrust published advisories for two vulnerabilities in Privileged Remote Access and Remote Support: CVE-2024-12686, rated medium severity (CVSS 6.6), and CVE-2024-12356, rated critical with a CVSS score of 9.8 out of 10.
BeyondTrust has not said whether either vulnerability was used in the attacks on Remote Support SaaS instances; its separate advisories for the two flaws make no mention of exploitation. However, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog, which CISA does only when it has evidence of active exploitation in the wild. BeyondTrust’s advisory warned that an unauthenticated attacker could exploit CVE-2024-12356 to inject operating system commands that execute in the context of the site user, the account under which the product’s web application runs.
Both vulnerabilities were characterized as command injection flaws, though the full impact on customers from the compromised instances and any exploitation of the flaws remains unclear. On Dec. 16, BeyondTrust patched all cloud instances and released a patch for self-hosted deployments. Cloud customers received the fix automatically; self-hosted customers must apply the patch themselves, and the company said doing so requires no downtime. According to the updated security bulletin, only Remote Support SaaS products were affected based on the initial investigation.
BeyondTrust said it is working with affected customers while its investigation continues. A BeyondTrust spokesperson stated, “Our investigation is ongoing, and we are continuing to work with independent third-party cybersecurity firms to conduct a thorough investigation.” The company’s stated focus is on ensuring that all customer instances, cloud and self-hosted alike, are fully updated, on supporting the impacted customers, and on posting regular updates to its website as the investigation progresses.
The breach at BeyondTrust is the latest incident involving an identity and access management vendor. In October 2023, Okta confirmed that attackers had used stolen credentials to access its customer support case management system. Okta initially said the breach affected about 1% of customers, then later revealed that all customers of the support system were affected. BeyondTrust, along with 1Password, which was also affected by the Okta breach, detected the activity in its own environment and reported it to Okta on Oct. 2, 2023.
As the investigation unfolds, BeyondTrust says it remains committed to remediating the breach, supporting affected customers, and securing its products and services.

